Configuring Windows Auth & Forms Auth in Asp.Net

Ask a Question related to ASP.NET Security, Design and Development.

  1. Chris Mohan #1

    Default Configuring Windows Auth & Forms Auth in Asp.Net

    Configuring Windows Auth & Forms Auth in Asp.Ne
    Hi, I've configured a web app to use windows authentication and also set up two separate subdirectories to use forms authentication. It appears to work fine but I have never seen a sample that demonstrates both in the same web.config and I don't like assuming i've done this correctly and securely.

    Please take a look at the following from my web.config and let me know what you think(its not the full config-- just stripped down to its essentials w/ no attributes) Its pretty basic, i just use a location element for each sub-dir and then set the auth mode inside of it. Thanks!

    <?xml version="1.0" encoding="UTF-8" ?><configuration><system.web><authentication mode="Windows" /><authorization><allow users="*" /></authorization></system.web><location path="SecureArea1"><system.web><authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication><authorization><deny users="?" /></authorization></system.web></location><location path="SecureArea2"><system.web><authentication mode="Forms"><forms loginUrl="login.aspx" / ></authentication><authorization><deny users="?" /></authorization></system.web></location></configuration>
    Chris Mohan Guest
    Reply With Quote Reply With Quote

    2. Similar Questions and Discussions

    1. Forms Auth Info passed to Windows Auth?
      The requirement is to build an ASP.Net intranet application, so external users can log in to the main web portal via forms authentication, using...
    2. ASP.Net Forms authentication & Windows Auth combined
      I have a situation where I would like to use forms authentication and windows authentication combined. Basically, I would like to use a form to...
    3. FORMS AUTH HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      I'm using forms Auth! Why am i getting the error:-I HAVE DONE EVRYTHING NEEDED! Error authenticating. Error obtaining group names. The specified...
    4. Help with forms auth
      Hi, I am using forms Auth on my WEB APP. I am checking the credentials in sql server. When a user request any page other than login.aspx they get...
    5. Forms Auth. What do you think?
      Hi guys, I am new to forms Authetication and wish to do the following.. A bit like the Dreamweaver Authentication tool... 1. Authenticate my...
  2. avnrao #2

    Default Re: Configuring Windows Auth & Forms Auth in Asp.Net

    this looks ok to me as far as you take care of securing your forms
    authentication. I mean securing forms authentication cookie and role list.
    any request to subfolders, the location element in web.config clearly
    overrides windows authentication.

    Av.

    "Chris Mohan" <chrismo1__=AT__yahoo.com> wrote in message
    news:41D908AE-CFD5-46BF-AFA9-D8D7F64231B3@microsoft.com...
    > Configuring Windows Auth & Forms Auth in Asp.Net
    > Hi, I've configured a web app to use windows authentication and also set
    > up two separate subdirectories to use forms authentication. It appears to
    > work fine but I have never seen a sample that demonstrates both in the
    > same web.config and I don't like assuming i've done this correctly and
    > securely.
    >
    > Please take a look at the following from my web.config and let me know
    > what you think(its not the full config-- just stripped down to its
    > essentials w/ no attributes) Its pretty basic, i just use a location
    > element for each sub-dir and then set the auth mode inside of it. Thanks!!
    >
    > <?xml version="1.0" encoding="UTF-8"
    > ?><configuration><system.web><authentication mode="Windows"
    > /><authorization><allow users="*" /></authorization></system.web><location
    > path="SecureArea1"><system.web><authentication mode="Forms"><forms
    > loginUrl="login.aspx" /></authentication><authorization><deny users="?"
    > /></authorization></system.web></location><location
    > path="SecureArea2"><system.web><authentication mode="Forms"><forms
    > loginUrl="login.aspx" / ></authentication><authorization><deny users="?"
    > /></authorization></system.web></location></configuration>

    avnrao Guest
    Reply With Quote Reply With Quote
  3. Chris Mohan #3

    Default Forms Auth in subdirs but WIndows Auth in Main Site

    Hi, I've configured a web app to use windows authentication. Two of the app's subdirectories
    are configured as applications in IIS and the mainsite's web.config defines those subdirs to use forms authentication. It appears to work fine but I have never seen a sample that
    demonstrates both in the same web.config (all the samples show a
    snippet outside the context of the entire web.config) I don't like
    assuming i've done this correctly and securely.

    Please take a look at the following from my web.config and let me
    know what you think. The approach is pretty basic i just use a
    location element for each sub-dir and then set the auth mode inside
    of it.

    The Directory Structure looks like this:

    |---\MainSite(Configured as An App in IIS)
    | +---Secure1(Configured as An App in IIS)
    | +---Secure2(Configured as An App in IIS)
    | +---MainSiteChild1
    | +---MainSiteChild2
    |web.Config(in mainSite's Root)

    A stripped down version of the web.config settings:
    line1: <?xml version="1.0" encoding="UTF-8" ?>
    line2: <configuration>
    line3: <system.web>
    line4: <authentication mode="Windows" />
    line5: <authorization>
    line6: <allow users="*" />
    line7: </authorization>
    line8: </system.web>

    line10: <location path="SecureArea1">
    line11: <system.web>
    line12: <authentication mode="Forms">
    line13: <forms loginUrl="login.aspx" />
    line14: </authentication>
    line15: <authorization>
    line16: <deny users="?" />
    line17: </authorization>
    line18: </system.web>
    line19: </location>

    line21: <location path="SecureArea2">
    line22: <system.web>
    line23: <authentication mode="Forms">
    line24: <forms loginUrl="login.aspx" />
    line25: </authentication>
    line26: <authorization>
    line27: <deny users="?" />
    line28: </authorization>
    line29: </system.web>
    line30: </location>

    What I think that this mix of settings acheives is the same
    thing as if the Secure1 & Secure2 subdirectories had their own web.config files.

    Here's a good article about this exact topic but it uses
    the "maverick" web.configs in sub dirs approach:
    [url]http://www.theserverside.net/articles/showarticle.tss?[/url]
    id=FormAuthentication


    Chris Mohan Guest
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139