Forms Authentication and SSL


  1. #1

    Forms Authentication and SSL

    Hi, I read some posts here, but I haven't found the full solution of my
    problem.

    I've configured my web application to use SSL with Server Certificates
    (Tested and works).

    Only one subfolder (/secure) of my webapp works with SSL. (Tested and works)

    Web.Config
    <authentication mode="Forms">
    <forms loginUrl="/secure/login.aspx" protection="All" timeout="30"
    requireSSL="true">
    ......

    The users search a page of my webapp (example:
    "http://myserver/mywebapp/webform1.aspx") on a non secure SSL channel.
    If the user isn't authenticated, he will be redirected to the loginUrl. The
    problem is that he will not be redirected with the https:// prefix, so he
    has to manually change the address from http:// to https://.

    I've tried putting the full address in the loginUrl, like
    loginUrl="https://myserver/mywebapp/secure/login.aspx", but in this case,
    when redirecting on the login.aspx, I receive an Access denied Error
    (401.2).

    I've tried to configure IIS security, with anonymous access only, windows
    authentication, both, but nothing changes.

    So, the question is simple: how can I redirect a user to a SSL login page
    when he isn't authenticated, no matter if he comes from an http:// or
    https:// address?
    Thank you in advance

    Marco Roello
    marco.roello@cnrservice.it



    How can I configure my app




    Marco Roello Guest

  3. #2

    Forms Authentication and SSL

    I'm using Forms Authentication, the user may come from a HTTP page, the
    login page is using SSL, so after logging in the user will be redirected
    back to a non SSL page.

    This used to work without any warnings. Suddenly after entering the login
    information IE is warning the user that they are being redirected to a non
    secure page.

    What is causing this?

    If I change the login page to non ssl (just HTTP) then I don't get the
    problem.

    How can I use SSL for the login page and not prompt the user when they are
    being redirected?

    Thanks.

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com



    Michael Tissington Guest

  4. #3

    RE: Forms Authentication and SSL

    Hi Michael,

    From security consideration, IE will prompt us this security alert either
    when we enter into a secure website from a non-secure one, or vice versa.
    To my knowledge, we cannot dismiss this alert, unless we check the "In the
    future, do not show this warning" checkbox.

    This security alert is very useful in the case if we want to send out our
    secret information, such as credit account number, password, over internet.
    With this alert, we should be notified whether the web site we are
    communicating is a real secure or valid web site before sending out the
    secret information. Without this security alert, we have no sense whether
    the web site is secure.

    Does it answer your question? If I have misunderstood your concern, please
    feel free to let me know.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.

    Jacob Yang [MSFT] Guest

  5. #4

    Re: Forms Authentication and SSL

    Jacob,

    Yes, it partly answers my question.

    The other aspect of this is how do I use forms authentication with SSL?

    Consider the following

    1) User views a non SSL page
    2) Clicks on a link which requires forms authentication
    3) Web.config points to a https page for the login information
    4) Using SSL the login information is collected
    5) How then does the redirection back to the referring page work?
    Is it SSL or the original protocol - can it be specified?

    Basically we are just wanting to collect the user information using SSL
    and then return to the protocol that was being used when the user clicked on the
    link (which may or may not be https).

    Thanks.

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "Jacob Yang [MSFT]" <jiany@online.microsoft.com> wrote in message
    news:TF$S48GmDHA.576@cpmsftngxa06.phx.gbl...
    > Hi Michael,
    >
    > From security consideration, IE will prompt us this security alert either
    > when we enter into a secure website from a non-secure one, or vice versa.
    > To my knowledge, we cannot dismiss this alert, unless we check the "In the
    > future, do not show this warning" checkbox.
    >
    > This security alert is very useful in the case if we want to send out our
    > secret information, such as credit account number, password, over internet.
    > With this alert, we should be notified whether the web site we are
    > communicating is a real secure or valid web site before sending out the
    > secret information. Without this security alert, we have no sense whether
    > the web site is secure.
    >
    > Does it answer your question? If I have misunderstood your concern, please
    > feel free to let me know.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
    >

    Michael Tissington Guest

  6. #5

    Re: Forms Authentication and SSL

    Hi Michael,

    Is the login form (SSL required) in the same web application or virtual
    folder?

    With FormsAuthentication.RedirectFromLoginPage method, we can't specify the
    protocol or get the source protocol from the FormsAuthentication object.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    MSFT Guest
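
One way to handle the round trip discussed in this thread, as an added example that is not code from any of the posters: the login page moves itself onto HTTPS and, after sign-in, builds the return redirect itself instead of calling RedirectFromLoginPage, so the protocol is chosen explicitly. The class name, the control names, the default HTTPS port, the use of the `<credentials>` list and the choice to always return over HTTPS are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for /secure/login.aspx; control names are assumptions.
public class SecureLogin : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Button LoginButton;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        LoginButton.Click += new EventHandler(LoginButton_Click);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // The forms-auth redirect keeps the scheme of the original request, so
        // re-issue a plain-HTTP hit (ReturnUrl included) against the HTTPS site.
        // Assumes IIS lets this page execute over HTTP long enough to redirect.
        if (!Request.IsSecureConnection)
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
    }

    private void LoginButton_Click(object sender, EventArgs e)
    {
        // Authenticate() checks the <credentials> list in web.config; swap in
        // the application's own user store as needed.
        if (!FormsAuthentication.Authenticate(UserName.Text, Password.Text))
            return;

        // With requireSSL="true" the ticket cookie carries the Secure flag, so the
        // browser sends it only on https:// requests.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Accept only a site-relative ReturnUrl (no scheme, no "//host" form),
        // then choose the scheme and host here instead of trusting the query string.
        string target = Request.QueryString["ReturnUrl"];
        if (target == null || !target.StartsWith("/") ||
            target.StartsWith("//") || target.StartsWith("/\\"))
            target = Request.ApplicationPath;

        Response.Redirect("https://" + Request.Url.Host + target, true);
    }
}
```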
