Forms authentication on a business WAN


  1. #1

    Forms authentication on a business WAN

    L.S.,

    For our client we have built a web application for use on their
    internal network.
    The employees need to log onto the application specifically,
    regardless of their Windows authorisation status.

    Web.config contains the following lines:

    <authentication mode="Forms">
    <forms name=".ASPXEFORM" loginUrl="ef_login.aspx" protection="All"
    timeout="10" />
    </authentication>

    <authorization>
    <deny users="?" />
    </authorization>

    What I find is that people that are logged into the network are not
    considered anonymous and can access the application without passing
    through ef_login.aspx

    How can I prevent this?

    Greetings,
    Philbert de Zwart,
    The Netherlands.
    Philbert Guest

  2. #2

    RE: Forms authentication on a business WAN

    Philbert,

    As long as the user is requesting an .aspx page or another page mapped to
    the aspnet_isapi.dll, this should work fine (although your web.config is
    not configured as recommended.)

    See this:
    301240 HOW TO: Implement Forms-Based Authentication in Your ASP.NET
    Application
    http://support.microsoft.com/?id=301240

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET
    jamesche@online.microsoft.com

    This post is provided as-is with no warranties and confers no rights.


    --------------------
    >From: philbert.de.zwart@logicacmg.com (Philbert)
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >Subject: Forms authentication on a business WAN
    >Date: 20 Nov 2003 07:10:36 -0800
    >
    >L.S.,
    >
    >For our client we have built a web application for use on their
    >internal network.
    >The employees need to log onto the application specifically,
    >regardless of their Windows authorisation status.
    >
    >Web.config contains the following lines:
    >
    ><authentication mode="Forms">
    > <forms name=".ASPXEFORM" loginUrl="ef_login.aspx" protection="All"
    >timeout="10" />
    ></authentication>
    >
    ><authorization>
    > <deny users="?" />
    ></authorization>
    >
    >What I find is that people that are logged into the network are not
    >considered anonymous and can access the application without passing
    >through ef_login.aspx
    >
    >How can I prevent this?
    >
    >Greetings,
    >Philbert de Zwart,
    >The Netherlands.
    >
    Jim Cheshire [MSFT] Guest
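
An added example, not part of the original thread: a small Python audit of the web.config fragment from the question. It checks that Forms mode and the anonymous deny rule are in effect, and lists which requested files fall outside the ASP.NET check described in the reply. The mapped-extension set, the `<configuration>` wrapper and the sample paths are assumptions constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the question, wrapped in the
# <configuration>/<system.web> elements a complete web.config would have.
SAMPLE_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXEFORM" loginUrl="ef_login.aspx" protection="All" timeout="10" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

# Assumption: extensions mapped to aspnet_isapi.dll in the IIS script map.
# Illustrative only; read the real list from the site's IIS configuration.
ASPNET_MAPPED = {".aspx", ".ascx", ".ashx", ".asmx", ".axd"}

def audit_config(xml_text):
    """Return (auth_mode, login_url, anonymous_denied) for a web.config string."""
    sysweb = next(ET.fromstring(xml_text).iter("system.web"))
    auth = sysweb.find("authentication")
    mode = auth.get("mode") if auth is not None else "Windows"  # framework default
    forms = auth.find("forms") if auth is not None else None
    login_url = forms.get("loginUrl") if forms is not None else None
    # Authorization rules are evaluated top-down and the first match wins, so
    # anonymous users are blocked only if a deny reaches them before an allow.
    denied = False
    rules = sysweb.find("authorization")
    for rule in (list(rules) if rules is not None else []):
        users = {u.strip() for u in (rule.get("users") or "").split(",")}
        if users & {"?", "*"}:
            denied = rule.tag == "deny"
            break
    return mode, login_url, denied

def unprotected_paths(paths, mapped=ASPNET_MAPPED):
    """Paths IIS serves itself, so the ASP.NET authorization rules never run."""
    return [p for p in paths if os.path.splitext(p)[1].lower() not in mapped]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(unprotected_paths(["ef_login.aspx", "manual.htm", "Reports/q3.PDF"]))
```

For the fragment as posted, the audit reports Forms mode with anonymous users denied; files such as `.htm` or `.pdf` are the ones that bypass the login page unless their extensions are also mapped to ASP.NET.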
