Multiple log-in requests for single aspx page - WHY?


  1. #1

    Multiple log-in requests for single aspx page - WHY?

    I have a subweb secured with Windows authentication. IIS has anonymous
    access disabled & basic auth enabled. The sub folder has acls set to allow
    access to a single non-admin user as well as administrators. Upon browsing
    to the home of the secured subweb users are prompted to log-in once, and
    assuming correct credentials are entered can access the site. When the
    non-admin user then follows a link to browse to an aspx page within the
    subweb another log-in prompt is displayed.
    WEIRD:
    If the user enters their username/password the log-in dialog re-appears 3
    times then the page is displayed. HOWEVER if they click cancel/press escape
    the page IS STILL DISPLAYED.

    This only happens from a win2k client, accessing the page from XP works as
    expected.

    Also, I found that when setting unique permissions on the subweb using the
    FPSE admin web pages I lost the ASPNET account permissions, breaking the
    application, and had to manually re-add them. This doesn't seem very clever.
    As if security wasn't complicated enough with ASP I now have to check ACLs,
    IIS settings, FPSE settings AND web.configs, any or all of which can break
    the security.

    TIA,

    Paul Bryant


    Paul Bryant Guest

  3. #2

    RE: Multiple log-in requests for single aspx page - WHY?

    Paul,

    Are you impersonating in your ASP.NET application? If not, I would think
    that the cause of the problem is that ASPNET (the user account for the
    aspnet_wp.exe process) is being denied access. However, the fact that it
    works from a Windows XP machine is very strange.

    What do the IIS logs show? What do you see if you get a Filemon log of
    this problem? (www.sysinternals.com).

    As to the FPSE, if you try and manage permissions using FPSE, they may
    tighten security which will remove any unknown accounts from browse access
    on the site. This includes the ASPNET account. Therefore, if you do
    tighten security with FPSE, you will need to add the ASPNET account back to
    the wwwroot folder with default permissions.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET
    jamesche@online.microsoft.com

    This post is provided as-is with no warranties and confers no rights.


    --------------------
    >From: "Paul Bryant" <paul@NO_SP_AMgap66.com>
    >Subject: Multiple log-in requests for single aspx page - WHY?
    >Date: Fri, 17 Oct 2003 12:28:06 +0100
    Jim Cheshire [MSFT] Guest
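
An added example for the "What do the IIS logs show?" step, not part of the thread or of Jim Cheshire's reply: it parses a W3C extended log and reports where a client received repeated 401 responses for one URL before being served, with the client OS read from the User-Agent. The log lines, addresses, paths and user name are constructed, and the `#Fields` list is assumed to match what the site actually logs.

```python
# Constructed sample in W3C extended format; it does not reproduce the poster's logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2003-10-17 11:20:01 10.0.0.5 - GET /secure/default.htm 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:20:06 10.0.0.5 webuser GET /secure/default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:21:10 10.0.0.5 webuser GET /secure/report.aspx 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:21:15 10.0.0.5 webuser GET /secure/report.aspx 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:21:19 10.0.0.5 webuser GET /secure/report.aspx 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:21:23 10.0.0.5 webuser GET /secure/report.aspx 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2003-10-17 11:30:02 10.0.0.9 - GET /secure/default.htm 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-10-17 11:30:07 10.0.0.9 webuser GET /secure/default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-10-17 11:30:40 10.0.0.9 webuser GET /secure/report.aspx 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def challenge_runs(records, threshold=2):
    """Count the 401s each client got per URL before a non-401 answer arrived.
    Returns (client, url, user-agent, count, final status) for count >= threshold;
    a single 401 followed by 200 is the ordinary first Basic challenge."""
    pending, runs = {}, []
    for r in records:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"] == "401":
            pending[key] = pending.get(key, 0) + 1
        else:
            count = pending.pop(key, 0)
            if count >= threshold:
                runs.append((key[0], key[1], r["cs(User-Agent)"], count, r["sc-status"]))
    return runs

def client_os(user_agent):
    """Map the Windows NT token in the User-Agent to the client OS."""
    if "Windows+NT+5.0" in user_agent:
        return "Windows 2000"
    return "Windows XP" if "Windows+NT+5.1" in user_agent else "other"

if __name__ == "__main__":
    for ip, url, ua, n, status in challenge_runs(parse_w3c(SAMPLE_LOG)):
        print(f"{ip} ({client_os(ua)}) {url}: {n} x 401 before {status}")
```

Run against the real log, the per-URL counts show which resource triggers the extra prompts and whether only Windows 2000 clients are affected.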
