I am not entirely positive about this, but you may try adding the "slidingExpiration" attribute to your web.config file. It is supposed to reissue the authentication cookie every time a request is sent to the server...at least the way I understand what I read in the documentation. You can set the "timeout" period to whatever you like, but the sliding expiration keeps the session alive as long as someone is actively using it. I think this is so you can have short timeout periods but not worry too much about loosing your users. Give it a shot, but I thought if nothing else it was woth a try. :) -- Andrew "Tom Smit" wrote in message news:%2353V0dMHEHA.3700@TK2MSFTNGP09.phx.gbl...[quote] > We're having a problem where our application is timing out > after 60 minutes no matter what type of activity is > occuring. A user can be in the middle of a server call > and it will timeout after 60 minutes. This only occurs > with Windows authentication and not forms based. > > We have the following in the web.config: > > > timeout="120" path="/"> > > > > stateConnectionString="tcpip=127.0.0.1:42424" > sqlConnectionString="data source=127.0.0.1;user > id=sa;password=" cookieless="false" timeout="120" /> > > > Where is this 60 minute timeout coming from? Am i missing > something? > >[/quote] [allowsmilie] => 1 [showsignature] => 0 [ipaddress] => [iconid] => 0 [visible] => 1 [attach] => 0 [infraction] => 0 [reportthreadid] => 0 [isusenetpost] => 1 [msgid] => <#an4cUqHEHA.3012@TK2MSFTNGP12.phx.gbl> [ref] => <#53V0dMHEHA.3700@TK2MSFTNGP09.phx.gbl> [htmlstate] => on_nl2br [postusername] => Andrew [ip] => AndrewR2k1@remo [isdeleted] => 0 [usergroupid] => [membergroupids] => [displaygroupid] => [password] => [passworddate] => [email] => [styleid] => [parentemail] => [homepage] => [icq] => [aim] => [yahoo] => [msn] => [skype] => [showvbcode] => [showbirthday] => [usertitle] => [customtitle] => [joindate] => [daysprune] => [lastvisit] => [lastactivity] => [lastpost] => [lastpostid] => [posts] => [reputation] => [reputationlevelid] => [timezoneoffset] => [pmpopup] => [avatarid] => [avatarrevision] => [profilepicrevision] => [sigpicrevision] => [options] => [akvbghsfs_optionsfield] => [birthday] => [birthday_search] => [maxposts] => [startofweek] => [referrerid] => [languageid] => [emailstamp] => [threadedmode] => [autosubscribe] => [pmtotal] => [pmunread] => [salt] => [ipoints] => [infractions] => [warnings] => [infractiongroupids] => [infractiongroupid] => [adminoptions] => [profilevisits] => [friendcount] => [friendreqcount] => [vmunreadcount] => [vmmoderatedcount] => [socgroupinvitecount] => [socgroupreqcount] => [pcunreadcount] => [pcmoderatedcount] => [gmmoderatedcount] => [assetposthash] => [fbuserid] => [fbjoindate] => [fbname] => [logintype] => [fbaccesstoken] => [newrepcount] => [vbseo_likes_in] => [vbseo_likes_out] => [vbseo_likes_unread] => [temp] => [field1] => [field2] => [field3] => [field4] => [field5] => [subfolders] => [pmfolders] => [buddylist] => [ignorelist] => [signature] => [searchprefs] => [rank] => [icontitle] => [iconpath] => [avatarpath] => [hascustomavatar] => 0 [avatardateline] => [avwidth] => [avheight] => [edit_userid] => [edit_username] => [edit_dateline] => [edit_reason] => [hashistory] => [pagetext_html] => [hasimages] => [signatureparsed] => [sighasimages] => [sigpic] => [sigpicdateline] => [sigpicwidth] => [sigpicheight] => [postcount] => 2 [islastshown] => [isfirstshown] => [attachments] => [allattachments] => ) --> Windows Auth Problem - ASP.NET Security

Windows Auth Problem - ASP.NET Security

We're having a problem where our application is timing out after 60 minutes no matter what type of activity is occuring. A user can be in the middle of a server call and it will timeout after 60 minutes. This only occurs with Windows authentication and not forms based. We have the following in the web.config: <authentication mode="Windows"> <forms loginUrl="Login.aspx" name="RiskLogin" timeout="120" path="/"> </forms> </authentication> <sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;user id=sa;password=" cookieless="false" timeout="120" /> Where is this 60 minute timeout coming from? Am i missing something?...

  1. #1

    Default Windows Auth Problem

    We're having a problem where our application is timing out
    after 60 minutes no matter what type of activity is
    occuring. A user can be in the middle of a server call
    and it will timeout after 60 minutes. This only occurs
    with Windows authentication and not forms based.

    We have the following in the web.config:

    <authentication mode="Windows">
    <forms loginUrl="Login.aspx" name="RiskLogin"
    timeout="120" path="/">
    </forms>
    </authentication>

    <sessionState mode="StateServer"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;user
    id=sa;password=" cookieless="false" timeout="120" />


    Where is this 60 minute timeout coming from? Am i missing
    something?


    Tom Smit Guest

  2. #2

    Default Re: Windows Auth Problem

    Tom,

    Here is a snippet from the machine.config file:

    <authentication mode="Windows">
    <!--
    forms Attributes:
    name="[cookie name]" - Name of the cookie used for Forms
    Authentication
    loginUrl="[url]" - Url to redirect client to for Authentication
    protection="[All|None|Encryption|Validation]" - Protection mode for
    data in cookie
    timeout="[minutes]" - Duration of time for cookie to be valid (reset
    on each request)
    path="/" - Sets the path for the cookie
    requireSSL="[true|false]" - Should the forms-authentication cookie
    be sent only over SSL
    slidingExpiration="[true|false]" - Should the
    forms-authentication-cookie and ticket be re-issued if they are about to
    expire
    -->
    <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All"
    timeout="30" path="/" requireSSL="false" slidingExpiration="true"></forms>
    </authentication>

    I am not entirely positive about this, but you may try adding the
    "slidingExpiration" attribute to your web.config file. It is supposed to
    reissue the authentication cookie every time a request is sent to the
    server...at least the way I understand what I read in the doentation.
    You can set the "timeout" period to whatever you like, but the sliding
    expiration keeps the session alive as long as someone is actively using it.
    I think this is so you can have short timeout periods but not worry too much
    about loosing your users.

    Give it a shot, but I thought if nothing else it was woth a try. :)

    -- Andrew




    "Tom Smit" <tsmitnospam.com> wrote in message
    news:%2353V0dMHEHA.3700TK2MSFTNGP09.phx.gbl...
    > We're having a problem where our application is timing out
    > after 60 minutes no matter what type of activity is
    > occuring. A user can be in the middle of a server call
    > and it will timeout after 60 minutes. This only occurs
    > with Windows authentication and not forms based.
    >
    > We have the following in the web.config:
    >
    > <authentication mode="Windows">
    > <forms loginUrl="Login.aspx" name="RiskLogin"
    > timeout="120" path="/">
    > </forms>
    > </authentication>
    >
    > <sessionState mode="StateServer"
    > stateConnectionString="tcpip=127.0.0.1:42424"
    > sqlConnectionString="data source=127.0.0.1;user
    > id=sa;password=" cookieless="false" timeout="120" />
    >
    >
    > Where is this 60 minute timeout coming from? Am i missing
    > something?
    >
    >

    Andrew Guest

  3. #3

    Default Windows Auth Problem

    I have an intranet site that uses Windows Authentication. It is open to all
    domain users. When I attempt to hit the site it asks me for my credentials.
    I give it the same domain user name and password I used to log into Windows
    and it lets me in. It is my understanding that if I am already logged in to
    Windows with proper credentials it should not ask me for them again, but it
    does.

    IIS is configured to not allow annonymous access and only use Integrated
    Windows Authentication.

    My web.config contains the following:
    <authentication mode="Windows"/>
    <allow users="*" />
    <identity impersonate="true" />

    I don't think I should need those last two. But it doesn't work either way.
    All I really need is to be able to identify the user so I may display
    user-specific data. I'd like to do this without having them log in if they
    are already logged in as a domain user. What setting am I missing?

    Thanks,

    John


    John Guest

  4. #4

    Default RE: Windows Auth Problem

    Hi John,

    If you're using IE and IE's security setting is set correctly (IE Options:
    Advanced/Security: (check) Enable Integrated Windows Authentication), this
    should work out-of-box.

    I've just tested it on my side using a simple web application:

    web.config:

    <system.web>
    </authentication>
    <authorization>
    <allow users="*"/>
    </authorization>
    <identity impersonate="true"/>



    Default.aspx.cs:

    protected void Page_Load(object sender, EventArgs e)
    {
    Response.Write(Request.LogonUserIdentity.Name);
    }


    It should print out current user's logon name when viewed in IE.

    If your settings are correct, would you please create a simple web site
    like above and test it? Thanks.

    References:

    #Integrated Windows Authentication - Wikipedia, the free encyclopedia
    http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

    #Integrated Windows Authentication (IIS 6.0)
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5
    23ae943-5e6a-4200-9103-9808baa00157.mspx
    * Integrated Windows authentication is supported by only Internet Explorer
    2 and later.
    * Integrated Windows authentication does not work over HTTP proxy
    connections.



    Sincerely,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications. If you are using Outlook Express, please make sure you clear the
    check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
    promptly.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project ysis and dump ysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Walter Guest

  5. #5

    Default Re: Windows Auth Problem

    Hi Walter,

    Thank you for the reply. I had already tested a very simple page using
    User.Identity.Name. I changed it to do exactly as you've indicated and I get
    the same behavior. IE is also set as indicated. I also get the same
    behavior with Firefox. I've tried this on three different machines--one XP
    and two Server 2003--browsing locally (localhost) as well as remotely and
    get the same result.

    Here's a funny twist: I just tested this code on a Virtual PC session that
    is not on the domain; it's in a workgroup. It worked as expected and
    properly recognized me and displayed my local machine username. So I'm
    wondering if there's some Active Directory setting that is incorrect. Is
    that possible?

    John


    "Walter Wang [MSFT]" <microsoft.com> wrote in message
    news:phx.gbl... 


    John Guest

  6. #6

    Default Re: Windows Auth Problem

    Hi John,

    It might not be related to Active Directory settings since you mentioned
    that after you input user/password the login is successful.

    Another place to check is IE options, Security tab:

    When you click on the "Custom Level" button, you will see "User
    Authentication" part in the Security Settings dialog: it displays following
    options:

    * Anonymous logon
    * Automatic logon only in Intranet zone
    * Automatic logon with current user name and password
    * Prompt for user name and password

    The default setting should be second one "Automatic logon only in Intranet
    zone". Is it possible that your intranet site isn't recogonized as "Local
    intranet"? You can select the "Local intranet" zone and click on button
    "Sites" to view/change the settings.

    Let me know your findings.


    Regards,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.


    Walter Guest

  7. #7

    Default Re: Windows Auth Problem

    Hi Walter,

    Sorry I took so long to respond. I've been away for a while. Anyway, I
    followed your suggestions and got it to work with IE. But something about
    this is not right. My IE was already set for "Automatic logon only in
    Intranet zone" (the default). But to get it to work on a development server
    I had to add http://devserver as a local intranet site. To get it to work
    with my web server on my local box I had to add http://localhost as a local
    intranet site. That shouldn't be, should it? So it seems Local Intranet
    doesn't recognize anything on its own--it only looks in the list I provide.
    I would think that if the domain controller/DNS server knows how to find
    "devserver" on our local network then it should report that back to IE as
    being local intranet. And at the least, it should know that "localhost" is
    local... No?

    Our network admin is looking into a way to push specific sites to the local
    intranet list through an IE policy, although that seems like a kludge. That
    also doesn't help the Firefox users. But who cares about them anyway,
    right? ;)

    If you have any further advice on this please let me know. Thanks.

    John



    "Walter Wang [MSFT]" <microsoft.com> wrote in message
    news:phx.gbl... 


    John Guest

  8. #8

    Default Re: Windows Auth Problem

    One more thing. I noticed there's an "Include all local (intranet) sites
    not listed in other zones" checkbox. If I check this it works without
    adding sites to the list. But I'm not sure what this is really doing. Is
    this a safe setting or is it simply allowing every site that is not listed
    somewhere else? Since it's not on by default I assume it is not a
    recommended setting. And since it wasn't checked by default, either way
    we'll need some kind of policy change to get all users' workstations
    working. I just want to make sure we're making the right (and safe) policy
    changes. Thanks again.
    John

    "John" <nospam> wrote in message
    news:%phx.gbl... 
    >
    >[/ref]


    John Guest

  9. #9

    Default Re: Windows Auth Problem

    Hi John,

    Do you mean that the site is not recogonized by intranet sizes even if the
    option "Automatically detect intranet network" is checked? It's my
    understanding that this is the default setting and this is the option that
    make your local websites and localhost be recogonized as intranet sites.


    Regards,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Walter Guest

  10. #10

    Default Re: Windows Auth Problem

    Walter,

    That setting is only available in IE7. I, and most of us, are using IE6.
    But even in IE7, that setting does not help. The only ways we've found to
    make it work is add the server to the list or select the "Include all local
    sites" checkbox.

    John

    "Walter Wang [MSFT]" <microsoft.com> wrote in message
    news:phx.gbl... 


    John Guest

  11. #11

    Default Re: Windows Auth Problem

    John,

    Here's some rules about how IE determines a URL belongs to intranet zone or
    not:

    1) By the presense of or lack of dots (periods) in the domain name:

    http://DOMAINNAME -> Intranet Zone
    http://DOMAINNAME.COM -> Internet Zone
    http://192.168.1.15 -> Internet Zone

    2) Besides above rule, IE also uses proxy settings (bypass list, proxy.pac,
    etc), whatever goes to the proxy will be in the internet zone. Whatever
    doesn't hit the proxy (host in bypass list, "return DIRECT" in proxy.pac)
    will be in intranet.

    3) For IE6, IE also provides the following configuration box for the
    intranet zone (Internet Options -> Security -> Local Intranet -> Sites) :

    * Include all local (intranet) sites not listed in other zones
    * Include all sites that bypass the proxy server
    * Include all network paths (UNCs)

    These three options are checked by default in IE6; in IE7, the
    "Automatically detect intranet network" is checked by default.

    Therefore, I think the option you mentioned is required to make it work
    correctly. Would you please tell me why the option needs to unselected on
    your side?


    Regards,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Walter Guest

  12. #12

    Default Re: Windows Auth Problem

    Walter,

    Thank you for the thorough explaination. That's good info to know. I was
    mistaken about the new IE7 option. The site works as expected when that
    checkbox is selected. And since that is the default, we will be ok with
    that. But IE6 remains to be a problem. IE6's default configuration does
    not have the "Include all local (intranet) sites not listed in other zones"
    option selected. We either need this, or we need to add the site to the
    list. That's the only way we can hit the site without it asking for a
    logon. Regarding the number of dots, our development server is named
    "labweb" (no dots). We develop locally using "localhost" (no dots). Yet
    neither of these work unless we turn on the above option or add these to the
    intranet site list. I would think that http://localhost is always
    considered an intranet site, but evidently it is not. I still think we're
    doing something wrong, I just don't know what. BTW, we have no proxy
    servers.

    Thanks,

    John

    "Walter Wang [MSFT]" <microsoft.com> wrote in message
    news:phx.gbl... 


    John Guest

  13. #13

    Default Re: Windows Auth Problem

    Hi John,

    It's my understanding that on Windows XP SP2 and Windows Server 2003 with
    IE6, those settings are checked by default. Anyway, you could use group
    policy in your domain to enforce these settings are checked:

    #How to set advanced settings in Internet Explorer by using Group Policy
    Objects
    http://support.microsoft.com/kb/274846


    Regards,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Walter Guest

  14. #14

    Default Re: Windows Auth Problem

    Thanks Walter. We'll do that.
    John

    "Walter Wang [MSFT]" <microsoft.com> wrote in message
    news:phx.gbl... 


    John Guest

Similar Threads

  1. Forms Auth Info passed to Windows Auth?
    By golem_95@yahoo.com in forum ASP.NET Security
    Replies: 1
    Last Post: May 3rd, 11:47 AM
  2. ASP.NET 2.0 - Windows Auth and Roles
    By Mark Parter in forum ASP.NET Security
    Replies: 5
    Last Post: May 2nd, 03:09 PM
  3. Windows Auth - Active Directory
    By J. Shane Kunkle in forum ASP.NET Security
    Replies: 1
    Last Post: September 9th, 06:58 PM
  4. question on windows auth
    By chris in forum ASP.NET Security
    Replies: 2
    Last Post: April 30th, 05:52 AM
  5. Configuring Windows Auth & Forms Auth in Asp.Net
    By Chris Mohan in forum ASP.NET Security
    Replies: 2
    Last Post: April 29th, 06:46 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •