
I'm running into a strange issue. I have a .NET application deploying to Azure which is using Azure ACS for authentication. While the project is set up as a web application, we are primarily serving static .html and .js files. The problem is that the user is redirected to authenticate through ACS ONLY when they visit our root URL directly.

For example, I have this set up locally through the Azure emulator. If the user goes to 127.0.0.1:81/ they are redirected to log in, but if they go directly to 127.0.0.1:81/Index.html, they are able to load up the page without being redirected to ACS (although subsequent .js calls during the page load to a .svc service fail).

Here is my web.config file:

<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <httpRuntime requestValidationMode ="2.0"/>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
  </system.web>
  <connectionStrings>
    <add name="ExperienceBrowserEntities" connectionString="metadata=res://*/ExperienceBrowser.csdl|res://*/ExperienceBrowser.ssdl|res://*/ExperienceBrowser.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=tmbwb1mnyn.database.windows.net;Initial Catalog=ExperienceBrowser;Persist Security Info=True;User ID=ExperienceBrowserUser;Password=XXXXXXXX;MultipleActiveResultSets=True;Application Name=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://appCentral.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="http://127.0.0.1:81/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://appCentral.accesscontrol.windows.net/v2/wsfederation" realm="http://127.0.0.1:81/" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--Following are the claims offered by STS 'https://appCentral.accesscontrol.windows.net/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" optional="true" />-->
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="D6DAB54F4A47E88FFF206E6796A3367DA6033B0C" name="https://appCentral.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>
John Smith
  • Are you running all calls through security provider? Most likely, static items not marked for execution through the .NET stack do not get checked for security unless you specifically say to. – Josh Jul 13 '12 at 14:48
  • I haven't done anything to set that explicitly, no. I am not sure how to force all calls through the security provider. – Connor Simmons Jul 13 '12 at 14:55
  • Looking into this further I see that there are ways to map static files to asp.net files to force authorization. Will setting this in IIS carry through to Azure when deployed? – Connor Simmons Jul 13 '12 at 15:16
  • I found this: http://stackoverflow.com/questions/3589020/how-to-do-forms-authentication-on-purely-html-pages-using-asp-net which is almost exactly what I need to secure this all. The problem is that the Azure Emulator fails when I add the section to my web config – Connor Simmons Jul 13 '12 at 15:27

1 Answer

Think you need to add those extensions to be processed by ASP.NET in IIS. This answer is not based on Azure. I had to do this with regular IIS and ASP.NET. If it does not work the same in Azure please let me know and I will delete the answer.

"The mapping of file name extensions to ASP.NET is done in Internet Information Services (IIS). By default, .aspx pages are run by ASP.NET and .htm and .html pages are not."

ASP.NET Web Page Syntax Overview

paparazzo
  • Yes - this answer is correct and it works the same way with Azure. For my specific project I was able to simply add runAllManagedModulesForAllRequests="true" to my web config to force every request through the pipeline. – Connor Simmons Jul 23 '12 at 19:22
  • runAllManagedModulesForAllRequests="true" worked for me thanks. I couldn't get IIS to serve static content when using ADFS authentication. – Vinnyq12 Jan 09 '13 at 09:25
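The fix the commenters settled on, shown as an added example rather than a file from the original post: the posted `<modules>` registration carries `preCondition="managedHandler"`, so IIS never invokes the WIF modules for .html and .js served by the static file handler, and the `<deny users="?" />` rule in `system.web` is only enforced for requests ASP.NET actually handles. Setting `runAllManagedModulesForAllRequests="true"` on `<modules>` routes every request through the managed pipeline, which is what makes the WS-Federation redirect and the session cookie check apply to static content; the `FederationMetadata` location exception from the original config is kept so ACS can still read the metadata anonymously.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the original poster's file): the relevant sections of
     web.config with the weak module registration beside the corrected one. -->
<configuration>
  <!-- Keep the metadata endpoint anonymous even after every request is forced
       through the managed pipeline; ACS fetches it without a session. -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <!-- Only evaluated for requests that reach the ASP.NET pipeline. -->
      <deny users="?" />
    </authorization>
    <!-- WIF supplies the identity, so the built-in mode stays None. -->
    <authentication mode="None" />
  </system.web>
  <system.webServer>
    <!-- BEFORE (as posted): preCondition="managedHandler" makes IIS skip both
         modules for .html and .js, so no redirect and no session cookie check.
    <modules>
      <add name="WSFederationAuthenticationModule" type="..." preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="..." preCondition="managedHandler" />
    </modules>
    -->
    <!-- AFTER: run all managed modules for all requests. The preCondition is
         dropped so the registration no longer depends on the handler type. -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </modules>
  </system.webServer>
</configuration>
```

The flag is site-wide, so images, stylesheets and scripts also pay the cost of the managed pipeline; the `<deny>` rule plus the `<location>` exception then decide which paths require an ACS session, and a quick check is to request /Index.html in a fresh browser session and confirm the 302 to the ACS issuer.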