For more than a couple of years, we have successfully used the approach outlined in this post for enabling mixed-mode authentication in our ASP.NET app: https://stackoverflow.com/a/7735008
We have 2 pages, Login.aspx and WindowsLogin.aspx, with appropriate elements as highlighted in the above post. Everything had been working fine until recently, when it broke, and we are unable to figure out why or when it broke down (for a few months, we had been working on major new features in our app, we added a few managed modules and other things, but I have tried eliminating them one at a time to no avail).
We have this defined for our global authentication:
    <system.web>
        <authentication mode="Forms">
            <forms cookieless="UseCookies" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="10" />
        </authentication>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <basicAuthentication enabled="false" />
                <digestAuthentication enabled="false" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
Then the appropriate elements exactly as in the referenced post. Now when I visit WindowsLogin.aspx directly in the browser, it 302-redirects me to Login.aspx with the return URL set to WindowsLogin.aspx. I have tried simplifying web.config by eliminating all unneeded configuration until all that remained was the bare-bones authentication and other pieces. Still, WindowsLogin.aspx redirects to Login.aspx (i.e. Forms authentication is kicking in on the WindowsLogin.aspx page).
The interesting thing is that if I change loginUrl to WindowsLogin.aspx (with everything else remaining exactly the same), then WindowsLogin.aspx shows me the native browser authentication challenge as expected.
I have tried and exhausted all options I could think of to get this to work with loginUrl set to Login.aspx, but it simply doesn't work.
I enabled IIS tracing rules for the 302 redirect and captured a log file where WindowsLogin.aspx was redirecting to Login.aspx (with loginUrl set to Login.aspx). The trace file is available here: http://imbibe.in/public/fr000001.xml
Can someone please help me figure out why the FormsAuthentication module is kicking in on the WindowsLogin.aspx page when it's the WindowsAuthentication module that is supposed to do the auth there? And why does just switching the login URL raise the 401 challenge on the Windows Auth page? We are working with IIS 7.5 on Win Server 2008.
UPDATE: I created a simple web app with only 3 pages, Default, Login and WindowsLogin, and followed the mixed-mode authentication approach on the same server, and it worked. Which obviously means it's something in our application/app pool that is interfering. I am hoping the IIS Trace log provided can shed some light on it.
If I completely remove <authentication mode="Forms"> from our app's web.config (which essentially means no auth is enabled), then the Login and WindowsLogin pages work fine.
But with the current configuration only, going to WindowsLogin redirects back to Login.aspx.
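
An added example, not part of the original post: a small Python check that resolves which IIS authentication schemes are in effect for a given page by merging the site-wide section with any matching `<location>` override, next to the Forms `loginUrl`. The global sections are the ones quoted above; the `<location path="WindowsLogin.aspx">` block and the function names are assumptions, since the post does not show its per-page elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: global sections as quoted in the post; the <location>
# override is an assumption, since the post does not show that part.
SAMPLE = """<configuration>
<system.web><authentication mode="Forms">
  <forms cookieless="UseCookies" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="10" />
</authentication></system.web>
<system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" />
  <basicAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <windowsAuthentication enabled="false" />
</authentication></security></system.webServer>
<location path="WindowsLogin.aspx">
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
</location>
</configuration>"""

IIS_AUTH = "system.webServer/security/authentication"

def iis_schemes(node):
    """Return {scheme: enabled} for the IIS authentication elements under node."""
    section = node.find(IIS_AUTH)
    if section is None:
        return {}
    return {c.tag: c.get("enabled", "").lower() == "true" for c in section}

def effective_auth(config_xml, page):
    """Merge the site-wide IIS schemes with the <location> override for page."""
    root = ET.fromstring(config_xml)
    schemes = iis_schemes(root)
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            schemes.update(iis_schemes(loc))  # per-page values win
    forms = root.find("system.web/authentication/forms")
    login_url = forms.get("loginUrl") if forms is not None else None
    enabled = sorted(name for name, on in schemes.items() if on)
    return {"enabled": enabled, "forms_login_url": login_url}

if __name__ == "__main__":
    for page in ("Login.aspx", "WindowsLogin.aspx"):
        print(page, effective_auth(SAMPLE, page))
```

Run against the real web.config, this shows at a glance whether a page such as WindowsLogin.aspx ends up with only `windowsAuthentication` enabled while the Forms `loginUrl` still points at a different page, which is the combination the post describes.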