5

I am in the process of moving some sites over to a new windows 2003 installation running IIS6. However I am running into problems with forms authentication. The sites in question run fine on the old box which is the same OS and IIS version.

When I try to login to the website I get an event log "URL authorization failed for the request" and the page redirects back to:-

http://www.demo.socialclause.net/logout.aspx?ReturnUrl=/Secure/Procurement/Default.aspx

Both the old and new servers contain the same set-up and the same permissions. Obviously I am missing a setting somewhere but can't fathom it out. Can anyone help?

My web.config contains this:-

<authentication mode="Forms">
  <forms slidingExpiration="true" name=".ASPXAUTH" protection="All" loginUrl="~/logout.aspx" timeout="60"></forms>
</authentication>

and inside the /secure dir (this is not a virtual directory) my web.config contains:-

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

The event log shows:

Event Type: Information
Event Source:   ASP.NET 2.0.50727.0
Event Category: Web Event 
Event ID:   1314
Date:       26/05/2009
Time:       21:01:05
User:       N/A
Computer:   WILDEAA1
Description:
Event code: 4007 
Event message: URL authorization failed for the request. 
Event time: 26/05/2009 21:01:05 
Event time (UTC): 26/05/2009 20:01:05 
Event ID: af3bac34e6d74630b937a5a05d0f25f2 
Event sequence: 4 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/2067908276/Root-1-128878416581538912 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\Inetpub\websites\www.demo.socialclause.net\htdocs\ 
    Machine name: WILDEAA1 

Process information: 
    Process ID: 1076 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Request information: 
    Request URL: http://demo.socialclause.net/Secure/Procurement/Default.aspx 
    Request path: /Secure/Procurement/Default.aspx 
    User host address: 91.84.25.241 
    User: richard@wildesoft.net 
    Is authenticated: True 
    Authentication Type: Forms 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
Rippo

5 Answers

3

Try deny users ? (anonymous) instead of * (all)

<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" loginUrl="~/Common/Login.aspx" timeout="450" />
</authentication>
<authorization>
  <deny users="?" />
  <allow roles="Admin" />
</authorization>
CRice
  • How strange looks like I am now getting into the "secure area" but it appears that the site is now not identifying the IsInRole method as each role returns false. User.IsInRole("SystemAdmin") I still don't understand why this site works on the old box. I have just copied the files over and set up the new box in exactly the same way. Any more ideas? – Rippo May 27 '09 at 07:21
  • Sounds like your user has no roles assigned, that's why you can log in still (aren't anonymous). Have a look at the role provider, and are you using the membership aspnetdb? – CRice May 27 '09 at 07:32
  • Boon, this is not the problem. The site and database have been cloned and I am logging in as the same user. The site works on my dev box, on the old windows 2003 server but not on the new 2003 server. It must be something else causing the problem. It must be something I am missing.... Any more ideas? I am not using the membership aspnetdb. – Rippo May 27 '09 at 07:37
  • 1
    Actually, won't this allow access to any authenticated user? – Derek Hunziker Jul 27 '10 at 16:42
  • I think Derek is right. My testing shows that this allows access to any authenticated user, not just the users in the allowed roles. So it seems to work, by allowing ALL authenticated users in. – Polyfun Jan 11 '17 at 16:23
0

Try this? Basically, you were stating allow x, y, z and then deny all.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
    </authorization>
  </system.web>
</configuration>

If that doesn't work, try this.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Sean
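The thread above turns on how ASP.NET's UrlAuthorizationModule walks the <authorization> rules: the first rule that matches the current principal decides, and if nothing matches the machine-level default (allow users="*") lets the request through. The following Python script is an added example, not code from the question or from any answer; it parses authorization sections in the shape used on this page and evaluates them with that first-match logic. The principals (an admin in SystemAdmin, an authenticated user with no roles, and an anonymous visitor) are constructed for the demonstration; role matching is plain string equality, a simplification of what the configured role provider's IsInRole would do.

```python
"""Simulate first-match evaluation of ASP.NET <authorization> rules (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Constructed principals: name None means the request is anonymous.
@dataclass(frozen=True)
class Principal:
    name: Optional[str]
    roles: FrozenSet[str] = field(default_factory=frozenset)

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None

Rule = Tuple[str, List[str], List[str]]  # (action, users, roles)

def parse_rules(config_xml: str) -> List[Rule]:
    """Return the <allow>/<deny> rules in document order."""
    section = ET.fromstring(config_xml).find(".//authorization")
    if section is None:
        return []
    rules = []
    for el in section:
        split = lambda attr: [v.strip() for v in el.get(attr, "").split(",") if v.strip()]
        rules.append((el.tag, split("users"), split("roles")))
    return rules

def rule_matches(users: List[str], roles: List[str], p: Principal) -> bool:
    for u in users:
        if u == "*":                                  # everyone
            return True
        if u == "?" and not p.is_authenticated:       # anonymous only
            return True
        if p.is_authenticated and u.lower() == p.name.lower():
            return True
    return any(r in p.roles for r in roles)           # simplified IsInRole

def is_authorized(rules: List[Rule], p: Principal) -> bool:
    for action, users, roles in rules:
        if rule_matches(users, roles, p):
            return action == "allow"
    return True  # no rule matched: inherited machine default is <allow users="*"/>

# The three configurations discussed in the thread, as posted.
OP_CONFIG = """<configuration><system.web><authorization>
  <allow roles="ClauseAdmin"/><allow roles="ProcurementAdmin"/>
  <allow roles="ReportAdmin"/><allow roles="SystemAdmin"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""

DENY_ANON_THEN_ALLOW = """<configuration><system.web><authorization>
  <deny users="?"/><allow roles="Admin"/>
</authorization></system.web></configuration>"""

DENY_ALL_FIRST = """<configuration><system.web><authorization>
  <deny users="*"/><allow roles="SystemAdmin"/>
</authorization></system.web></configuration>"""

ADMIN = Principal("alice@example.net", frozenset({"SystemAdmin"}))   # constructed
NO_ROLES = Principal("alice@example.net")                           # authenticated, roles empty
ANON = Principal(None)

def evaluate(config_xml: str) -> Tuple[bool, bool, bool]:
    """(admin, authenticated-without-roles, anonymous) outcomes for one config."""
    rules = parse_rules(config_xml)
    return tuple(is_authorized(rules, p) for p in (ADMIN, NO_ROLES, ANON))

if __name__ == "__main__":
    for label, cfg in [("question", OP_CONFIG),
                       ("deny ? then allow", DENY_ANON_THEN_ALLOW),
                       ("deny * first", DENY_ALL_FIRST)]:
        print(f"{label:>18}: admin={evaluate(cfg)[0]} no_roles={evaluate(cfg)[1]} anon={evaluate(cfg)[2]}")
```

Run as a script, it shows the three behaviours the thread describes: the question's config admits the admin and rejects both the role-less user (the 4007 "URL authorization failed" symptom when roles are not being loaded) and anonymous requests; putting <deny users="?"/> ahead of the role rule admits every authenticated user because nothing matches a role-less principal and the inherited default allows; and putting <deny users="*"/> first locks everyone out.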
0

I had the same error message cropping up and it turned out that my role names in the authorization section of my web.config were spelled incorrectly.

Derek Hunziker
0

I have only used the sql role provider so far... I think the answer lies in the role provider you are using. Your users don't seem to be getting assigned roles. Can you supply your web.config section on this? For example this is mine:

<roleManager enabled="true" defaultProvider="IDTSqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
  <providers>
    <clear/>
    <add
      name="IDTSqlRoleProvider"
      type="System.Web.Security.SqlRoleProvider"
      connectionStringName="SqlMembershipConnectionString"
      applicationName="ConsumerSynergy"/>
  </providers>
</roleManager>
CRice
-3

Just guessing here, because I wouldn't use IIS if you paid me, but perhaps you're missing some certificates or password files that need to be installed on the server? Maybe you need to tell IIS about the Roles/Users you're trying to match.

EDIT: Going by the additional information you have revealed I'd rule out certificates and concentrate on how roles are defined. You say they are defined in the database but the fact they became invalid when you switched server suggests three possibilities:

  1. Your roles are defined as Windows System Accounts or IIS users.
  2. Your roles are defined as database users but you only copied the data tables, not the users (by that I mean database users, not a "users" table in the database).
  3. Your roles are defined but permissions to read them have changed.

I suspect it's 1.) IIS users.

SpliFF
  • The roles are defined in a database and get pulled out when the user logs in. The site works on the old box. I think it has something to do with permissions or even a global policy, but I can't seem to find out the answer. – Rippo May 27 '09 at 07:07
  • Nonetheless the language implies an 'URL authorisation' problem. I suspect your SSL or server certificates may not be set up correctly. – SpliFF May 27 '09 at 07:40
  • I am sorry but I am not using SSL, I can't see how this would be a problem anyway. How did you deduct that SSL is the problem? – Rippo May 27 '09 at 17:28
  • Because SSL client-side certificates are a way to limit access to secure areas. – SpliFF May 28 '09 at 00:55