Home > Enterprise >  Access denied (401.2) when loading default documents using Owin with Identity 2.0
Access denied (401.2) when loading default documents using Owin with Identity 2.0

Time:10-03

We recently converted a Framework 4.8 WebForms project that was using Forms Authentication to use Identity 2.0 Authentication and now we can't access default documents or images without allowing anonymous access.

Once authenticated with Identity, if you browse to a folder such as http://mysite/dashboard/default.aspx it works fine. However, if the default page is not in the path as in http://mysite/dashboard/ it returns 401.2 as though IIS needs permissions to server the page :

*Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.*

We have <authentication mode="None"> which I understand is correct for this situation. IIS is configured to use default documents just as it was when we were using Forms Authentication.

We also deny unauthenticated users with the System.Web.Security.UrlAuthorizationModule:

<authorization>
      <deny users="?" />
</authorization>

If we allow anonymous on the folder it does work but we don't what anonymous access on these locations.

<location path="Dashboard">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>  

So, how do you configure IIS to access default documents without 'allow anonymous' so it works like it did under Forms Authentication.

Thanks!!!

CodePudding user response:

Try to add this to the System.Webserver section

<modules>
  <remove name="FormsAuthentication"/>
   <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"  />
</modules> 

The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content.

CodePudding user response:

Found that adding <modules runAllManagedModulesForAllRequests="true"> to the web.config resolved the issues. Not really sure why at this point. I did notice that the request for a static file did not include the user identity which was working before removing Forms Authentication. After adding this, the user identity started showing up in the request.

  • Related