5
votes

I have found some posts on this, but I can't seem to find the right solution:

I have a .NET 4.0 web application that uses Forms authentication very well. Now, I wanted to implement the same thing in a new project in 4.5, but I keep getting a 401.2 (access denied) error on the login page when I enter an unauthorized section.

The application redirects correctly (in an MVC way of things, without the .aspx in my pages), but on the login page, I keep getting the error that I am unauthorized to view this page due to server configurations.

I then tried the demo from Microsoft, which says framework 4.5 is supported, but it still doesn't work.

This is my general web.config section:

    <authentication mode="Forms">
      <forms loginUrl="/admin/Login.aspx" />
    </authentication>

And this is the web.config in my folder which I want to be protected from unauthorized users:

    <system.web>
     <authorization>
      <deny users="?" />
     </authorization>
    </system.web>

When I set allow users="*" the application works fine, and I can enter every page. I then thought it might have something to do with the MVC approach in my forms authentication, but that doesn't seem to be the problem. I also tried this fix from Rick Strahl, but that didn't help. (link)

Any ideas?

EDIT: When I change the location of my login.aspx to a folder outside the protected area I get redirected correctly, but I would like to keep the login.aspx page inside the protected folder, as I did before. Visual Studio automatically allows access to the loginUrl="", no?

6 Answers

3
votes

In my case, the issue was related to Visual Studio 2017. My task was to convert an old .NET website to a web application project. As part of the task, I created a new VS2017 web application project, copied in needed files from the old web site code base, ran Convert to Web Application, added namespaces, etc., and got things working, mostly.

The app uses forms authentication and the webconfig forms tag references LocalLogin.aspx page, but I would get an "access is denied" msg in the browser and could never get to the LocalLogin.aspx page. After much googling I found this:

"Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web app project. Because of this package, forms authentication will not work and even the login page will not render many times." Go to this thread for more info:

Login Page in ASP.NET application with FormsAuthentication access denied

After looking at the possible solutions in that thread, I opted to remove the friendly urls reference (Microsoft.AspNet.FriendlyUrls), and leave the extensions on the loginUrl and defaultUrl elements in the web.config forms tag. Incidentally, there was no NuGet package added to the solution, just the reference. I removed the reference, and also had to comment out a routeconfig call and method.

After doing this, it still gave the "access is denied" msg in the browser, but it turns out that I also needed to remove a cached permanent 301 redirect to friendly urls from the browser, which was created by the use of the FriendlyUrls component to begin with.

I googled "remove 301 redirect from browser cache", and followed this:

"To clear a permanent redirect, go to chrome://net-internals. On the right of the top red status bar, click on the down arrow ▼ to open the drop-down menu, and under the "Tools" group, choose "Clear cache". As of version 48, this was the only thing that worked for me to clear a cached 301."

How long do browsers cache HTTP 301s?

Now, all is well, and hopefully some of my pulled out hair grows back!

0
votes

Ensure that your web.config file has the correct connection settings to your aspnetdb and that you are using the correct membership provider.

Some other troubleshooting tips:

Right click your web solution and ensure that the following properties are set:

  • Anonymous Authentication = Enabled
  • Windows Authentication = Disabled
  • Set a break-point in your app and ensure that you are hitting the correct database. If you have not registered an account then you should be redirected to the register web page.

In 4.5 the default layout will create an Account folder with the Login, Register, and other OpenAuthProviders type webpages so you can manage all the user security. However, you do not have to follow this model. I would read this from MSDN: How to: Implement Simple Forms Authentication

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" defaultUrl="~/" />
    </authentication>

0
votes

It worked for me after commenting out the following module in the web.config:

    <system.webServer>
      <!--<modules><remove name="FormsAuthentication" />
      </modules>-->
    </system.webServer>

0
votes

Try this: replace your loginUrl

    loginUrl="~/admin/Login.aspx"

0
votes

Disabling friendly urls worked for me.

If you don't care about the implication of doing this, just remove routes.EnableFriendlyUrls(settings) from the RouteConfig class.

-1
votes

Please use the code below and try. This is the reverse way of doing it.

    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
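
Added example, not taken from any of the posts above: a folder-level web.config that keeps deny users="?" for the protected folder and opens only the login page through a location element, rather than allowing anonymous users folder-wide. The file placement (admin/web.config) and the path Login.aspx are assumptions based on the loginUrl in the question.

```xml
<!-- admin/web.config (folder and file names assumed from the question) -->
<configuration>

  <!-- Rules for everything in this folder: anonymous users ("?") are refused
       and redirected to the forms loginUrl. Replacing this with
       allow users="?" would open the whole folder to unauthenticated
       requests. -->
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception scoped to the login page only. Authorization rules are
       evaluated top-down and the first match wins, so this allow applies
       to Login.aspx and to nothing else in the folder. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

The exception matches the literal path Login.aspx only; a request that reaches the login page under a different URL still falls under the folder's deny rule.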