ChrisCa

Reputation: 11056

Forms authentication ignored in virtual application

I have an admin site set up as a virtual application inside of another website.

I would like visitors to the sub directory (the virtual application) to be prompted for credentials using the same Forms authentication set up on the main parent site.

Have tried all sorts of things but can't get it to work, including

Removing all <authentication mode="Forms">, <authorization>, <membership> and <roles> sections from the virtual-app web.config

Copying the same <authentication mode="Forms">, <authorization>, <membership> and <roles> sections from the parent to the virtual-app web.config

Using a virtual directory instead of virtual application

But I never get prompted for credentials

Anyone know how to get this setup?

thanks

UPDATE:

Have now got it to inherit permissions from the parent, by deleting the application name in IIS (to make it a virtual directory rather than a virtual application)

However, this screws all the paths in the admin site

e.g. I get the following error

The file '/Site.master' does not exist.

So should I be using a virtual directory (which seems to inherit authentication from the parent)?

Or a virtual application (which currently doesn't inherit auth from the parent but has the correct relative paths)?

Here's the parent config

<membership defaultProvider="SqlServerMembershipProvider">
    <providers>
        <add connectionStringName="xxxxxxxx" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    </providers>
</membership>
<roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
    <providers>
        <add connectionStringName="xxxxxxx" applicationName="/" name="SqlServerRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    </providers>
</roleManager>

<authentication mode="Forms">
    <forms name=".EPiServerLogin" loginUrl="login.aspx" timeout="120"/>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>

Upvotes: 4

Views: 3485

Answers (3)

rlb.usa

Reputation: 15041

We do what you're trying to do quite often here.

We do it this way: the root level is a virtual application, it contains the master web.config and global.ascx. We have a normal folder, 'Admin', inside of that. Inside of that, we have a small web.config; it only contains <authorization> XML information. You'll need a login page somewhere, either in the root or the Admin folder.

I was a little confused in your post about whether there are three applications/directories involved (app, parent app, app's admin), or only two (app & its admin). I'm making a critical assumption here that it's two. If you do have the three, it's going to be some more work to get this thing going.


Upvotes: 0

ChrisCa

Reputation: 11056

I needed to use a single sign on solution, as described here

http://www.codeproject.com/KB/aspnet/SingleSignon.aspx

The main point being, each site needs to use the same encryption key for the cookie values. So this machineKey element needs to be added to each site involved in the Single Sign On

Upvotes: 2
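
A sketch of the shared-key setup this answer describes, added here as an example and not taken from the answer or the linked article. The key values are placeholders, the virtual application is assumed to be mounted directly under the site root, and the cookie name and login page come from the parent config in the question.

```xml
<!-- Parent site web.config (constructed example; key values are placeholders) -->
<configuration>
  <system.web>
    <!-- Explicit keys replace the default "AutoGenerate,IsolateApps", which gives
         every application its own key, so a ticket issued by the parent cannot be
         validated or decrypted by the virtual application. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" decryption="AES" />
    <authentication mode="Forms">
      <!-- path="/" sends the cookie to both applications -->
      <forms name=".EPiServerLogin" loginUrl="login.aspx" timeout="120"
             path="/" protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Virtual application web.config (second file, same placeholders) -->
<configuration>
  <system.web>
    <!-- Must match the parent's element attribute for attribute -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" decryption="AES" />
    <authentication mode="Forms">
      <!-- Same cookie name as the parent; the root-relative loginUrl sends
           unauthenticated visitors to the parent's login page. -->
      <forms name=".EPiServerLogin" loginUrl="/login.aspx" timeout="120"
             path="/" protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The two keys are secrets: anyone holding them can forge a valid authentication ticket, so generate them randomly and keep them out of source control.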

Zhaph - Ben Duguid

Reputation: 26976

How have you configured authorization?

Also, I assume you're not already authenticated in the parent site?

In the admin subdirectory you should have something like the following in your web.config (obviously you may have more information in there as well):

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

This will deny all anonymous users, but allow all authenticated users access. You can easily extend this if you are using a Role Provider to only allow certain roles:

      <allow roles="Admin" />
      <deny users="*" />

Note that you need the "Deny all users" in there, as the default behaviour is to allow all users. Authorization works "top down" in that it starts at the top of the list, and as soon as it finds a match, it stops processing, so if the user is in the "Admin" role, it will not get to the "Deny all users" rule.

You can also configure this in the root web.config using a <location> element.

Responding to comments

And your authentication/authorization all works in the parent site?

Could you edit your question to include (sanitised) web.config sections you've tried so we can see if there's anything obvious missing - for example, if you're using Roles to lock down the admin area, you have enabled it (<roleManager enabled="true">, defaults to false).

Upvotes: 1
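
The `<location>` variant mentioned in this answer, written out as an added example that is not part of the original answer. It assumes "Admin" is a folder of the parent application and that a role named "Admin" exists; the forms settings are copied from the question.

```xml
<!-- Root web.config of the parent application (constructed example) -->
<configuration>
  <system.web>
    <!-- Role rules only take effect when the role manager is enabled
         (it defaults to false) -->
    <roleManager enabled="true" />
    <authentication mode="Forms">
      <forms name=".EPiServerLogin" loginUrl="login.aspx" timeout="120" />
    </authentication>
    <authorization>
      <!-- Site-wide rule: anonymous users are sent to the login page -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Stricter rules for the Admin folder, kept in the root file instead of
       a separate Admin/web.config -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are read top down and the first match wins, so the allow
             rule has to come before the catch-all deny. With the two lines
             swapped, deny users="*" matches first and members of the Admin
             role are locked out as well. -->
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```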
