I am using awstats for my IIS 7.5.
I try to use forms authentication, but it only works on the directory (http://XXXX.com/awstats/wwwroot/cgi-bin/).
However, I can go to http://XXXX.com/awstats/wwwroot/cgi-bin/awstats.pl?config=testsite directly without login.
I want people to execute this (awstats.pl?config=testsite) before login.
I don't want to create a local domain for the users because I will have many users using awstats in different subfolders.
The web.config in /awstats:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="SIPE_ASPXAUTH" loginUrl="~/Login.aspx" protection="All" path="/" timeout="20">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="Perl" path="*.pl" verb="GET,HEAD,POST" modules="CgiModule" scriptProcessor="C:\Perl64\bin\perl.exe &quot;%s&quot; %s" resourceType="Unspecified" requireAccess="Script" preCondition="bitness64" />
</handlers>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
This is my web.config file. I am getting a 500 exception after I deployed the project to an Azure server. If I remove V2 in modules, the application runs, but it runs on Kestrel, not in IIS.
<configuration>
<location path="." inheritInChildApplications="false">
<!--<system.web>
<httpRuntime maxRequestLength="204800" enableVersionHeader="false" />
</system.web>-->
<system.webServer>
<security>
<!--Removes Server header from response-->
<requestFiltering removeServerHeader="true">
<!--200 MB in bytes-->
<requestLimits maxAllowedContentLength="209715200" maxQueryString="10240" />
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<remove name="X-AspNet-Version" />
<remove name="X-Forwarded-Host" />
<remove name="Server" />
</customHeaders>
</httpProtocol>
<handlers>
<remove name="aspNetCore" />
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\Data.WebAPI.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" hostingModel = "inprocess"/>
</system.webServer>
</location>
</configuration>
I am using OKTA as an IdP for an SSO feature. I have added an application in OKTA and have defined the settings below:
Single sign on URL & Audience URI (SP Entity ID) : http://localhost/KentorBeginner/ (Even tried by removing trailing slash)
On browsing the OKTA SSO URL (different from the above), OKTA redirects to my IIS-configured application (KentorBeginner), but I am getting an HTTP Error 405.0 - Method Not Allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.
Please find the below screenshots for reference.
Thanking you.
Regards,
Ravi Karavadia
Actually, the problem lay in posting the request to an html file.
IIS sees html files as static and only allows them to use GET and HEAD verbs, so when a form was posted I was getting "405 Method Not Allowed...cannot be displayed because an invalid method (HTTP verb) is being used" error.
We need to configure whatever language you're using to handle the html files instead of the static file handler.
So I added the entry below, under the handlers tag of System.WebServer, to handle html files with a different handler.
Below is my web.config snippet.
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="ISAPI-dll" />
<remove name="StaticFile" />
<remove name="WebDAV" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Script" />
<add name="ISAPI-dll" path="*.dll" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Either" requireAccess="Execute" allowPathInfo="true" preCondition="bitness32" />
<add name="html" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
</handlers>
<defaultDocument enabled="true">
<files>
<clear />
<add value="Hello.html" />
</files>
</defaultDocument>
<security>
<requestFiltering>
<verbs>
<add verb="POST" allowed="true" />
</verbs>
<fileExtensions>
<add fileExtension=".html" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
Thanking you.
Regards,
Ravi Karavadia
I was getting this error on Firefox because I was using the Facebook Container extension. After disabling Facebook Container in about:addons I can log in normally, without getting the "Method Not Allowed" error.
I have a web app that I'm trying to get working with Windows Auth. However, no matter what I do, I can't get past a 401.
web.config
<configuration>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
<authorization>
<clear />
<add accessType="Deny" users="?" />
<add accessType="Allow" users="CABLE\mmulhe200" />
</authorization>
</security>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="WWW Server" areas="Authentication,Security,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket" verbosity="Verbose" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="401.1" />
</add>
</traceFailedRequests>
</tracing>
</system.webServer>
</configuration>
IIS Failed Request Trace Output (Partial)
<failedRequest url="http://dev.windowsauthtest.com:80/"
siteId="3"
appPoolId="windowsAuthTest"
processId="33204"
verb="GET"
authenticationType="NOT_AVAILABLE" activityId="{80000727-0003-F400-B63F-84710C7967BB}"
failureReason="STATUS_CODE"
statusCode="401.1"
triggerStatusCode="401.1"
timeTaken="0"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
The part that concerns me is
authenticationType="NOT_AVAILABLE"
I get prompted to enter my credentials and I enter my NT username/password and it just keeps re-prompting.
Any ideas?
I'm having problems figuring out how to transform the web.config file when my NuGet package is installed. It's doing some of the transformations, but not all of them.
Here's the untouched web.config file that I need to modify upon installation of my NuGet package:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
<system.web>
<authentication mode="None" /> <!-- I want this removed -->
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" /> <!-- I want this removed -->
</modules>
</system.webServer>
</configuration>
Here's what I want as the result:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="MvcMailer.BaseURL" value="" />
<add key="SecurityGuardEmailFrom" value="info#email.net" />
<add key="SecurityGuardEmailSubject" value="Your Password has been reset." />
<add key="SecurityGuardEmailTemplatePath" value="~/MailerTemplates/ResetPassword.html" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/SGAccount/Login" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules>
</modules>
</system.webServer>
</configuration>
This is transformed web.config file in the MVC application, which is incorrect:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="MvcMailer.BaseURL" value="" />
<add key="SecurityGuardEmailFrom" value="info#email.net" />
<add key="SecurityGuardEmailSubject" value="Your Password has been reset." />
<add key="SecurityGuardEmailTemplatePath" value="~/MailerTemplates/ResetPassword.html" />
</appSettings>
<system.web>
<authentication mode="None" /> <!-- Not removed when it should be -->
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/SGAccount/Login" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" /> <!-- Not removed when it should be -->
</modules>
</system.webServer>
</configuration>
And this is my web.config.install.xdt file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<authentication mode="None" xdt:Transform="Remove" xdt:Locator="Match(mode)" />
<authentication mode="Forms" xdt:Transform="Insert">
<forms loginUrl="~/SGAccount/Login" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" xdt:Transform="Remove" xdt:Locator="Match(name)" />
</modules>
</system.webServer>
</configuration>
I've read all the documentation on the Nuget.org site about how to use the XDT transformations, and it even works on this tester site; https://webconfigtransformationtester.apphb.com/, but it doesn't work in action.
I'm stumped. Any suggestions on how to make this work?
Here's what the new web.config.install.xdt looks like that handled the job successfully:
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<appSettings>
<add key="SecurityGuardEmailFrom" value="info#email.net" xdt:Transform="Insert" />
<add key="SecurityGuardEmailSubject" value="Your Password has been reset." xdt:Transform="Insert" />
<add key="SecurityGuardEmailTemplatePath" value="~/MailerTemplates/ResetPassword.html" xdt:Transform="Insert" />
</appSettings>
<system.web>
<authentication mode="Forms" xdt:Transform="SetAttributes" />
<authentication mode="Forms">
<forms loginUrl="~/SGAccount/Login" timeout="2880" xdt:Transform="Insert" />
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" xdt:Transform="Remove" />
</modules>
</system.webServer>
</configuration>
Instead of trying to Remove the original authentication element, I changed the mode attribute, then I Inserted the forms element. The rest seemed to work itself out once this worked correctly.
We are adding a couple of pages to our application that don't need to be locked down behind a login. How would I open up two pages to be publicly accessible?
Here is my Web.config:
<authentication mode="Forms">
<forms name=".ORGANIZATION" loginUrl="Default.aspx" protection="All" timeout="120"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
We want page1.aspx and page2.aspx to be public. How would I allow that?
You would add a location in the web.config to exempt them:
<configuration>
<!-- The rest of your web.config -->
<system.web>
<authentication mode="Forms">
<forms name=".ORGANIZATION" loginUrl="Default.aspx" protection="All" timeout="120"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="page1.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="page2.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
In an authenticated website, you can use the Location element in web.config to specify that a page can be accessed anonymously.
In this web.config section anyone can get to the RecoverPassword page without being authenticated, but no one can access pages in the Admin folder without being authenticated.
<configuration>
<!-- path may name a file (as here) or a folder such as "Admin"; specify only one per location element -->
<location path="RecoverPassword.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="UserLogin.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>