I created an ASP.NET Web Forms template project with VS2017.

I am trying to make forms authentication work. At present I am unable to get any kind of redirect to my login page. The behaviour is:

Browse to website => access denied. No logon page seen. Also, if I try to browse to the logon page at localhost/Account/Login it says access denied.

In Web.config I added the forms authentication section and specified the login page:

```xml
<appSettings>
  <add key="owin:AutomaticAppStartup" value="false"/>
</appSettings>
<system.web>
  <trust level="Full" />
  <authentication mode="Forms">
    <forms name="dealer-bdopcycling" path="/" defaultUrl="~/" loginUrl="~/Account/Login" protection="All" timeout="30" />
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>...
```

Additionally, as you can see, I blocked access for all non-authenticated users.

Furthermore, due to the infinite redirect loop thanks to the template, and following this post, I added the key to stop Owin automatic app startup.

I have confirmed the settings: anonymous authentication ENABLED, windows authentication DISABLED.

Another strange behaviour is that if I remove the key to stop Owin automatic startup, I do not get access denied if I browse to the application (or the login page). I do get the redirect, but with an infinite redirect loop and server error.

The code in Startup.Auth.cs that comes with the template was said in another post to be causing part of the trouble, and I also found that commenting out the login path line meant the infinite loop disappeared and the inability to access anything returned:

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Per-request instances of the db context, user manager and sign-in manager
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),  // commenting out this changes infinite loop to cannot login
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

I'd just like to know how to fix it?

Hanshan

2 Answers

1

You are denying access for all users <deny users="?"/> for the complete site. And that includes the login page. That is why you get a loop. So you need to give all users permission to view the login page.

Add this snippet after the </system.web>

```xml
<location path="~/Account/Login.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
```

Can't help you with the owin part though. Got no experience with that.

VDWWD
  • I placed this just before the in the root Web.config and unfortunately that has not worked. Was there another place I should have put it? Incidentally, I also have (and had) this in the Account folder Web.config as well. – Hanshan Apr 26 '17 at 07:19
  • 1
    Place it just after ` – VDWWD Apr 26 '17 at 07:20
  • Hmm, it should. What happens if you remove all the owin stuff? – VDWWD Apr 26 '17 at 07:25
  • I tried commenting out all of the Owin stuff in the code above, and also in startup.cs (ConfigureAuth(app)). Unfortunately there is no change. – Hanshan Apr 26 '17 at 07:28
1

The default template includes the following line in the Web.config that was the cause of my problem (the one that is commented out):

```xml
<system.webServer>
  <modules>
    <!--<remove name="FormsAuthentication" />-->
    <remove name="ApplicationInsightsWebTracking" />
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>
```
Hanshan
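
A check for the misconfiguration identified in the second answer, as an added example (not code from the question or the answers): it parses a Web.config and reports when `authentication mode="Forms"` is set while `<remove name="FormsAuthentication" />` is still active under `system.webServer/modules`. The function names and the sample config are constructed here, and the check assumes IIS registers the FormsAuthentication module at server level by default.

```python
import xml.etree.ElementTree as ET

def forms_module_active(root):
    """Replay <clear/>, <remove> and <add> for FormsAuthentication in document order."""
    active = True  # assumption: the module is registered at server level (IIS default)
    modules = root.find("system.webServer/modules")
    for el in (modules if modules is not None else []):
        if el.tag == "clear":
            active = False
        elif el.get("name") == "FormsAuthentication":
            active = el.tag == "add"  # <remove> switches it off, a later <add> back on
    return active

def audit(web_config_xml):
    """Return findings for a Web.config that asks for forms auth but unloads its module."""
    root = ET.fromstring(web_config_xml)  # XML comments are dropped by the parser
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms" or forms_module_active(root):
        return []
    forms = auth.find("forms")
    login_url = forms.get("loginUrl") if forms is not None else "(default loginUrl)"
    finding = "authentication mode is Forms but the FormsAuthentication module is removed"
    denies = root.findall("system.web/authorization/deny")
    if any(d.get("users") == "?" for d in denies):
        finding += "; anonymous users are denied and nothing redirects them to " + login_url
    return [finding]

# Constructed sample assembled from the settings quoted on this page.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="dealer-bdopcycling" loginUrl="~/Account/Login" timeout="30" />
    </authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <system.webServer>
    <modules>
      {forms_line}
      <remove name="ApplicationInsightsWebTracking" />
    </modules>
  </system.webServer>
</configuration>"""
TEMPLATE = SAMPLE.format(forms_line='<remove name="FormsAuthentication" />')
FIXED = SAMPLE.format(forms_line='<!--<remove name="FormsAuthentication" />-->')

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE), ("fixed", FIXED)):
        print(label, audit(text) or "ok")
```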