Login Page in ASP.NET application with FormsAuthentication access denied

Question

I've got a webapp running that needs users to login. Webconfig:

    <!--Logging in stuff-->
    <authentication mode="Forms">
        <forms loginUrl="login.aspx" timeout="2880"/>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>

And in the login.aspx page (doubled checked the name) I have the following logic after verifying the user credentials using my own database:

    if (checkCredentials.searchCredentials(attemptedName, passwordBox.Text) != null)
            {
                FormsAuthentication.RedirectFromLoginPage(attemptedName,false);
            }

I know the if statement works, as it did with a previous method I used for logging in.

However, when I run the application, the login page opens up immediately with error 401.2.

Answer 1

I am posting another answer since this deals with the typical problem of using Visual Studio 2017 with forms authentication, and is an alternate to my previous answer.

Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web app project. Because of this package, forms authentication will not work and even the login page will not render many times.

• The solution explained in my previous answer is to remove this package or comment the line in Application_Start event in global.asax that says RouteConfig.RegisterRoutes(RouteTable.Routes);. Your website will lose the benefits of friendlyUrls if you use this approach.

• But, there is a third solution that is mentioned in two different CONFIGURATIONS below; you can use either of them.

  • CONFIGURATION 1 removes the aspx extension from login and defaultUrl
    values.

  • CONFIGURATION 2 keeps the aspx extensions but adds special access permissions for freindlyurl corresponding to login.aspx.

  (? in access permission means all unauthenticated users and * means all users i.e. authenticated + unauthenticated users)

NOTE: I have tried and tested this solution.

CONFIGURATION 1 for Forms authentication config when using Friendly Urls

<authentication mode="Forms">
<forms loginUrl="login" defaultUrl="home" 
   slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>

CONFIGURATION 2 for Forms authentication config when using Friendly Urls

<system.web>
<!--keep the aspx extensions for login and default pages-->
<authentication mode="Forms">
    <forms loginUrl="login.aspx" defaultUrl="home.aspx" 
       slidingExpiration="true" timeout="20" name=".Auth" protection="All">
    </forms>
    </authentication>
</system.web>

<!-- add access permissions for friendly url corresponding to login.aspx-->
<location path="login">
        <system.web>
            <authorization>
                <allow users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

Answer 2

Since you are using Visual Studio 2017, the first thing you need to check is if Microsoft.AspNet.FriendlyUrls package is included. Go through following steps.

• comment the line in Global.asax that says RouteConfig.RegisterRoutes(RouteTable.Routes); and try your page now. But, make sure to clear the cache in your browser else the old cached version of this URL with 401.2 error will keep showing.
• If you still see some issues, then just remove the above package by selecting Solution node in solution explorer and then going to Tools => NuGet Package Manager => Manage Packages for solution; check in Installed list for this package, select it and select the solution checkboxes on right,then click on uninstall button.

Below are some other things that you need to make sure.

Try changing your forms tag in web config to following. Change the value of defaultUrl and timeout according to your requirements.

<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="home.aspx" 
   slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

Also, your C# code must be in Login button click event; if it's anywhere else then also you could see issues.

Allow Login.aspx for all unauthenticated users. Add this configuration just before </configuration> at end of web config file. Enter the path for Login.aspx if its not in root like Security/login.aaspx if the page is under Security folder of root.

 <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
        <deny users="*" />
      </authorization>
    </system.web>
 </location>

Open the IIS Management console by going to Control Panel > Administrative Tools > Internet Information Services Manager. Then, expand the websites node and select the website you are using. Now double click Authentication in right pane and make sure Anonymous and Forms authentication are enabled and other options are disabled as shown in following screenshot: Security settings in IIS website

Answer 3

You can check to see if you have this kind of entry. If so, you could try remove it.

<system.webServer> 
    <modules> 
        <remove name="FormsAuthentication" /> 
    </modules> 
</system.webServer>