
  • Brian 7 posts 27 karma points
    Sep 30, 2015 @ 18:39
    Brian
    0

    Umbraco + IIS basic authentication

    I need to enable IIS basic authentication on my simple Umbraco site, to keep it from prying eyes. When enabled, after I enter in the basic auth username / password in the browser the first page that I am taken to is /login.aspx?ReturnUrl=%2f

    Is there any way to keep Umbraco from doing this? Why does enabling basic authentication in IIS take me to an Umbraco login page after logging in via IIS basic auth?

    Thanks!

  • David Peck 690 posts 1896 karma points c-trib
    Oct 05, 2015 @ 14:53
    David Peck
    0

    I'm not sure, but why is IIS authentication any more secure than the Forms authentication that comes with Umbraco?

    I'd stick with Umbraco authentication, and if that's not enough I'd limit access to the Umbraco folder based on IP.

  • Carl Jackson 139 posts 478 karma points
    Oct 05, 2015 @ 16:33
    Carl Jackson
    0

    In IIS you need to disable forms Authentication - You can't have Basic and Forms Authentication enabled at the same time as they conflict.

    In your web config search for "login.aspx" and you will see that it is the default login URL for forms Authentication and so IIS will try to redirect a 401 there.

    With Basic auth it makes you log in first .... then redirects you there!

    As said above though - if you need to stop people looking you can just protect the root of your site and add a simple login page - it is as secure as basic auth and allows you to manage users via Umbraco.

    Thanks

  • Brian 7 posts 27 karma points
    Oct 07, 2015 @ 15:02
    Brian
    0

    Thanks for your responses.

    I wish it was easier to just globally password protect the site, for the purpose of keeping people out during development / QA / UAT. I'm not just trying to keep people out of the Umbraco folder, I'm trying to block people or search engines (who are not the client or internal staff) from viewing the site altogether.

    It sounds like adding a simple login page is the only way to go. Limiting by IP is not going to be easy for us, as not everyone who accesses the site has a static IP.

  • David Peck 690 posts 1896 karma points c-trib
    Oct 07, 2015 @ 16:02
    David Peck
    0

    I see your issue. It's very hacky but, if you provided a static html page with a secret url, you could set a cookie with a complex value as a kind of key. Then you could get your controller(s) to check the cookie and throw a 403 HTTP Status code if the cookie value isn't good, otherwise carry on as normal.
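
The cookie check described in the last reply, written as an ASP.NET HttpModule so it covers every request instead of individual controllers. This is an added example, not code from the thread: the module name, the cookie name and the two appSettings keys are hypothetical, and it assumes the module itself answers the secret URL (rather than a static HTML page) so the cookie can be set HttpOnly and the key never appears in page source.

```csharp
// Added example, not from the thread. StagingGateModule, "staging_gate" and the
// StagingGate* appSettings keys are hypothetical names.
using System;
using System.Configuration;
using System.Text;
using System.Web;

public class StagingGateModule : IHttpModule
{
    private const string CookieName = "staging_gate";
    // Assumed to be set in <appSettings>; both should be long random strings.
    private static readonly string EntryPath = ConfigurationManager.AppSettings["StagingGateEntryPath"];
    private static readonly string Key = ConfigurationManager.AppSettings["StagingGateKey"];
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        // The secret URL hands out the cookie, then redirects to the home page.
        if (!string.IsNullOrEmpty(Key) && string.Equals(ctx.Request.Path, EntryPath, StringComparison.Ordinal))
        {
            ctx.Response.Cookies.Add(new HttpCookie(CookieName, Key)
            {
                HttpOnly = true, // not readable from script
                Secure = true    // assumes the staging site is served over HTTPS
            });
            ctx.Response.Redirect("/", false);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // Fail closed: a missing key, a missing cookie or a wrong value all get 403.
        var cookie = ctx.Request.Cookies[CookieName];
        if (string.IsNullOrEmpty(Key) || cookie == null || !FixedTimeEquals(cookie.Value, Key))
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Compares without exiting at the first differing byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a ?? ""), y = Encoding.UTF8.GetBytes(b ?? "");
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

The module has to be registered under `system.webServer/modules` in web.config to run. The cookie value is a single shared secret, so anyone who obtains the entry URL or a copy of the cookie gets in until the key is changed.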
