I need to enable IIS basic authentication on my simple Umbraco site, to keep it from prying eyes. When enabled, after I enter in the basic auth username / password in the browser the first page that I am taken to is /login.aspx?ReturnUrl=%2f
Is there any way to keep Umbraco from doing this? Why does enabling basic authentication in IIS take me to an Umbraco login page after logging in via IIS basic auth?
In IIS you need to disable forms Authentication - You can't have Basic and Forms Authentication enabled at the same time as the conflict.
In your web config search for "login.aspx" and you will see that it is teh default login URL for forms Authentication and so IIS will try to redirect a 401 there .
With Basic auth t makes you login firts .... then redirects you there!
As said above though - if you need to stop people looking you can just protect the root of your site and add a simple login page - it is as secure as basic auth and alows you to manage users via Umbraco.
I wish it was easier to just globally password protect the site, for the purpose of keeping people out during development / QA / UAT. I'm not just trying to keep people out of the Umbraco folder, I'm trying to block people or search engines (who are not the client or internal staff) from viewing the site all-together.
It sounds like adding a simple login page is the only way to go. Limiting by IP is not going to be easy for us, as not everyone who accesses the site has a static IP.
I see your issue. It's very hacky but, if you provided a static html page with a secret url, you could set a cookie with a complex value as a kind of key. Then you could get your controller(s) to check the cookie and throw a 403 HTTP Status code if the cookie value isn't good, otherwise carry on as normal.
Umbraco + IIS basic authentication
I need to enable IIS basic authentication on my simple Umbraco site, to keep it from prying eyes. When enabled, after I enter in the basic auth username / password in the browser the first page that I am taken to is /login.aspx?ReturnUrl=%2f
Is there any way to keep Umbraco from doing this? Why does enabling basic authentication in IIS take me to an Umbraco login page after logging in via IIS basic auth?
Thanks!
I'm not sure, but why is IIS authentication any more secure than the Forms authentication that comes with Umbraco?
I'd stick with Umbraco authentication, and if that's not enough I'd limit access to the Umbraco folder based on IP.
In IIS you need to disable forms Authentication - You can't have Basic and Forms Authentication enabled at the same time as the conflict.
In your web config search for "login.aspx" and you will see that it is teh default login URL for forms Authentication and so IIS will try to redirect a 401 there .
With Basic auth t makes you login firts .... then redirects you there!
As said above though - if you need to stop people looking you can just protect the root of your site and add a simple login page - it is as secure as basic auth and alows you to manage users via Umbraco.
Thanks
Thanks for you responses.
I wish it was easier to just globally password protect the site, for the purpose of keeping people out during development / QA / UAT. I'm not just trying to keep people out of the Umbraco folder, I'm trying to block people or search engines (who are not the client or internal staff) from viewing the site all-together.
It sounds like adding a simple login page is the only way to go. Limiting by IP is not going to be easy for us, as not everyone who accesses the site has a static IP.
I see your issue. It's very hacky but, if you provided a static html page with a secret url, you could set a cookie with a complex value as a kind of key. Then you could get your controller(s) to check the cookie and throw a 403 HTTP Status code if the cookie value isn't good, otherwise carry on as normal.
is working on a reply...