Restricting Access to trace.axd using IIS Basic Authentication

15 Sep 2004
A technique to use the IIS Basic Authentication mechanism to control access to trace.axd.

Introduction

When you use IIS Basic Authentication, you generally end up placing all restricted content in one folder and all unrestricted content elsewhere. But what if you need to restrict access to a particular type of file, or to a URL that has no physical file on which to change the IIS security settings, such as trace.axd, without forcing every user to log in, while still letting IIS perform the authentication?

This could be achieved by writing your own HttpModule that handles every request and performs the Basic Authentication itself. However, with a few configuration changes and a small amount of code, the same effect can be achieved much more easily.

Solution

Step 1

The first step is to configure your main application to use Forms Authentication.

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Authentication/Login.aspx" name=".ASPNETFRM"/>
      </authentication>
    </system.web>

Forms Authentication only forces a user to log in when a resource has been denied to them. Because we have not specified an authorization section, all users still have access to all resources.

Step 2

To restrict access to trace.axd to authenticated users only, we need to add a location element to the web.config file. The deny rule uses the "?" wildcard, which matches anonymous (unauthenticated) users.

    <configuration>
      <location path="trace.axd">
        <authorization>
          <deny users="?"/>
        </authorization>
      </location>
      <system.web>
        ...
      </system.web>
    </configuration>

Step 3

Off the root of your web site, create a new web application called Authentication. This is the folder to which ASP.NET will redirect users who need to be authenticated. Its name must match the first part of the loginUrl attribute you added to the forms element in step 1.

In IIS, change the security settings of this folder: disable Anonymous, Digest and Integrated Windows authentication, and enable Basic authentication.

Step 4

Within the Authentication folder, create a file called Login.aspx. This file name must match the last part of the loginUrl attribute. It will contain the code that maps the Windows identity established by IIS to the ASP.NET forms-based authentication used by the rest of the site.

Within Login.aspx, copy the following code:

<%@ Page language="c#" AutoEventWireup="true"
                     Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Configuration" %>
<SCRIPT language="C#" runat="server">
    private void Page_Load(Object Src, EventArgs e)
    {
        // IIS has already performed Basic authentication for this folder,
        // so the Windows identity of the caller is available here.
        string user = HttpContext.Current.User.Identity.Name;

        // Non-persistent ticket valid for 30 minutes.
        FormsAuthenticationTicket ticket =
                  new FormsAuthenticationTicket( user, false, 30 );

        string encTicket = FormsAuthentication.Encrypt(ticket);

        // The cookie name comes from appSettings and must equal the
        // name attribute of the forms element in the root web.config.
        Response.Cookies.Add(
                      new HttpCookie(
                          ConfigurationSettings.AppSettings["AuthCookie"],
                          encTicket ) );

        // Send the user back to the page that originally required authentication.
        Response.Redirect(
                    FormsAuthentication.GetRedirectUrl( user, false ) );
    }
</SCRIPT>

When the Page_Load event runs, the code reads the name of the current user from the HttpContext. A new FormsAuthenticationTicket is created and returned to the user in a cookie. The cookie name must be the same as the name defined in the web.config.

The users who will be authenticating need valid NTFS permissions on both the Authentication folder and the Login.aspx page. You do not have to restrict access to these files; just ensure that all users are able to reach them.
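The Login.aspx above issues a ticket for whatever name IIS hands it. If Anonymous access is accidentally left enabled on the Authentication folder, Identity.Name is an empty string and the page would still mint a valid forms ticket, so the deny rule on trace.axd would no longer bite. The following is an added, more defensive version of the page; it is not the article's own code. It assumes the same layout as the article (the page lives in the Basic-protected Authentication application and reads the cookie name from the "AuthCookie" appSettings key), and the HttpCookie.HttpOnly property it sets requires .NET 2.0 or later, which is an assumption beyond the 2004 original.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Configuration" %>
<script language="C#" runat="server">
    // Added example (not the article's code): a fail-closed version of Login.aspx.
    private void Page_Load(object sender, EventArgs e)
    {
        // If IIS did not actually authenticate the caller (for example because
        // Anonymous access was left enabled on the folder), Identity.Name is empty.
        // A ticket for "" would still be treated as an authenticated forms identity,
        // so refuse rather than mint one.
        string user = Request.IsAuthenticated ? User.Identity.Name : null;
        if (user == null || user.Length == 0)
        {
            Response.StatusCode = 401;
            Response.End();
        }

        // The cookie name must match the forms element in the root web.config.
        // If the setting is missing, fail closed instead of issuing a cookie
        // under the default name, which no other application would honour.
        string cookieName = ConfigurationSettings.AppSettings["AuthCookie"];
        if (cookieName == null || cookieName.Length == 0)
        {
            Response.StatusCode = 500;
            Response.End();
        }

        // Non-persistent, 30-minute ticket, as in the article.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(user, false, 30);
        HttpCookie cookie = new HttpCookie(cookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = "/";                           // must cover every application in the site
        cookie.HttpOnly = true;                      // keep the ticket away from script (.NET 2.0+, assumption)
        cookie.Secure = Request.IsSecureConnection;  // Basic auth and the ticket both travel in clear unless over TLS
        Response.Cookies.Add(cookie);

        // Only follow a site-relative ReturnUrl; absolute, scheme-relative or
        // backslash-containing targets fall back to the site root.
        string target = FormsAuthentication.GetRedirectUrl(user, false);
        if (target == null || !target.StartsWith("/") ||
            target.StartsWith("//") || target.IndexOf('\\') >= 0)
        {
            target = "/";
        }
        Response.Redirect(target, true);
    }
</script>
```

The two early exits mean a misconfigured folder or web.config produces a visible 401 or 500 during testing instead of silently handing out a ticket, which is the failure mode you most want to notice before the site goes live.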

Step 5

Within the Authentication folder, create a new web.config file. In it we need to add the application settings value for the cookie name that Login.aspx reads, and we need to bind ASP.NET to the IIS authentication so that the User property of the HttpContext is populated with the details of the user who authenticated against IIS.

    <configuration>
      <appSettings>
        <add key="AuthCookie" value=".ASPNETFRM"/>
      </appSettings>
      <system.web>
        <authentication mode="Windows"/>
      </system.web>
    </configuration>

Step 6

Finally, the default behaviour of Forms Authentication is that each application within a web site receives its own unique encryption key for the cookie value (the default machineKey setting is AutoGenerate,IsolateApps). Because the cookie created by the Authentication application must be valid across all other applications in the web site, we need to switch this per-application isolation off by dropping the IsolateApps modifier.

Within the web.config file of the root application, add the following entry:

    <system.web>
      <machineKey validationKey="AutoGenerate"
                  decryptionKey="AutoGenerate"
                  validation="SHA1"/>
    </system.web>

Now try to access the trace.axd output. If everything is set up correctly, you will be asked to log in before the data is sent back to you.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.