ASP.NET 4.5 C # Forms Authentication access denied on login page
I found several posts on this subject, but I cannot find the correct solution:
I have a .net 4.0 web application that uses forms authentication very well. Now I wanted to implement the same in a new project in 4.5, but I keep getting a 401.2 (access denied) error on the login page when I go to an unauthorized section.
The app redirects correctly (mvc way, no .aspx in my pages), but on the login page I get an error that I am not authorized to view this page due to server config.
Then I tried a demo from Microsoft that says Framework 4.5 is supported, but it still doesn't work.
This is my general web.config section:
<authentication mode="Forms">
<forms loginUrl="/admin/Login.aspx" />
</authentication>
And this is the web.config in my folder that I want to protect from unauthorized users:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
When I set allow users = "*" the application works fine and I can visit every page. Then I thought it might have something to do with the mvc approach in my forms authentication, but this is not a problem, I also tried this fix from Rick Strol but it didn't help. ( link )
Any ideas?
EDIT When I change the location of my login.aspx to a folder outside the protected area, I redirect correctly, but I would like to keep the login.aspx page inside a protected folder as I did before. Visual Studio automatically allows access to loginUrl = "", no?
source to share
In my case, the problem was with Visual Studio 2017. My task was to convert the old .net site to a web application project. As part of this task, I created a new VS2017 Web Application Project, copied the required files from the old website code base, ran Convert to Web Application, added namespaces, etc. and it basically worked.
The application uses forms authentication and webconfig tags link to the LocalLogin.aspx page, but I get an "access denied" message in my browser and can never get to the LocalLogin.aspx page. After searching a lot, I found this:
"Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web application project. Because of this package, forms authentication will not work and even the login page will not be displayed many times." Go to this thread for more information:
ASP.NET Application Login Page Denying Access to Forms Authentication
After looking at the possible solutions in this thread, I decided to remove the friendly links link (Microsoft.AspNet.FriendlyUrls) and leave the extensions in the loginUrl and defaultUrl elements in the web.config forms tag. By the way, no NuGet package was added to the solution, just a link. I removed the link and also had to comment out the call and the routing method.
After that it still gave the msg in the browser the message "access is denied", but it turned out that I also needed to remove the rewritten 301 redirect to friendly urls from the browser that was created with the FriendlyUrls component to start with.
I googled "remove 301 redirects from browser cache" and did the following:
"To clear the permanent redirects, go to chrome: // net-internals. To the right of the top red status bar, click the down arrow ▼ to open the dropdown menu, and under Tools - group, select" Clear cache ". 48, that was the only thing that helped me clear the cached 301.
How long do browsers cache HTTP 301?
All is well now and hopefully some of my extended hair is growing!
source to share
Make sure your web.config file has the correct connection parameters to your aspnetdb and that you are using the correct membership provider.
Other troubleshooting tips:
Right click your web solution and make sure the following properties are set:
- Anonymous Authentication = Enabled
- Windows Authentication = Disabled
- Set a breakpoint in your application and make sure you are the correct database. If you have not yet registered an account, then you should be redirected to the registry web page.
In 4.5, the default layout will create an accounts folder with the Login, register and other OpenAuthProviders web pages so you can manage all of the user's security. However, you don't have to follow this model. I would read this from MSDN How to do Simple Forms Authentication
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" defaultUrl="~/" />
</authentication>
source to share