Question

I am sure this has something to do with IIS but I can't figure it out.

I have a website using forms authentication. When my website tries to access any file resources (JavaScript files, CSS, etc.), I am redirected to the forms login page set in my web.config. I also get redirected if I just type the address into the address bar.

The web.config entry for forms auth is pretty basic:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

There are also two location nodes to deny users from other parts of the site:

<location path="n2">
  <system.web>
    <authorization>
      <allow roles="Editors" />
    </authorization>
  </system.web>
</location>
<location path="web.config">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>

I am using the standard IIS7 install on Windows Server 2008 R2.

Edit: So, if I add a random auth cookie (FormsAuthentication.SetAuthCookie()), the resources become available. I know it has to be my authentication model that's messed up somehow. It works on another server (I just copied it over). Any ideas how I can track the problem down?


Solution

I had the same error. In my case the trick was setting Anonymous Authentication to use the App Pool identity instead of IUSR in IIS.

  1. Open IIS
  2. Expand Sites
  3. Select [YourWebSite]
  4. Double click Authentication (will be under the IIS "Area" or the Security "Category")
  5. Select Anonymous Authentication
  6. Click Edit in the Actions pane
  7. Click the 'Application pool identity' radio button

OTHER TIPS

I use allow * for my Content folder. That will prevent any authorization from happening for static content.

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Rick

In IIS, my Anonymous Authentication was on correctly and the user was set to IUSR. Therefore, I needed to go into Windows Explorer, navigate to my web app directory, right-click for Properties, Security tab, Edit button, and give IUSR Read, List, and Read & Execute permissions (the default set). Ensure the changes will be inherited by all children, apply, possibly wait, and you're good to go.

It's been a long time since I did any ASP.NET forms work, but the first question would be: are you sure your user is a member of the "Editors" role? You can use the Web Site Administration tool to set this up, I think? http://msdn.microsoft.com/en-us/library/ssa0wsyf.aspx

That is because you have set deny to everyone. In IIS 7, because of the integrated pipeline you will get redirected even when you try to browse CSS or any static page.

Put the static content inside a folder if you like and allow access to it.

Don't use <location> tags in web.config to handle authorization in an ASP.NET MVC application, as locations no longer make any sense. All you need in web.config is the authentication tag. In MVC, authorization can be achieved by decorating the proper controllers and/or actions with the [Authorize] attribute.

I had exactly the same and found it was because I had forgotten to allow anonymous access to the website from inside IIS! This meant that the FormsAuthentication was always kicking in, even for the static resources that were not protected.
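Added example, not from any of the posts above: a small Python model of how ASP.NET URL authorization evaluates the `<location>` rules discussed on this page (most specific location first, first matching rule wins, the inherited root-level `<allow users="*" />` last). The sample config is constructed from the snippets on this page, the function names are hypothetical, and the `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's two <location> blocks plus the Content rule from one answer.
WEB_CONFIG = """<configuration>
  <location path="n2"><system.web><authorization>
    <allow roles="Editors" />
  </authorization></system.web></location>
  <location path="web.config"><system.web><authorization>
    <deny users="*" />
  </authorization></system.web></location>
  <location path="Content"><system.web><authorization>
    <allow users="*" />
  </authorization></system.web></location>
</configuration>"""
# Same config with an explicit deny after the role rule, so non-Editors stop there.
HARDENED = WEB_CONFIG.replace('<allow roles="Editors" />',
                              '<allow roles="Editors" />\n    <deny users="*" />')
ROOT_DEFAULT = [("allow", {"users": "*"})]  # rule inherited from the root web.config

def rules_for(config_xml, url_path):
    """Merged rule list for url_path: most specific <location> first, root default last."""
    path = url_path.strip("/").lower()
    hits = []
    for loc in ET.fromstring(config_xml).iter("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            rules = [(r.tag, r.attrib) for r in loc.iterfind("system.web/authorization/*")]
            hits.append((len(prefix), rules))
    hits.sort(key=lambda h: -h[0])
    return [r for _, rules in hits for r in rules] + ROOT_DEFAULT

def matches(attrs, user, roles):
    """user=None is an anonymous request; '?' means anonymous, '*' means everyone."""
    users = [u.strip() for u in attrs.get("users", "").split(",") if u.strip()]
    wanted = [r.strip() for r in attrs.get("roles", "").split(",") if r.strip()]
    if "*" in users or (user is None and "?" in users):
        return True
    if user is not None and user.lower() in (u.lower() for u in users):
        return True
    return any(r in roles for r in wanted)

def decide(config_xml, url_path, user=None, roles=()):
    """Return 'allow' or 'deny' from the first rule that matches the caller."""
    for action, attrs in rules_for(config_xml, url_path):
        if matches(attrs, user, roles):
            return action
    return "deny"
```

In this model an anonymous request to `/n2/edit` is allowed under the constructed config, because `<allow roles="Editors" />` does not match and evaluation falls through to the inherited allow rule; the `HARDENED` variant denies it. Static paths such as `/Content/site.css` are not denied by these rules at all, which is consistent with the answers that locate the redirect in the IIS Anonymous Authentication settings.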

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow