views:

2226

answers:

5

Hi Guys

I am in the process of moving some sites over to a new Windows 2003 installation running IIS6. However, I am running into problems with forms authentication. The sites in question run fine on the old box, which is the same OS and IIS version.

When I try to log in to the website I get an event log "URL authorization failed for the request" and the page redirects back to:-

http://www.demo.socialclause.net/logout.aspx?ReturnUrl=/Secure/Procurement/Default.aspx

Both the old and new servers contain the same set-up and the same permissions. Obviously I am missing a setting somewhere but can't fathom it out. Can anyone help?

My web.config contains this:-

<authentication mode="Forms">
  <forms slidingExpiration="true" name=".ASPXAUTH" protection="All" loginUrl="~/logout.aspx" timeout="60" ></forms>
</authentication>

and inside the /secure dir (this is not a virtual directory) my web.config contains:-

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

The event log shows:

Event Type: Information
Event Source:   ASP.NET 2.0.50727.0
Event Category: Web Event 
Event ID:   1314
Date:    26/05/2009
Time:    21:01:05
User:    N/A
Computer:   WILDEAA1
Description:
Event code: 4007 
Event message: URL authorization failed for the request. 
Event time: 26/05/2009 21:01:05 
Event time (UTC): 26/05/2009 20:01:05 
Event ID: af3bac34e6d74630b937a5a05d0f25f2 
Event sequence: 4 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/2067908276/Root-1-128878416581538912 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\Inetpub\websites\www.demo.socialclause.net\htdocs\ 
    Machine name: WILDEAA1 

Process information: 
    Process ID: 1076 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Request information: 
    Request URL: http://demo.socialclause.net/Secure/Procurement/Default.aspx 
    Request path: /Secure/Procurement/Default.aspx 
    User host address: 91.84.25.241 
    User: [email protected] 
    Is authenticated: True 
    Authentication Type: Forms 
    Thread account name: NT AUTHORITY\NETWORK SERVICE
A: 

Just guessing here, because I wouldn't use IIS if you paid me, but perhaps you're missing some certificates or password files that need to be installed on the server? Maybe you need to tell IIS about the Roles/Users you're trying to match.

EDIT: Going by the additional information you have revealed I'd rule out certificates and concentrate on how roles are defined. You say they are defined in the database but the fact they became invalid when you switched server suggests three possibilities:

  1. Your roles are defined as Windows System Accounts or IIS users.
  2. Your roles are defined as database users but you only copied the data tables, not the users (by that I mean database users, not a "users" table in the database).
  3. Your roles are defined but permissions to read them have changed.

I suspect it's 1.) IIS users.

SpliFF
The roles are defined in a database and get pulled out when the user logs in. The site works on the old box. I think it has something to do with permissions or even a global policy, but I can't seem to find out the answer.
Rippo
Nonetheless, the language implies a 'URL authorisation' problem. I suspect your SSL or server certificates may not be set up correctly.
SpliFF
I am sorry, but I am not using SSL; I can't see how this would be a problem anyway. How did you deduce that SSL is the problem?
Rippo
Because SSL client-side certificates are a way to limit access to secure areas.
SpliFF
Answer updated with new possibilities.
SpliFF
+1  A: 

Try deny users ? (anonymous) instead of * (all)

<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" loginUrl="~/Common/Login.aspx" timeout="450" />
</authentication>
<authorization>
  <deny users="?" />
  <allow roles="Admin" />
</authorization>
CRice
How strange, it looks like I am now getting into the "secure area", but it appears that the site is now not identifying the IsInRole method, as each role returns false: User.IsInRole("SystemAdmin"). I still don't understand why this site works on the old box. I have just copied the files over and set up the new box in exactly the same way. Any more ideas?
Rippo
Sounds like your user has no roles assigned, that's why you can still log in (you aren't anonymous). Have a look at the role provider, and are you using the membership aspnetdb?
CRice
Boon, this is not the problem. The site and database have been cloned and I am logging in as the same user. The site works on my dev box, on the old Windows 2003 server but not on the new 2003 server. It must be something else causing the problem. It must be something I am missing.... Any more ideas? I am not using the membership aspnetdb.
Rippo
Any more ideas guys?
Rippo
Actually, won't this allow access to any authenticated user?
Derek Hunziker
A: 

I have only used the SQL role provider so far... I think the answer lies in the role provider you are using. Your users don't seem to be getting assigned roles. Can you supply your web.config section on this? For example, this is mine:

<roleManager enabled="true" defaultProvider="IDTSqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
  <providers>
    <clear/>
    <add
      name="IDTSqlRoleProvider"
      type="System.Web.Security.SqlRoleProvider"
      connectionStringName="SqlMembershipConnectionString"
      applicationName="ConsumerSynergy"/>
  </providers>
</roleManager>
CRice
A: 

Try this? Basically, you were stating allow x, y, z and then deny all.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
    </authorization>
  </system.web>
</configuration>

If that doesn't work, try this.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="ClauseAdmin"/>
      <allow roles="ProcurementAdmin"/>
      <allow roles="ReportAdmin"/>
      <allow roles="SystemAdmin"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Sean
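How the four `<authorization>` sections posted in this thread evaluate under ASP.NET's first-match-wins URL authorization, as an added example that is not code from any poster. Assumptions: the principals and the `user@example.test` name are constructed, role names are compared exactly, and no parent web.config adds rules, so a request that matches nothing reaches the inherited `<allow users="*"/>` default.

```python
import xml.etree.ElementTree as ET

ROLES = ["ClauseAdmin", "ProcurementAdmin", "ReportAdmin", "SystemAdmin"]
ALLOWS = "".join(f'<allow roles="{r}"/>' for r in ROLES)

# The four <authorization> sections from the thread, rule order preserved.
CONFIGS = {
    "question": f'<authorization>{ALLOWS}<deny users="*"/></authorization>',
    "crice": '<authorization><deny users="?"/><allow roles="Admin"/></authorization>',
    "sean_1": f'<authorization><deny users="*"/>{ALLOWS}</authorization>',
    "sean_2": f'<authorization>{ALLOWS}<deny users="?"/></authorization>',
}

# Constructed principals: (user name, or None when anonymous; roles attached).
PRINCIPALS = {
    "anonymous": (None, set()),
    "authenticated_no_roles": ("user@example.test", set()),
    "system_admin": ("user@example.test", {"SystemAdmin"}),
}

def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def rule_matches(rule, user, roles):
    """True when the rule's users= or roles= attribute covers the principal."""
    for u in _csv(rule.get("users")):
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u.lower() == user.lower():
            return True
    return any(r in roles for r in _csv(rule.get("roles")))

def evaluate(section_xml, user, roles):
    """Walk the rules top to bottom; the first rule that matches decides."""
    for rule in ET.fromstring(section_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag, dict(rule.attrib)
    # Assumption: nothing else is inherited except the machine-level default.
    return "allow", {"users": "*", "source": "inherited default"}

def matrix():
    """Decision for every (config, principal) pair."""
    return {(c, p): evaluate(x, *PRINCIPALS[p])[0]
            for c, x in CONFIGS.items() for p in PRINCIPALS}

if __name__ == "__main__":
    for (cfg, who), decision in matrix().items():
        print(f"{cfg:9} {who:23} {decision}")
```

An authenticated principal with no roles attached is denied only by the question's original section; the `deny users="?"` variants let it through to the inherited allow, which removes role-based protection from the directory rather than fixing the role lookup.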
A: 

I had the same error message cropping up and it turned out that my role names in the authorization section of my web.config were spelled incorrectly.

Derek Hunziker