Tags: authentication, iis, basic-authentication, iis-8, httpmodule

IIS Web Application Allowing Anonymous Access Although this is Disabled


Windows Server 2012 R2, IIS 8

I did some more diagnostics. What is it about this line in the web.config file which overrides the Authentication configuration specified in IIS?

<configuration>
  <system.webServer>
    <modules>
      <add name="Webhook" type="MyApp.Webhook" preCondition="" />
    </modules>
  </system.webServer>
</configuration>

I copied my Webhook folder to a Webgate folder and mapped the Webgate site to the Webgate folder. Through trial and error I can see that as long as that module is defined in the web.config file, the site can be accessed anonymously. As soon as I remove that line, I see the 401 Unauthorized on an anonymous request. Strange, why should the specification of my module which handles requests override the IIS specification which stipulates that requests must be authenticated before they can be executed?

Here is the original question with the background on what I've been trying to do and the problem I've been having:

I have a web application - Webgate - set up to Disallow Anonymous access. Here's what this looks like:

[Screenshot: IIS Authentication Configuration]

The problem is, when I use Postman to interact with this application without any Authentication, the transaction succeeds. Here's what this looks like:

[Screenshot: Postman Anonymous POST]

How can this be?

One more screenshot to confirm that this is the application which answers to that URL:

[Screenshot: Site Binding]

Here is the one complexity, although I fail to see how this could have anything to do with the issue. Both Webgate and Webhook (see screenshot above) are two sites within IIS which are mapped to the same web application in the filesystem. Webgate is configured to insist on Authentication, Webhook is configured to allow Anonymous access. Again, I fail to see how Webhook's allowance of Anonymous access could have any impact on a transaction which comes in on the Webgate binding. Some background for context: Application capabilities when coming in via Webgate will be a superset of what is accessible via Webhook. Security can't be short-circuited by coming in on the wrong interface because transactions are checked at the application level to confirm whether the current transaction is identified or anonymous. The whole purpose of the two sites is so that accesses via the open interface - Webhook - are never challenged for identity, whereas transactions coming in on the protected interface - Webgate - are always challenged for Authentication.

I've done this before, although not recently, and I've never run into this problem. There is that little complexity, but bottom line, if a site is set up to disallow Anonymous access and insist on Basic Authentication, how are transactions getting through without being challenged? That is something I have never seen before. Thank you for your advice.


Solution

The Issue Revisited

To summarize what we learned so far,

Everything works fine there, but you found that,

The Cause

Your module works in classic mode no matter what authentication method is used, because the whole ASP.NET pipeline runs behind the IIS authentication module.

However, integrated mode works differently from classic mode: your module no longer executes behind authentication but ahead of it.

You confirmed that by collecting FRT.

The Solution

Like we discussed, the solution is to simply change your module so that it hooks into OnPostAuthenticateRequest instead.

References
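The fix described in the answer, as an added example that is not the asker's module or the answer's own code: an IHttpModule registered as `MyApp.Webhook` (matching the web.config line in the question) that defers its work to PostAuthenticateRequest instead of BeginRequest, so in the integrated pipeline the IIS authentication stage runs first. The capability-set branch is an assumption standing in for whatever application-level check the asker's code performs.

```csharp
using System;
using System.Web;

namespace MyApp
{
    // Added example (not the asker's code). Registered via:
    //   <add name="Webhook" type="MyApp.Webhook" />
    public class Webhook : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Problem pattern: in integrated mode BeginRequest fires before
            // AuthenticateRequest, so a module that handles and completes the
            // request here runs ahead of the site's authentication settings.
            // app.BeginRequest += OnRequest;

            // Fix from the answer: run after IIS authentication has completed.
            // On a site that disallows anonymous access, IIS has already
            // rejected unauthenticated callers (401) before this event fires.
            app.PostAuthenticateRequest += OnRequest;
        }

        private void OnRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            var ctx = app.Context;

            // ctx.User may be null when no authentication module set a
            // principal, so check defensively before reading it.
            var identity = ctx.User != null ? ctx.User.Identity : null;
            bool authenticated = identity != null && identity.IsAuthenticated;

            // Assumed application-level check: the same code base is mapped to
            // both the open (Webhook) and protected (Webgate) sites, so the
            // capability set is chosen from the identity IIS established.
            string capabilities = authenticated
                ? "full (authenticated as " + identity.Name + ")"
                : "restricted (anonymous)";

            ctx.Response.ContentType = "text/plain";
            ctx.Response.Write("capabilities: " + capabilities);
            app.CompleteRequest();
        }

        public void Dispose() { }
    }
}
```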