Iron Speed Technical Forums
dingjing

MVP Developer
Registered:
Posts: 256
#1
This is applicable to any ASP.NET web applications, not just ISD applications.

http://jingding.blogspot.com/2011/05/securing-elmah-with-independent-http.html

Keywords: error log, elmah, security, http authentication
alant

Registered:
Posts: 51
#2
I'm using Database user authentication.

I replaced the "Authenticate and authorize the user" block of code
Quote:
        // Authenticate and authorize the user
        using (var ad = new PrincipalContext(ContextType.Domain,
            AuthServer, username, password))
        {
          if (ad.ValidateCredentials(username, password))
          {
            var user = UserPrincipal.FindByIdentity(ad, username);
            if (user.IsMemberOf(ad, IdentityType.Name, ElmahRole))
              return;
          }
        }

with my own custom function which validates the username/password against my database and then checks for a database role.
Quote:
        var result = VerifyPassword(username, password, role);
        if (result == true)
          return;


The function is correctly validating my user/role but it still returns
Quote:
401.2.: Unauthorized: Logon failed due to server configuration


Do I need any entries in the <location> element of web.config?


__________________
Alan Telford
dingjing

MVP Developer
Registered:
Posts: 256
#3
Does ELMAH work properly before you add authentication?
alant

Registered:
Posts: 51
#4
Yes. As long as I add the
Quote:
<security allowRemoteAccess="true" />
into the web.config then it works fine both local and remote.
Without that line, it only works locally.
If I debug from VS2010 then it opens in debugger, and I can debug through the authModule.

But when not running through the debugger, it doesn't seem to use the code??

Local machine name is http://alan2013.maxtel.local/testelmah
VS2010 debugger runs as http://localhost:45678/

When running through the debugger my browser will prompt to enter user/password, but never asks when running http://alan2013.maxtel.local/

__________________
Alan Telford
alant

Registered:
Posts: 51
#5
OK. Good thing I tried on a small sample app.
I found that I had included the section
Quote:
  <system.web>
    <httpModules>
      <add name="ErrorAuth" type="SecurElmah.AuthModule, SecurElmah" />
    </httpModules>
  </system.web>

but not the section
Quote:
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="ErrorAuth" type="SecurElmah.AuthModule, SecurElmah" preCondition="managedHandler" />
    </modules>
  </system.webServer>


I'm not clear on exactly the differences, but I noticed that ELMAH was configured with entries in both these areas, and I only had the SECURELMAH module added into one of them.
Once I added it to the other section it started working fine.

Thanks for your help, and for the article!!!!!

Next task is to secure it by ensuring HTTPS and possibly using DigestAuthentication (or FormsAuthentication) for the elmah requests.

__________________
Alan Telford
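
Added example, not part of the original posts or the linked article: a small Python check that reads a web.config and reports any module registered in only one of the two sections discussed above (`system.web/httpModules` and `system.webServer/modules`), the state that left the auth module unused in this thread. The sample config is constructed from the snippets quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the auth module is registered under system.web only,
# the state described in the thread before the second section was added.
SAMPLE_BROKEN = """<configuration>
  <system.web>
    <httpModules>
      <add name="ErrorAuth" type="SecurElmah.AuthModule, SecurElmah" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>"""

def _registered(root, path):
    """Return {name: type} for <add> entries under path, honouring <remove>/<clear>."""
    found = {}
    section = root.find(path)
    if section is None:
        return found
    for el in section:
        if el.tag == "clear":
            found.clear()
        elif el.tag == "remove":
            found.pop(el.get("name"), None)
        elif el.tag == "add":
            found[el.get("name")] = (el.get("type") or "").replace(" ", "")
    return found

def pipeline_gaps(web_config_xml):
    """List modules that are present in only one of the two module sections."""
    root = ET.fromstring(web_config_xml)
    classic = _registered(root, "system.web/httpModules")
    integrated = _registered(root, "system.webServer/modules")
    gaps = []
    for name in sorted(set(classic) | set(integrated)):
        if name not in integrated:
            gaps.append((name, "missing from system.webServer/modules"))
        elif name not in classic:
            gaps.append((name, "missing from system.web/httpModules"))
        elif classic[name] != integrated[name]:
            gaps.append((name, "type differs between sections"))
    return gaps

if __name__ == "__main__":
    for name, problem in pipeline_gaps(SAMPLE_BROKEN):
        print(f"{name}: {problem}")
```

The output is a review list, not a verdict: an application that only ever runs under one pipeline mode may intentionally register modules in a single section.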
dingjing

MVP Developer
Registered:
Posts: 256
#6
The issue was caused by a .NET Framework version difference. The article was written several years ago using .NET 3.5.