Solved

Forms Authentication doesn't work from outside the ISA firewall

Posted on 2009-12-19
Last Modified: 2012-06-27
I created a website that sits behind an ISA firewall. It uses Forms Authentication and it works fine on all internal computers. Externally, it recognizes valid logons but doesn't log people in. If I enter an incorrect password I get the proper error message; if all is correct I keep being redirected to the login page. I am using a custom membership provider.

What makes this even more puzzling is that there is another website behind the same firewall that also uses forms authentication and it works properly.

Any help would be greatly appreciated.

Danko
Question by:jdfatovic
26 Comments

Expert Comment

by:Keith Alabaster
ID: 26091288
You normally use FBA on one element or the other, not both. For example, if you looked at Outlook Web Access, FBA is generally set on ISA Server within the publishing rule or on the IIS box hosting the OWA application, not on both.

Author Comment

by:jdfatovic
ID: 26091374
I don't believe I am using any authentication on the ISA server. I get to the same site-specific, custom login page. It almost seems that the authentication ticket cannot be saved, as when I enter the correct password it tries to go to some other page but gets redirected back to the login page.

Expert Comment

by:Keith Alabaster
ID: 26091443
Whether you believe it or not is immaterial. If you are stating that you definitely have not implemented any of the authentication aspects on the ISA publishing rule then that is a different matter.

Whilst we are at it, telling us the version of ISA server deployed, the version of ISA Service Pack applied etc would also be rather useful.

Expert Comment

by:Keith Alabaster
ID: 26091458
In addition, how have you published the sites?
Both on http using headers?
Both on https?
one on each?
Did you use a wizard to publish the sites?
Are both listening on the same ISA external IP address or do they have an IP address each?

Author Comment

by:jdfatovic
ID: 26091522
Yes, they are both listening on the same listener/external IP address. They both use the same Firewall Policy rule, which is just a generic rule that forwards all of www.xyz.com to that web server. So www.xyz.com/a works, www.xyz.com/b doesn't. The path is just a wildcard, so that is not it. They are on the same web server under the same main site. The old one works, the new one doesn't.

I am thinking that this has to be a problem with the web server. I compared both IIS configurations and nothing obvious is different.

I am running ISA 2006, I am not sure on the service pack.

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 600 total points
ID: 26091535
If you have simply implemented a port-forwarding, non-web server publishing rule on ISA then yes, there will be no authentication (actually there is nothing at all, as ISA will simply pass on the traffic to the IP address nominated, so you have lost all of the protection ISA might provide. It is now almost as dumb as a Cisco box or similar).

I would agree, it sounds like the web server.

If you open the ISA GUI, select Monitoring - Logging - Start Query and try a connection from outside to both web sites, what do you see in the log? Are both sets of entries the same or different?

Expert Comment

by:Ted Bouskill
ID: 26092258
If one FBA site works and the other does not using the same ISA server, let's compare the configuration of the FBA on both sites.  Can you provide more information?

Author Comment

by:jdfatovic
ID: 26092314
That is what I have been looking at. The one that doesn't work used to be on Windows Authentication. It is a very elaborate ASP site with custom membership and role providers.

I am about to create a new site from scratch and see if I can get it to work with both providers. One thing that I noticed that is a little strange is that "remember me" doesn't work on the new site. It seems that there is something wrong with the cookies; I am wondering if saving cookies is related to this issue of not being able to persist the session login.


Author Comment

by:jdfatovic
ID: 26092342
As far as monitoring on ISA server, for both websites I see the same thing:

WebProxy, source network is external, and userid is anonymous.

Expert Comment

by:Ted Bouskill
ID: 26092392
I'm a little confused.  Does the site that is failing use Windows Authentication?  Your comment seems to infer it used to be on Windows Authentication but isn't any more.  Did it fail when you switched authentication models?

Cookies shouldn't be a problem.  They are simply data based in the HTTP stream and unless your ISA server has rules to filter cookies it shouldn't matter.  However, you might have some cookie rules I'm unaware of.

Windows Authentication can be a problem via a proxy server.  If set incorrectly ISA will strip out the NTLM credentials from the stream and block authentication.

Author Comment

by:jdfatovic
ID: 26092415
Here are the ISA filter results - as you can see one connection attempt is denied and one is allowed. I hope this helps us.

Entry 1 (Failed Connection Attempt). Empty and "-" fields are omitted:

Original Client IP: 0.0.0.0
Client Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Authenticated Client: Yes
Service: Reverse Proxy
Server Name: FIRE200
Referring Server: http://www.xyz.com/erecruitXYZ/Login.aspx?ReturnUrl=%2ferecruitXYZ%2fmain.aspx
Destination Host Name: www.xyz.com
Transport: TCP
Object Source: Internet
Filter Information: Req ID: 0dd4da38; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
GMT Log Time: 12/20/2009 9:24:36 PM
Source Port: 0
Processing Time: 3578
Bytes Sent: 19004
Bytes Received: 7692
HTTP Status Code: 64
Cache Information: 0x42020000
Error Information: 0xf03
Log Record Type: Web Proxy Filter
Log Time: 12/20/2009 4:24:36 PM
Destination IP: 172.16.1.6
Destination Port: 80
Protocol: http
Action: Failed Connection Attempt
Rule: www.xyz.com
Client IP: 207.180.136.81
Client Username: anonymous
Source Network: External
HTTP Method: POST
URL: http://www.xyz.com/erecruitxyz/Login.aspx?ReturnUrl=%2ferecruitxyz%2fmain.aspx

Entry 2 (Allowed Connection). Empty and "-" fields are omitted:

Original Client IP: 0.0.0.0
Client Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Authenticated Client: Yes
Service: Reverse Proxy
Server Name: FIRE200
Referring Server: http://www.xyz.com/loginextra/
Destination Host Name: www.xyz.com
Transport: TCP
Object Source: Internet
Filter Information: Req ID: 0dd4db24; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
GMT Log Time: 12/20/2009 9:30:52 PM
Source Port: 0
Processing Time: 78
Bytes Sent: 6391
Bytes Received: 886
HTTP Status Code: 302
Cache Information: 0x42020000
Error Information: 0xf00
Log Record Type: Web Proxy Filter
Log Time: 12/20/2009 4:30:52 PM
Destination IP: 172.16.1.6
Destination Port: 80
Protocol: http
Action: Allowed Connection
Rule: www.xyz.com
Client IP: 207.180.136.81
Client Username: anonymous
Source Network: External
HTTP Method: POST
URL: http://www.xyz.com/loginextra/login.aspx

Expert Comment

by:Ted Bouskill
ID: 26092439
That doesn't help me at all.  Can you clarify the questions I asked?

Author Comment

by:jdfatovic
ID: 26092472
Both sites are set up to use forms authentication. The site that currently is not working used to be on Windows Authentication, but as we are opening it up to other non-domain people we switched it to FBA. FBA works fine for everyone on the inside of the firewall, but not on the outside. In order to access the site from the outside people need to use VPN, which defeats the purpose of FBA.

Sorry, didn't see your latest question before sending the logs.  

Expert Comment

by:Ted Bouskill
ID: 26092600
I took a close look at the logs and nothing in ISA seems suspicious.  This definitely appears to be a server problem.

Do you have any more details regarding the FBA configuration on each server?

Expert Comment

by:Keith Alabaster
ID: 26092602
The second entry looks like it is getting a 302 redirect request

Assisted Solution

by:Ted Bouskill
Ted Bouskill earned 1400 total points
ID: 26092622
The 302 might be because the second authentication was successful.  The way ASP.NET FBA works is that when a user requests access to a page, the server checks to see if they are signed in.  If not they are redirected to the sign in page.  After the sign in succeeds, they are redirected back to the original page they requested.

If you look at the first URL that fails, the return URL is appended to the HTTP referrer column.

jdfatovic: I just thought of something.  Is the Login/Signin page set to anonymous?  It has to be.  The goal of the login/signin page is to allow an anonymous user to be authenticated.  If you have the login/signin page set to Windows Authentication, then internal users would be able to access the sign in page to be authenticated with FBA, however, the external users would fail.

Author Comment

by:jdfatovic
ID: 26092669
Good thought tedbilly, I am not really sure how to change authentication by page, I have it set for the entire site to use FBA.

However, getting to the page is not a problem. Also, if I put in the wrong password it gives me my custom error message. When I enter the correct login info, it tries to go to the home page of the website and then comes back to the login page again, as if I never logged in.

Expert Comment

by:Ted Bouskill
ID: 26092895
For your last test to access the page were you signed into the domain behind the firewall?  If yes, it wasn't a valid test of my theory.

The location section in the web.config file is where you control access to the sign in page to ensure it doesn't require authentication.  Also in IIS you can use the 'Properties' and set anonymous access for that specific page if Anonymous isn't set for the entire site.  Which brings up another point.  What are the security settings for both web sites?  The one that works and the one that doesn't.


Author Comment

by:jdfatovic
ID: 26093107
My last test was performed through the firewall. I just tried the following:
1. Created a new site
2. Copied the site that works to the newly created site - was able to login
3. Copied the "broken site" files over the newly created site. I explicitly allowed access to the login.aspx page in the web.config file, and it doesn't work again. It lets you enter the userid and password, gives you the error message if you use the wrong password, but doesn't let you log in. If you enter the right password it keeps getting redirected to the login.aspx page with no error message.

This clearly shows that it's not the ISA server but something in the web application in my mind. I just don't know what.
 

Expert Comment

by:Ted Bouskill
ID: 26093194
Sorry I disagree.  I think this is a web application problem.  We need to drill into the differences between the two configurations for FBA and the web applications.  If you truly feel it's an ISA problem then try port forwarding the broken site outside the firewall without using ISA and see if it fails or succeeds.  I suspect it will fail.

I'm convinced that something in the web application required domain access to work and that's why it only works internally, not externally.

Can you closely inspect the FBA settings for both web.config files?

Author Comment

by:jdfatovic
ID: 26093228
I agree with you, I am saying it is NOT ISA. I inspected the web.config file, I don't think that is it either. I am suspecting that it has to do with something related to the logging process which in case of the one that works is a custom process, whereas in the case of the one that doesn't work I am using standard .net login stuff. I will have someone else take a look in the morning - this is very frustrating. Thanks for your help so far.

Expert Comment

by:Ted Bouskill
ID: 26093242
Sorry I misread.

With the one that is failing, is it using LDAP to authenticate?

Author Comment

by:jdfatovic
ID: 26093295
No, it's using a custom membership provider:

    <membership defaultProvider="HRMembershipProvider">
      <providers>
        <clear/>
        <add name="HRMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="HRConnectionString" applicationName="HRN" passwordFormat="Encrypted" enablePasswordRetrieval="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"/>
      </providers>
    </membership>
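The provider registered above is the stock System.Web.Security.SqlMembershipProvider under a custom name, and several of its attributes are weak: passwords are stored reversibly (passwordFormat="Encrypted") and can be read back (enablePasswordRetrieval="true"), and a one-character password with no non-alphanumeric characters is accepted. The fragment below is an added example, not the poster's web.config, showing the same registration with hardened values. HRMembershipProvider, HRConnectionString and HRN are kept from the post; the connection string value, the lockout settings and the password length are assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed placeholder: the thread never shows HRConnectionString's value.
         Integrated Security binds the SQL lookup to the application pool identity,
         so it behaves the same for internal and external browsers. -->
    <add name="HRConnectionString"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- hashAlgorithmType applies when passwordFormat="Hashed"; SHA1 (salted) is the framework default. -->
    <membership defaultProvider="HRMembershipProvider" hashAlgorithmType="SHA1">
      <providers>
        <clear />
        <!-- Same stock SqlMembershipProvider as the post, with these attributes changed:
               passwordFormat                        Encrypted to Hashed (stored passwords cannot be decrypted)
               enablePasswordRetrieval               true to false (required with Hashed: the provider
                                                     throws at startup if retrieval is enabled for hashed passwords)
               minRequiredPasswordLength             1 to 12
               minRequiredNonalphanumericCharacters  0 to 1
             and these added (values are assumptions, not from the thread):
               enablePasswordReset, requiresUniqueEmail, maxInvalidPasswordAttempts,
               passwordAttemptWindow (minutes before the failed-attempt counter resets). -->
        <add name="HRMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="HRConnectionString"
             applicationName="HRN"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Changing passwordFormat does not rewrite existing rows: the provider stores the format per account and reads it back when validating, so accounts created under "Encrypted" keep working and are only rehashed when their password is next changed or reset. The lockout pair (maxInvalidPasswordAttempts within passwordAttemptWindow) is what stops online guessing against a login page that is now reachable from the Internet.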

Expert Comment

by:Ted Bouskill
ID: 26094183
Hmm.  Is the connection string using a SQL account or integrated security?  How is it different than the working site?

Accepted Solution

by:jdfatovic
jdfatovic earned 0 total points
ID: 26120453
I figured it out. Under the definition for Forms security in the web.config file, I was missing a dot in front of the cookie name.
<forms name=".XYZcookie" ...
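The forms element with its cookie attributes spelled out, together with the location override Ted Bouskill described for keeping the sign-in page anonymous, as an added example that is not the poster's web.config. The cookie name .XYZcookie comes from the accepted solution and the page names Login.aspx and main.aspx from the logged URLs; the timeout, the machineKey placeholders and the remaining attribute values are assumptions. Giving each forms-authenticated application on the shared host its own cookie name keeps one application's ticket from being written over, or rejected by, the other.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name: one distinct cookie name per forms-authenticated application on the host.
           path is left at "/" on purpose: browsers match the cookie path case-sensitively,
           and the ISA log entry above records this application as both /erecruitXYZ and
           /erecruitxyz, so a narrower path would drop the cookie for one of those spellings
           and send the user straight back to the login page.
           protection="All" signs and encrypts the ticket with the machineKey below. -->
      <forms name=".XYZcookie"
             loginUrl="~/Login.aspx"
             defaultUrl="~/main.aspx"
             path="/"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false"
             requireSSL="false" />
    </authentication>

    <!-- Unauthenticated users (?) are redirected to loginUrl with ReturnUrl set;
         after a successful login RedirectFromLoginPage sends them back to ReturnUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Explicit keys (placeholders, not real key material) so the ticket validates
         no matter which worker process or server handles the next request. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES" />
  </system.web>

  <!-- The sign-in page itself must stay reachable anonymously; this is the location
       override Ted Bouskill referred to. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

requireSSL is left off here only because the publishing rule in the thread forwards plain HTTP on port 80. Once the site is published over HTTPS, set requireSSL="true" so the browser never sends the ticket in the clear, but note that if ISA terminates TLS and forwards HTTP to IIS (SSL bridging), IIS sees a plain HTTP request and FormsAuthentication will refuse to issue a secure cookie; either publish end to end over HTTPS or keep requireSSL off.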

Expert Comment

by:Keith Alabaster
ID: 26121665
neat - good work :)
