EPiWiki.se  - EPiServer notes shared with others
 

Windows integrated security

A sample of how to troubleshoot an EPiServer installation running Windows integrated security (also known as Windows NT Challenge/Response authentication).

Protocol

The NTLM handshake between the client (C) and the server (S). The three tokens are base64-encoded NTLMSSP messages: Type 1 (negotiate), Type 2 (challenge) and Type 3 (authenticate).

    C -> S GET ...
    
    S -> C 401 Unauthorized
             WWW-Authenticate: NTLM
    
    C -> S GET ...
             Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
    
    S -> C 401 Unauthorized
             WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
    
    C -> S GET ...
             Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
    
    S -> C 200 Ok
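To see what the three tokens in the handshake above actually carry, here is an added parser (not part of the original page) that decodes NTLMSSP Type 1, 2 and 3 messages according to the standard NTLM message layout; the tokens are copied verbatim from the exchange above, and the parser also handles the minimal 16-byte Type 1 message that carries no domain or workstation name.

```python
import base64
import struct

# The three tokens from the handshake shown above, copied verbatim (Type 1, 2 and 3).
TYPE1 = "TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
TYPE2 = "TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA=="
TYPE3 = ("TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAA"
         "AACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkA"
         "rYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT")

NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP flag bit: Type 3 strings are UTF-16LE


def _buffer(buf, off):
    """Resolve an NTLM 'security buffer' (len, maxlen, offset) stored at buf[off:off+8]."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("security buffer points outside the message")
    return buf[offset:offset + length]


def parse_ntlm(token):
    """Decode one base64 NTLM token (as sent in Authorization/WWW-Authenticate) into a dict."""
    buf = base64.b64decode(token)
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:
        flags = struct.unpack_from("<I", buf, 12)[0]
        # Domain and workstation are optional OEM strings; a minimal Type 1 is only 16 bytes.
        has_names = len(buf) >= 32
        return {"type": 1, "flags": flags,
                "domain": _buffer(buf, 16).decode("ascii") if has_names else "",
                "workstation": _buffer(buf, 24).decode("ascii") if has_names else ""}
    if msg_type == 2:
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _buffer(buf, 12),      # empty in the sample above
                "challenge": buf[24:32]}          # the 8-byte server nonce
    if msg_type == 3:
        flags = struct.unpack_from("<I", buf, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return {"type": 3, "flags": flags,
                "lm_response": _buffer(buf, 12).hex(),
                "ntlm_response": _buffer(buf, 20).hex(),
                "domain": _buffer(buf, 28).decode(enc),
                "user": _buffer(buf, 36).decode(enc),
                "workstation": _buffer(buf, 44).decode(enc)}
    raise ValueError(f"unexpected NTLM message type {msg_type}")
```

Decoding the sample tokens shows the client announcing domain URSA-MINOR and workstation LIGHTCITY, the server's challenge "SrvNonce", and the Type 3 carrying the user name together with the 24-byte LM and NTLM responses.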

A known bug in EPiServer VPPs (up to CMS version 6) makes the VPP respond with an "Unauthenticated exception" instead of the 401 it should return. To fix this you can force IIS to not accept anonymous users.

Force login to the whole site (web.config, inside <system.web>)

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

Force login to a virtual page provider (web.config, where path is the virtual path the provider is mounted at)

<location path="pages">
  <system.web>
    <authorization>
      <allow roles="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>

If this cannot be done, here is a minimal hack to transform the "Unauthenticated exception" into an HTTP status 401.
Put it in global.asax.cs (only for Windows integrated security):

using System;
using System.Web;
using EPiServer.Security;   // AccessDeniedException, PrincipalInfo

// Goes in the Global class of global.asax.cs. Only use this when the site runs
// Windows integrated security: it turns the VPP's "Unauthenticated exception"
// into a 401 with a WWW-Authenticate: NTLM header so the browser restarts the handshake.
void Application_Error(object sender, EventArgs e)
{
   if (Context == null
       || Context.Error == null
       || Context.Error.InnerException == null)
   {
      return;
   }

   // ASP.NET wraps the original exception in an HttpUnhandledException, hence InnerException.
   if (Context.Error.InnerException is AccessDeniedException
       || Context.Error.InnerException is UnauthorizedAccessException)
   {
      log4net.ILog _log = log4net.LogManager.GetLogger(typeof(Global));

      if (_log.IsInfoEnabled)
      {
         _log.InfoFormat(
            "The user {0} has no access to {1}, sending HTTP status 401 instead of exception",
            PrincipalInfo.CurrentPrincipal.Identity.Name,
            Request.RawUrl);
      }

      Response.Buffer = true;
      Response.StatusCode = 401;
      Response.StatusDescription = "Unauthorized";

      // Re-issue the NTLM challenge instead of the error page
      Response.AddHeader("WWW-Authenticate", "NTLM");
      Response.End();
   }
}
Version author: Mattias Lövström

EPiServer version: All