
I've been tasked with moving a .NET 3.5 application from some of our old servers to their new home on an IIS 8.5 level server and, unsurprisingly, some of them simply won't run.

To mitigate this, I've imported all of the files into a new project and run through all of the errors, warnings and messages, ironing out the problems.

The application now starts; however, the login process (typical .NET login process, using FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)) simply doesn't work; it will not authenticate the user.

The web.config file has the following entry in the authorization section:

<anonymousIdentification enabled="false" />
...
<httpModules>
    <add name="ScriptModule" 
        type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, 
        PublicKeyToken=31BF3856AD364E35"/>
    <add name="FormsAuthentication" 
        type="System.Web.Security.FormsAuthenticationModule" />
</httpModules>
...
<authentication mode="Forms">
    <forms loginUrl="Default.aspx" 
        defaultUrl="default.aspx" 
        slidingExpiration="true" 
        timeout="20" 
        name="FORMSAUTHCOOKIE" 
        protection="All" />
</authentication>
...
<authorization>
    <allow users="*"/>
    <deny users="?"/>
</authorization>

I've modified the code behind with some dummy variables for me to monitor with watches etc...

 1    If row.ItemArray.Length <> 0 And Not row("Suspended") Then
 2        Session("isadmin") = row("Administrator")
 3        Session("email") = row("Email")
 4        Session("welcome") = row("Forename") & " " & row("Surname") & "  (" & row("Department") & "), logged in"
 5        uAdapter.UpdateLastLogin(row("UserName"), row("Password"))
 6        FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)
 7        Dim y As Boolean = Request.IsAuthenticated
 8        Dim x As HttpCookieCollection = Request.Cookies
 9        Dim z As HttpCookie = Request.Cookies.Item("FORMSAUTHCOOKIE")
10        Dim a As Int32 = -1
11    Else
12        Msg.Text = "Invalid login details. Please try again."
13    End If

Lines 7 through 10 are for testing and reading other values that are not present in the code. Despite the FormsAuthentication.RedirectFromLoginPage(UserName.Text, True) executing without error, it does not redirect to any other page than the current, even if there's a referral from elsewhere. Also, line 7, on execution, has a False result.

There are no error messages. The data is being returned from the connection. There is a difference in formatting between the two versions of the system, but I put this down to the rendering on IIS.

Can anyone spot anything obvious as to why this wouldn't work? Have I missed something somewhere?

Further Details

Further to David's answer, below, I have tested with a direct ReturnUrl and stepped through the code... Debug screenshot

Paul
  • Have you tried to capture a first-chance exception dump? The redirection should work if the IIS configuration is set properly. – Jokies Ding Mar 05 '20 at 09:21
  • Thanks for getting back to me, @JokiesDing, I'm running this in IIS Express while debugging, so any errors should pop-up in VS. – Paul Mar 05 '20 at 14:20
  • @Paul Something else to consider is if the encrypted authentication ticket in the authentication cookie has been set. E.g. has a FormsAuthenticationTicket object been created and set in Response.Cookies? – David Mar 05 '20 at 18:57
  • @David - Once again, the code hasn't actually changed. I suspect something with IIS. I've changed it between Classic and Pipeline modes, and tried a range of other options. What I may do is just ditch the whole security thing and base it on Windows Auth; it is on an intranet, after all. Thanks for your input, btw. – Paul Mar 05 '20 at 20:33
  • Sorry I didn't provide much help. This is difficult because you're migrating from two specific environments and so you have to hope that someone else did the same thing and ran into the same issue. – David Mar 06 '20 at 17:31
  • @David - Sorry for the delay in getting back to you. You're on the nail there - the migration process between Microsoft technologies is a minefield - you should see the 'fun' I've had migrating SharePoint 2007... I appreciate your input, whatever it happens to be, as it rules things out. – Paul Mar 09 '20 at 09:14
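
ASP.NET URL authorization walks the rules in an `<authorization>` block from top to bottom and stops at the first one that matches the request. The added example below (not code from the question or from ASP.NET) replays that evaluation over the block as posted and over a reordered copy; it models only the `users` attribute, and the reordered copy and the user name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The <authorization> block exactly as posted in the question.
AS_POSTED = """<authorization>
    <allow users="*"/>
    <deny users="?"/>
</authorization>"""

# Constructed variant: the same two rules with the deny rule first.
REORDERED = """<authorization>
    <deny users="?"/>
    <allow users="*"/>
</authorization>"""


def matches(rule, user):
    """user is None for an anonymous request, otherwise the user name."""
    for entry in rule.get("users", "").split(","):
        entry = entry.strip()
        if entry == "*":                      # every user, anonymous included
            return True
        if entry == "?" and user is None:     # anonymous users only
            return True
        if user is not None and entry.lower() == user.lower():
            return True
    return False


def decide(authorization_xml, user):
    """First matching rule wins; later rules are never consulted."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and matches(rule, user):
            return rule.tag
    return "allow"   # falls through to the inherited default <allow users="*"/>


def unreachable_rules(authorization_xml):
    """Rules listed after a users="*" rule can never be the first match."""
    rules = list(ET.fromstring(authorization_xml))
    for i, rule in enumerate(rules):
        if "*" in [e.strip() for e in rule.get("users", "").split(",")]:
            return [f'{r.tag} users="{r.get("users")}"' for r in rules[i + 1:]]
    return []


if __name__ == "__main__":
    print("as posted, anonymous:", decide(AS_POSTED, None))
    print("reordered, anonymous:", decide(REORDERED, None))
    print("never evaluated as posted:", unreachable_rules(AS_POSTED))
```

With the order as posted, an anonymous request matches `<allow users="*"/>` first, so the `<deny users="?"/>` rule is never reached.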

2 Answers

From the Remarks section of the MSDN documentation (link):

By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the RedirectFromLoginPage methods redirects to the URL in the DefaultUrl property. If you want to allow redirects to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element.

Here is my guess:

  • ReturnUrl is not defined in the query string.
  • ReturnUrl points to a page on your old server.

It is more than likely the latter.

David
  • Thanks for responding David. I understand where you're going with this, but I suspect it's a bit more involved. I have tried accessing the application from other pages, but the redirect works without problem on the original server. Besides, the default page is set in the web.config: `defaultUrl="default.aspx"` – Paul Mar 05 '20 at 14:16
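
The rule quoted in this answer, and the two guesses that follow from it, can be traced with a small model. This is an added example, not the framework's code or anything posted in the thread: `loginUrl` and `defaultUrl` are the values from the question's web.config, while the host names and the `/app` virtual path are constructed.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# loginUrl / defaultUrl come from the question's web.config;
# the host name and the /app virtual path are constructed for this example.
REQUEST_URL = "http://intranet.example/app/Default.aspx"
APP_PATH = "/app"
LOGIN_URL = "Default.aspx"
DEFAULT_URL = "default.aspx"


def redirect_target(return_url, enable_cross_app_redirects=False):
    """Where the documented rule sends the browser after a successful login."""
    fallback = urljoin(REQUEST_URL, DEFAULT_URL)
    if not return_url:                       # first guess: no ReturnUrl at all
        return fallback
    target = urljoin(REQUEST_URL, return_url)
    if enable_cross_app_redirects:           # enableCrossAppRedirects="true"
        return target
    here, there = urlsplit(REQUEST_URL), urlsplit(target)
    same_server = (there.scheme, there.netloc.lower()) == (here.scheme, here.netloc.lower())
    app_root = APP_PATH.rstrip("/").lower() + "/"
    # Collapse dot segments so /app/../other is not mistaken for /app/...
    path = posixpath.normpath(there.path or "/").lower() + "/"
    # second guess: ReturnUrl leaves this server or application -> defaultUrl
    return target if same_server and path.startswith(app_root) else fallback


def is_login_page(url):
    """True when url's path is the login page (IIS paths are case-insensitive)."""
    login_path = urlsplit(urljoin(REQUEST_URL, LOGIN_URL)).path
    return urlsplit(url).path.lower() == login_path.lower()


if __name__ == "__main__":
    for candidate in (None, "/app/Reports.aspx",
                      "http://oldserver.example/app/Reports.aspx",
                      "//other.example/x"):
        target = redirect_target(candidate)
        print(f"{candidate!r:45} -> {target}  login page: {is_login_page(target)}")
```

Because `loginUrl` and `defaultUrl` name the same page in the posted configuration, every fallback case lands back on the login page.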

Okay. After much research and many wonderful side issues, the problems I'm experiencing are down to breaking changes in .NET 4.0.

Microsoft goes into a lot more detail on their site, about the issue, but the long and short of it is detailed below...

Paul