Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Trouble allowing a 401 response through DNN, FormsAuthentication and MADAM not workingTrouble allowing a 401 response through DNN, FormsAuthentication and MADAM not working
Previous
 
Next
New Post
3/12/2015 5:40 AM
 

tl/dr: can I stop DNN from using Forms Authentication for some requests so 401 responses reach the client?

We have two websites that we want to share a domain name .. one DNN 7.3 site and a .NET MVC style project.  Each are in their own independent Site in IIS.  The DNN site is bound to port 80 and the main domain name, with rewrite rules in the web.config that redirect requests  to /api/* to the other Site.  Using the advanced management UI from https://dnnurlmanagement.codeplex.com/ we have been able to stop the DNN Friendly URL module from intercepting requests, and get the web.config rewrite rules to work.

Unfortunately, when our API chooses to respond with 401 Unauthorized, for example when you try to log in with an invalid password, the 401 response is intercepted by the Forms Authentication HttpModule in DNN and changed to a 302 Found redirect to the login page.  This seems very well documented and led me to the MADAM library at https://msdn.microsoft.com/en-us/library/aa479391.aspx

It seems clear that the order of processing for typical unauthorized requests, e.g. to the Admin site in DNN when not logged on, is:

1/ Forms Authentication is enabled

2/ URL Authorization scheme decides if a request is to be served or denied, and may respond with 401.

3/ Forms Authentication intercepts this and turns the 401 into a 302 with Location header pointing to Login page.

MADAM promises to offer the ability to replace the normal Forms Authentication scheme with a more configurable option so you can decide when to perform step 3 above, and when not to.

We installed MADAM and carefully configured it to not use Forms Authentication for requests to api/* but are still getting 302 responses.  We looked at outbound rewrite rules, but they cannot change the response status code.

I see in the DNN site's web.config there are suspicious lines like:

    <configuration>

      <!-- register local configuration handlers -->

      <configSections>

        <sectionGroup name="dotnetnuke">

          <section name="authentication" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke" />

This makes me feel DNN may be completely taking over the Forms Authentication handling and MADAM has no chance to operate, but I cannot tell for sure.

Is it possible to get our 401 response returned to the client unaltered?  Is MADAM the right approach to use?

Thanks!

Nick

 
Previous
 
Next
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Trouble allowing a 401 response through DNN, FormsAuthentication and MADAM not workingTrouble allowing a 401 response through DNN, FormsAuthentication and MADAM not working


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.

Content Layout

Subscribe to DNN Digest

Subscribe to DNN Digest

DNN Digest is our monthly email newsletter. It highlights news and content from around the DNN ecosystem, such as new modules and themes, messages from leadership, blog posts and notable tweets. Keep your finger on the pulse of the ecosystem by subscribing.  


Copyright 2017 by DNN Corp Terms of Use Privacy
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out