Making a public page accessible when Forms Authentication is used
We have a website that is protected with Forms Authentication in IIS. We would like to make one page in this website accessible to everyone without any authentication.
All the resources I saw mentions using tag but it's not working for us for some reason.
web.config:
<configuration>
<location path="public.htm">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="UserLogin.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Both public.htm and UserLogin.aspx are in the same folder. When we browse public.htm, we get 401.2.
If disable Forms Authentication, public.htm is accessible.
UPDATE (5/21):
Disabled Forms Authentication in but still getting 401.2 error.
<configuration>
<location path="public.htm">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="UserLogin.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
It sounds just like your anonymous authentication has been disabled or your current login user don't have permission to view the public.htm.
If you are hosting it in VS, please ensusre Enabled anonymous authentication has been selected and you current logon user have permission to access the htm file.
If you are hosting it in IIS, please ensure anonymous authentication has been enabled and the authorization rule would looks just like
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
The authentication in applicationhost.config would looks like
<location path="Sitename">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
And the authorization rule for public.htm would be.
<location path="public.htm">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Please remember to grant IUSER read permission to access public.htm.
- Where to store the refresh token on the Client?
- Django using email authentication with djoser for login
- rpId validation failed in Passkeys PoC on Android using Jetpack Compose
- How to obtain a boolean out of a SQL WHERE condition?
- Flutter MSAL_js-based (B2C) Authentication fails
- What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to Properly Set Up Auth Middleware in Nuxt 3 with Node.js Backend?
- How to handle client card/pfx authentication certificate popup in Playwright
- Swift Discord OAuth2 redirect URi not supported by Client
- Symfony security component - Unable to find key \"username\" in the token payload
- How to properly use Bearer tokens?
- "MultipleObjectsReturned or ObjectDoesNotExist error when accessing 'google' provider in Django-allauth"
- expect, interact and then again expect
- Error: FB.login() called before calling FB.init()
- How to find user_id in Django endpoint
- Is this djoser implementation secure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- How/why is login page redirect required?
- How can I sync JWT blacklists in PHP microservices without a bottleneck or SPOF?
- login page asp.net sql
- Need help understanding keycloak, reverse proxies, and middleware in a cluster
- Classic ASP Request.ServerVariables("LOGON_USER") returning wrong username
- .Net 8: Cannot authenticate user with "Individual Accounts Auth" template
- Issue: All users access the same google drive account
- Get username from Azure Identity
- How do I persist the the user with supabase using nextjs?
- Retrieve .htaccess login name from PHP
- ways of authentication with Nginx
- How do I access a dev tunnel from a service/authenticate between apps?