Nov 12, 2019 01:25 AM|bischofb
I have an ASP.NET MVC site that has been working for years and it uses the Authorization attribute on many controller actions. We migrated to a Windows 2016 server with Shibboleth and copy/pasted the code on it and now the Authorize attribute is ignored.
I don't think it has to do with my code since the only thing that has changed is the server. It works fine when I run locally as well. Is there an IIS setting I might be missing or possibly Windows Server 2016 has a breaking change that I'm not aware of (I don't keep up with such things since the application never changes)? I compared the new settings to the old settings but I don't see anything different (I'm not an IIS expert).
Nov 12, 2019 08:42 AM|Yongqing Yu
According to your description, which authentication mode does your MVC use?
Please make sure that your IIS has enabled the corresponding authentication.
If you still can't solve your issue, I hope you can provide your web.config settings for us to check.
Nov 12, 2019 04:19 PM|bischofb
I was able to determine that it's not ignoring the authentication attribute; instead it thinks EVERYONE is already authenticated, thus making it appear that it's not doing anything. We just started using Shibboleth 3 and I wonder if there is integration with Shibboleth so it knows that the user logged in with Shibboleth even though I didn't call any forms authentication code myself. The code is ten years old so it's hard to tell. I was able to create a custom authentication attribute that did more authentication and that got it working.
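
Added example, not code from this thread or from any poster: a sketch of an ASP.NET MVC 5 authorization attribute that refuses to rely on `IsAuthenticated` alone, which is the failure mode described in the last post. The class name `AppAuthorizeAttribute`, the `IsKnownUser` hook and the expected authentication type `"Forms"` are assumptions; the thread does not say what the poster's own attribute checks.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: use [AppAuthorize] in place of [Authorize].
public class AppAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: the authentication types this application itself establishes.
    // Anything else (for example an identity set by the web server) is rejected.
    private static readonly HashSet<string> ExpectedAuthTypes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Forms" };

    // Hypothetical hook: wire this to the application's own user store at startup.
    // It denies everyone until configured, so a missing setup fails closed.
    public static Func<string, bool> IsKnownUser { get; set; } = name => false;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException(nameof(httpContext));

        IIdentity identity = httpContext.User?.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;

        // An authenticated identity with no name cannot be mapped to an account.
        if (string.IsNullOrWhiteSpace(identity.Name)) return false;

        // Reject identities that arrived through an unexpected mechanism.
        if (!ExpectedAuthTypes.Contains(identity.AuthenticationType ?? string.Empty))
            return false;

        // Require that the name maps to a user the application knows about.
        if (!IsKnownUser(identity.Name)) return false;

        // Keep the built-in Users= and Roles= checks from AuthorizeAttribute.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 instead of sending the
        // user back to a login page they have already passed.
        if (filterContext.HttpContext.User?.Identity?.IsAuthenticated == true)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Logging `User.Identity.AuthenticationType` and `User.Identity.Name` for one request on the new server shows which component is supplying the identity, and therefore which value belongs in `ExpectedAuthTypes`.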