I'm trying to configure the WebServices path on a forms-authenticated site to use basic authentication, but I can't get past the (Windows) login prompt. If I comment out the basicAuthentication section and get to the forms login page, I get in.

<location path="WebServices">
  <!--<episerver.basicAuthentication sendBasicChallenge="true" basicRealm="" />-->
  <system.web>
    ...
  </system.web>
</location>

So obviously I have the correct permissions. The HttpModule is configured:

<httpModules>
  <add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />
  ...
</httpModules>
EPiServer CMS 5 R2
I have found a way to get it to work. But is it meant to be done like this?
The WebServices directory in R2 is handled with VirtualPathProviders and is physically the "C:\Program\EPiServer\CMS\5.2.375.7\Application\WebServices" directory. If I add an empty "WebServices" directory in the root of the site directory, I can then change the directory security for that "WebServices" directory in the IIS settings: I set the authentication mode to be only "Basic authentication" and I set the "Default domain:" to our domain name. I have to use the WindowsMembership/Role or MultiplexingMembership/Role providers. I can skip the "Default domain" value in the IIS settings if I use usernameformat=DomainAndName on the WindowsMembershipProvider. I can only log in with a Windows account. If I use an SqlMembership account there is not even a request to the server and the BasicAuthentication module.
Is this how it is meant to be set up? Or is the problem that I am testing it on a domain? Normally the scenario, on a public site with forms authentication, is that it's not on a domain. Will the setup be easier on a server without a domain?
Testing on a 2003 server and on my XP. IIS 6, I guess.
When installing an EPiServer site the default IIS security settings are:
- "Enable anonymous access" - enabled
- "Integrated Windows authentication" - enabled
If "Integrated Windows authentication" is enabled the BasicAuthentication module won't work. The "DecodeAuthenticationHeader" method in the BasicAuthentication module checks if the authentication header starts with "Basic"; if not, it returns false and the user is never validated. If "Integrated Windows authentication" is enabled the authentication header will start with "Negotiated" and the method will always return false.
So if I disable "Integrated Windows authentication" on the site level I can use a SqlMembershipProvider user to call the WebService.
Maybe this is obvious, but it wasn't for me.
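To make the failure mode in the answer above concrete, here is an added illustrative HttpModule, written for this page and not EPiServer's own BasicAuthentication module (its class name, the TryDecodeBasicHeader helper, the "~/WebServices/" path check and the realm string are all assumptions). It parses the Authorization header the way the answer describes: any scheme other than Basic, such as the Negotiate header a browser sends when IIS Integrated Windows authentication is enabled, is rejected, but here the rejected scheme is written to the trace so the misconfiguration is visible instead of a silent login loop.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical Basic authentication module for illustration only.
// It is NOT EPiServer.Security.BasicAuthentication; names are assumed.
public class IllustrativeBasicAuthModule : IHttpModule
{
    // Assumed path scope; mirrors <location path="WebServices"> in the thread.
    private const string ProtectedPath = "~/WebServices/";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    // Parses "Authorization: Basic base64(user:password)".
    // Returns false for an empty header, a malformed value, or any other
    // scheme (e.g. "Negotiate ..."), which is exactly why the SQL user in the
    // thread was never validated while Integrated Windows auth was enabled.
    public static bool TryDecodeBasicHeader(string authHeader, out string user, out string password)
    {
        user = null;
        password = null;
        if (string.IsNullOrEmpty(authHeader)) return false;

        const string scheme = "Basic ";
        if (!authHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return false;

        string decoded;
        try
        {
            byte[] raw = Convert.FromBase64String(authHeader.Substring(scheme.Length).Trim());
            decoded = Encoding.UTF8.GetString(raw);
        }
        catch (FormatException)
        {
            return false;
        }

        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Leave the rest of the forms-authenticated site untouched.
        if (!ctx.Request.AppRelativeCurrentExecutionFilePath
                .StartsWith(ProtectedPath, StringComparison.OrdinalIgnoreCase))
            return;

        string header = ctx.Request.Headers["Authorization"];
        string user, password;
        if (!TryDecodeBasicHeader(header, out user, out password))
        {
            // Surface the scheme so an operator can see "Negotiate" in the trace
            // and know IIS Integrated Windows authentication is still on.
            if (!string.IsNullOrEmpty(header))
                ctx.Trace.Warn("BasicAuth", "Authorization scheme is not Basic: " + header.Split(' ')[0]);
            SendChallenge(ctx);
            return;
        }

        // Membership.ValidateUser goes to whichever provider web.config names
        // (SqlMembershipProvider, WindowsMembershipProvider, ...).
        if (!Membership.ValidateUser(user, password))
        {
            SendChallenge(ctx);
            return;
        }

        string[] roles = Roles.Enabled ? Roles.GetRolesForUser(user) : new string[0];
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
    }

    private static void SendChallenge(HttpContext ctx)
    {
        ctx.Response.StatusCode = 401;
        ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"WebServices\"");
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Register it under <httpModules> like the EPiServer module in the question, and keep IIS anonymous access enabled with Integrated Windows authentication disabled for that directory, as the answer describes; otherwise the browser or client negotiates Kerberos/NTLM first and the module never sees a Basic header. Because Basic credentials are only base64-encoded, the WebServices path should be served over HTTPS.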