How to provide ASP.NetWebadminfiles (WSAT) like user management for your hosted or online site

I was recently working on an ASP.NET 2.0 website. I used the ActiveDirectoryMembershipProvider and the membership API along with the Login controls to give users a nice experience, with features like sign up as a new user, change password, password reset, login and all the related functionality that any website offers.
When my code was in development, I had the built-in WSAT (ASP.NET Website Administration Tool), which I could launch from Visual Studio.Net to easily administer my website. You can launch this tool using the Website–>ASP.Net configuration menu. This tool is really cool: without writing a single line of code you can manage all the security and settings for your website.
But the problem arises when you move your code to production. The WSAT tool only works locally (i.e. via localhost). By default, it prohibits remote access.
In this post, I will explore two ways of managing your website security remotely.

Option 1: Make changes to the WSAT tool to make it work remotely

The WSAT tool, with source code, is located in your C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles folder. To make it accessible on the network, go to IIS–>Create new virtual directory–>Point to the above folder, and remove anonymous access on the directory settings page.

Then you need to access it the same way your local ASP.NET configuration tool is accessed, i.e. via a URL that looks something like:
http://SERVER/AdminTool/default.aspx?applicationPhysicalPath=C:\Inetpub\wwwroot\testsite&applicationUrl=/testsite

But you will notice that, as soon as you try to access it, it spits out an ugly error: “This tool cannot be remotely accessed.” This is because by default the tool is locked down for local access only. To fix this, open the file C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs in a text editor and change line 488

FROM: if (!application.Context.Request.IsLocal) {
TO: if(false){

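Once you save your file, the tool will allow remote access. Note that this turns off the local-only check for every request, so the authentication you configured on the virtual directory in IIS is then the only thing restricting who can reach the tool.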
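A narrower alternative to if(false), as an added example that is not part of WSAT or of the original post: keep the local check and additionally admit only listed admin addresses whose IIS-authenticated Windows identity is in an admin group. WebAdminGate, the addresses and the group name are hypothetical, and Windows authentication on the virtual directory is assumed; the condition on line 488 would then read if (!WebAdminGate.IsAllowed(application.Context)) {

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (not part of WSAT). Drop it into the tool's App_Code
// folder. Written in C# 2.0 syntax to match the v2.0.50727 compiler.
public static class WebAdminGate
{
    // Assumption: constructed sample values. Replace them with the addresses
    // of your admin workstations and the Windows group allowed to use the tool.
    private static readonly string[] AllowedAddresses = { "192.0.2.10", "192.0.2.11" };
    private const string AdminGroup = @"EXAMPLE\WebSiteAdmins";

    public static bool IsAllowed(HttpContext context)
    {
        HttpRequest request = context.Request;

        // Requests from the server itself keep working exactly as before.
        if (request.IsLocal)
            return true;

        // Remote requests must come from a listed address. Behind a reverse
        // proxy UserHostAddress is the proxy's address, so this check is only
        // meaningful when clients connect to IIS directly.
        if (Array.IndexOf(AllowedAddresses, request.UserHostAddress) < 0)
            return false;

        // They must also carry an authenticated identity that belongs to the
        // admin group. With Windows authentication, context.User is a
        // WindowsPrincipal and IsInRole accepts a DOMAIN\Group name.
        IPrincipal user = context.User;
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(AdminGroup);
    }
}
```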

Option 2:

Some people may not allow you to mess with the production web server as above, because it involves changing a .NET Framework file and it can be a security risk. 4guysfromrolla.com has done a nice thing: they have written a generic user management piece which works just like WSAT and which you can easily include as part of your website. Just package it with your website, since it comes with source code (although the source code is in C#). You just have to follow a few steps to make it work for you. You can find the article which talks about the custom tool here: http://aspnet.4guysfromrolla.com/articles/052307-1.aspx and download the source code here: http://aspnet.4guysfromrolla.com/code/ezdeploy.zip

Here are few things I had to do to make it work for my website:

  • Copy the source code to a subfolder in my site
  • Delete the web.config from the root level which comes with the source code
  • Move the 4guys.master file to the root of my website (this is mentioned in the article)
  • Move images from the i folder to the images folder of my website and change links which point to these images (this is mentioned in the article)
  • Change the stylesheet link in 4guys.master file to point to the correct location.
  • Move _controls folder to the root of my website
  • Delete all subfolders except admin from the source code. We don't need these.
  • Change the 4guys.master to remove menu links to pages which are irrelevant for the security piece.
  • NOTE: If you are using ActiveDirectoryMembershipProvider, you will get a bunch of errors like
    The property 'LastLoginDate' is not supported by the Active Directory membership provider.]
    
    System.Web.Security.ActiveDirectoryMembershipUser.get_LastLoginDate()

To solve this, all you have to do is remove the following lines from all the .aspx pages.
<asp:BoundField DataField="lastlogindate" HeaderText="Last Login Date" />
<asp:BoundField DataField="lastactivitydate" HeaderText="Last Activity Date" />
<asp:BoundField DataField="isonline" HeaderText="Is Online" />


4 thoughts on “How to provide ASP.NetWebadminfiles (WSAT) like user management for your hosted or online site”

  1. Hello,
    The concept is very nice and simple (first option). I am looking to make the database in SQL Server.

    Kindly suggest where I can change the connection string in Web.config. I tried with the connection string but got some problems. If you can send me the web.config, that may help me.

    I am looking to keep this in a folder of main application. Please suggest.

    Actually, I created a new web app ‘TestWebAdmin’.
    This is the URL I tried:
    http://localhost/testwebadmin/default.aspx?applicationPhysicalPath=C:\Inetpub\wwwrooot\testwebadmin&applicationUrl=/testwebadmin

    It is showing
    Server cannot access application directory ‘C:\Inetpub\wwwrooot\testwebadmin\’. The directory does not exist or is not accessible because of security settings

    I gave Full control to all the users. Still same problem.

    Even I tried the second option, 4guysfromrolla.com,
    It is working fine and I am able to make the connection string to the SQLServer, but in the page (logged as admin ) Access_rules.aspx.

    I gave the access to the Purchasing folder > admin and purchasing,

    When I am going to give the access of Purchasing to Sales or IT, it is replacing Admin access.
    I tried to modify the code but no luck.

    If you have come across any nice tool, from which we can do admin maintenance remotely, please suggest. Or if any possible solution if you have for above questions that too is fine.

    Thanks and Regards,
    Prashanth Kumar G.

  2. THANKS – Great article !!!

    I wondered where the hell it's hiding 🙂

    C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App

    What a great find !
