This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 42%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECE%3C/text%3E%3C/svg%3E)
We have a .NET 4.7.2 ASP.NET Web Forms application deployed under IIS running with Azure Active Directory Authentication.
The web app is registered as an application on Azure AD and requires users to login before accessing the site.
Is there a way to expose a single aspx page for anonymous access?
Or perhaps access the page via a token acquired from Azure, without requiring the user to login?
We are trying to return the aspx page as a byte array.
Prior to Azure AD, WebClient was used to access the page, passing in a username and password.
Below please find some sample code:
System.Net.WebClient webClient = new System.Net.WebClient();
Uri requestUri = new Uri(m_url);
System.Net.NetworkCredential credentials = new System.Net.NetworkCredential(SiteSettings.AlerterUserName, SiteSettings.AlerterPassword, SiteSettings.AlerterDomain);
System.Net.CredentialCache credentialCache = new System.Net.CredentialCache();
credentialCache.Add(new Uri(SiteSettings.SiteUrl), "NTLM", credentials);
webClient.Credentials = credentialCache;
byte[] raw = webClient.DownloadData(requestUri);
m_body += System.Text.Encoding.Default.GetString(raw);
This is no longer valid with Azure.
We have replaced the use of WebClient with HttpClient, however instead of the requested page being returned, the site is requiring a login:
string token = GetAccessToken();
using (HttpClient httpClient = new HttpClient())
{
httpClient.BaseAddress = new Uri(m_url);
httpClient.DefaultRequestHeaders.Remove("Authorization");
httpClient.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
byte[] raw = httpClient.GetByteArrayAsync(m_url).GetAwaiter().GetResult();
m_body += System.Text.Encoding.Default.GetString(raw);
}
The following is returned:
<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
<head>
<title>Sign in to your account</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
...
Thank you,
Ed
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
typically webform pages do not support bearer tokens, as they use cookie authentication. you need to add bearer token support to your application.
Thank you for the response.
Is that accomplished thru code and/or the Azure portal?
You don’t explain your current configuration. Are you use azure easy auth, or the owin pipline and Microsoft identity?
Owin pipline and Microsoft identity.
We mostly followed:
The official docs for the old framework are slowly disappearing. You will need to google for examples. But basically you add UseJwtBearerAuthentication middleware and configure it. As both middleware will run on each request, either one can create the principal.
From what I can see, JwtBearer requires .NET Core; this is a .NET 4.7.2 WebForms app.
the owin pipeline supports jwt tokens. google for examples,
I ended up installing Microsoft.IdentityModel.JsonWebTokens and added the following to Startup.cs:
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
*AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,*
*TokenValidationParameters = new TokenValidationParameters*
*{*
*ValidateIssuer = true,*
*ValidIssuer = aadInstance,*
*ValidateAudience = true,*
*ValidAudience = redirectUrl,*
*ValidateLifetime = true,*
*ValidateIssuerSigningKey = true*
*}*
});
The token seems to be acquired successfully as per the screenshot.
However when trying to access the aspx page using the token, Azure requires a signin:
httpClient.DefaultRequestHeaders.Authorization = AuthenticationHeaderValue.Parse(token.CreateAuthorizationHeader());
byte[] raw = httpClient.GetByteArrayAsync(PathToASPXPage).GetAwaiter().GetResult();
<head>
<title>**Sign in to your account**</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
I wonder if the ASPX page needs to be changed to an API call.