Umbraco, ELMAH, MADAM and authentication

Please refer to this blogpost

Warning – read first: There is an issue with this approach; when you’re authenticated via Forms Authentication (like being logged in on the website), you’re ALSO allowed to access elmah.axd.
I have looked for a solution, but I haven’t figured one yet. Do you have the solution? Please reply on this blog and I’ll include your information.

We’re using ELMAH in every single umbraco project we built, it’s an awesome error logging module for .NET.

To protect ELMAH, we were using Basic Authentication, which is built-in in .NET and IIS.
But since umbraco v4.7.1, umbraco relies on Forms Authentication for the Members. As you might know, it’s impossible to have Basic AND Forms Authentication enabled at the same time, so the quick conclusion was to go with Forms Authentication, else umbraco’s membership provider wouldn’t work anymore.

So now we have a problem: whenever someone’s logged in as a member, he/she can access elmah.axd (assuming that you’ve got elmah.axd protected as described here).
Wouldn’t it be awesome  if we could still use some sort of Basic Authentication AND Forms Authentication? Ofcourse! That’s where MADAM steps in (from the creator of ELMAH, isn’t that coincidental?).

So here’s a guide how to set-up your project (which I assume already has ELMAH running and configured, as described here for example):
Add the MADAM assembly to the bin folder (+ reference if you use VS)
Some stuff in the web.config:

  • Add sectionGroup for madam:

<sectionGroup name="madam">
<section type="Madam.FormsAuthenticationDispositionSectionHandler, Madam"/>
<section type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  • Add httpModules to system.web/httpModules and system.webServer/modules:
<add name="FormsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionModule, Madam"/></pre>
<!-- IMPORTANT! The actual HTTP authentication module MUST appear  AFTER the FormsAuthenticationDisposition module. -->
<add name="BasicAuthentication" type="Madam.BasicAuthenticationModule, Madam"/>
  • Extend the <authentication mode=”Forms” /> tag in <system.web>:
<authentication mode="Forms">
<credentials passwordFormat="SHA1">
<user name="elmah" password="<<<YOUR_SHA1_HASHED_PASSWORD>>"/>
  • Add a location element to protect elmah.axd:
<location path="elmah.axd">
<deny users="?"/>
  • Add a madam element, like after the elmah element:
<userSecurityAuthority realm="ELMAH" provider="Madam.FormsUserSecurityAuthority" exposeClearTextPassword="false "/>
<discriminators all="true">
<!-- This discriminator helps detect redirection to the Forms login page. -->
<discriminator inputExpression="Response.RedirectLocation" pattern="login.aspx?returnurl=" type="Madam.RegexDiscriminator"/>
<!-- These discriminators are based on the various locations  and requests for which Forms should be discriminated.  The conditions expressed by these discriminators  are OR'ed together in the absence of the all attribute. -->
<discriminator inputExpression="Request.RawUrl" pattern="^/elmah.axd"/>

That’s “all” 😉 Good luck!

9 Replies to “Umbraco, ELMAH, MADAM and authentication”

  1. Couldn’t you do this:

    I don’t have an Umbraco instance in front of me, but isn’t there a different role for an admin then there is for a member?

  2. err…. my code didn’t appear.

    in the authorization, above deny, just add a allow roles=”roles for admin user seperated by comma”


  3. Cheers for posting this, good to know. I just have a question. You say…

    “So now we have a problem: whenever someone’s logged in as a member, he/she can access elmah.axd”

    I have implemented this but I seem to still have this problem. When I’m not logged in as a member and try access elmah.axd it is correctly offering the Basic Authenticate challenge. I can then enter the details (as you have them) “elmah” and a password and I can then access elmah.axd fine. When I am logged in as a member though, I am allowed to access elmah.axd like before.

    Any ideas what I am doing wrong?

  4. @Daniel
    Damm, I see you’re right! I thought I’d tested it really thoroughly.
    Will look into this today or tomorrow and update this blog according to my findings.

  5. Pingback: Umbraco, ELMAH (with SQL CE 4.0) and authentication | kipusoep's tech blog

  6. Of course if you don’t want to configure authentication you could also configure elmah to store logging information in a XML file or SQL database and then completely disable the elmah.axd handler from your publicly facing website. Then create another ASP.NET site which only you would have access to with the same elmah configuration pointing to the same log source and simply navigate to the /elmah.axd handler of your private site to read the logs of your public site.

Leave a Reply

Your email address will not be published. Required fields are marked *