Umbraco, ELMAH, MADAM and authentication
Please refer to this blogpost
Warning – read first: There is an issue with this approach; when you’re authenticated via Forms Authentication (like being logged in on the website), you’re ALSO allowed to access elmah.axd.
I have looked for a solution, but I haven’t figured one yet. Do you have the solution? Please reply on this blog and I’ll include your information.
We’re using ELMAH in every single umbraco project we built, it’s an awesome error logging module for .NET.
To protect ELMAH, we were using Basic Authentication, which is built-in in .NET and IIS.
But since umbraco v4.7.1, umbraco relies on Forms Authentication for the Members. As you might know, it’s impossible to have Basic AND Forms Authentication enabled at the same time, so the quick conclusion was to go with Forms Authentication, else umbraco’s membership provider wouldn’t work anymore.
So now we have a problem: whenever someone’s logged in as a member, he/she can access elmah.axd (assuming that you’ve got elmah.axd protected as described here).
Wouldn’t it be awesome if we could still use some sort of Basic Authentication AND Forms Authentication? Ofcourse! That’s where MADAM steps in (from the creator of ELMAH, isn’t that coincidental?).
So here’s a guide how to set-up your project (which I assume already has ELMAH running and configured, as described here for example):
Add the MADAM assembly to the bin folder (+ reference if you use VS)
Some stuff in the web.config:
- Add sectionGroup for madam:
<sectionGroup name="madam"> <section type="Madam.FormsAuthenticationDispositionSectionHandler, Madam"/> <section type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/> </sectionGroup>
- Add httpModules to system.web/httpModules and system.webServer/modules:
<add name="FormsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionModule, Madam"/></pre> <!-- IMPORTANT! The actual HTTP authentication module MUST appear AFTER the FormsAuthenticationDisposition module. --> <add name="BasicAuthentication" type="Madam.BasicAuthenticationModule, Madam"/>
- Extend the <authentication mode=”Forms” /> tag in <system.web>:
<authentication mode="Forms"> <forms> <credentials passwordFormat="SHA1"> <user name="elmah" password="<<<YOUR_SHA1_HASHED_PASSWORD>>"/> </credentials> </forms> </authentication>
- Add a location element to protect elmah.axd:
<location path="elmah.axd"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location>
- Add a madam element, like after the elmah element:
<madam> <userSecurityAuthority realm="ELMAH" provider="Madam.FormsUserSecurityAuthority" exposeClearTextPassword="false "/> <formsAuthenticationDisposition> <discriminators all="true"> <!-- This discriminator helps detect redirection to the Forms login page. --> <discriminator inputExpression="Response.RedirectLocation" pattern="login\.aspx\?returnurl\=" type="Madam.RegexDiscriminator"/> <!-- These discriminators are based on the various locations and requests for which Forms should be discriminated. The conditions expressed by these discriminators are OR'ed together in the absence of the all attribute. --> <discriminator> <discriminator inputExpression="Request.RawUrl" pattern="^/elmah\.axd"/> </discriminator> </discriminators> </formsAuthenticationDisposition> </madam>
That’s “all” 
Good luck!