IIS Express applicationhost.config - authentication error - asp.net

I'm running IIS Express (not to be confused with the normal IIS) under Windows 10. My understanding is the settings are stored in "My Documents\IISExpress\config\applicationhost.config"
These settings can be overridden by a local web.config file when creating an asp.net core project.
When attempting to use this web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="" inheritInChildApplications="false">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
I receive the following error.
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
identifying this line:
<authentication>
**<anonymousAuthentication enabled="false" />**
<windowsAuthentication enabled="true" />
This is in spite of changing this line to state Allow:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
Is there any other place I should be looking?

Based upon feedback received.
The correct location for the configuration file is {ProjectDirectory}.vs\config\applicationhost.config when working within visual studio.
"My Documents\IISExpress\config\applicationhost.config" is incorrect.
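The question asks where else a lock can come from. IIS decides whether a web.config may set a section in two places inside applicationHost.config: the section's own overrideModeDefault in <configSections> (Allow when the attribute is absent), and any <location> element whose path covers the site or application and whose overrideMode (or the legacy allowOverride="false") re-locks or unlocks the sections it contains, with the most specific path applied last. The following script is an added example, not code from the question or its answers; it resolves the effective lock for a section at a given site/app path. The applicationHost.config it parses is a constructed sample, and the site name "MyApp" and its paths are assumptions.

```python
"""Resolve why an IIS section is locked (or not) for a given site/app path.

Added example.  The sample applicationHost.config below is constructed for
the demonstration; "MyApp" and "MyApp/admin" are assumed site/app paths.
"""
import xml.etree.ElementTree as ET

SAMPLE_APPHOST = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
      <section name="defaultDocument" />
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Allow">
    <system.webServer><modules /></system.webServer>
  </location>
  <location path="MyApp" overrideMode="Allow">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="MyApp/admin" allowOverride="false">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

SECTION = "system.webServer/security/authentication/anonymousAuthentication"


def load(xml_text):
    return ET.fromstring(xml_text)


def section_default(root, section_path):
    """overrideModeDefault from the <section> declaration; KeyError if undeclared."""
    parts = section_path.split("/")
    node = root.find("configSections")
    if node is None:
        raise KeyError("no <configSections> element")
    for name in parts[:-1]:  # walk the nested <sectionGroup> chain
        node = next((g for g in node.findall("sectionGroup") if g.get("name") == name), None)
        if node is None:
            raise KeyError(f"sectionGroup {name!r} is not declared")
    sec = next((s for s in node.findall("section") if s.get("name") == parts[-1]), None)
    if sec is None:
        raise KeyError(f"section {section_path!r} is missing a section declaration")
    return sec.get("overrideModeDefault", "Allow")  # IIS default when absent


def location_mode(loc):
    """Lock state a <location> applies to the sections it contains."""
    mode = loc.get("overrideMode")
    if mode is not None:
        return mode
    legacy = loc.get("allowOverride")  # legacy spelling: false == Deny
    if legacy is not None:
        return "Deny" if legacy.strip().lower() == "false" else "Allow"
    return "Inherit"


def path_covers(loc_path, target):
    """'' covers everything; 'Site' covers 'Site' and 'Site/app' but not 'Site2'."""
    return loc_path == "" or target == loc_path or target.startswith(loc_path + "/")


def effective_override(root, section_path, target_path):
    """Return (mode, trail): the lock in force at target_path and how it got there."""
    mode = section_default(root, section_path)
    trail = [f"section default: {mode}"]
    # Only <location> elements that both cover the target path and actually
    # contain this section can change its lock state.
    locs = [loc for loc in root.findall("location")
            if path_covers(loc.get("path", ""), target_path)
            and loc.find(section_path) is not None]
    for loc in sorted(locs, key=lambda loc: len(loc.get("path", ""))):
        loc_mode = location_mode(loc)
        if loc_mode == "Inherit":
            continue
        mode = loc_mode
        trail.append(f'location path="{loc.get("path", "")}": {mode}')
    return mode, trail


if __name__ == "__main__":
    root = load(SAMPLE_APPHOST)
    for target in ("MyApp", "MyApp/admin", "OtherSite"):
        mode, trail = effective_override(root, SECTION, target)
        print(f"{target}: {mode}  ({'; '.join(trail)})")
```

Run it with `load()` pointed at the real file (%windir%\system32\inetsrv\config\applicationHost.config for full IIS, or the .vs\config\applicationhost.config the edit above mentions for IIS Express started from Visual Studio) and the target set to "SiteName" or "SiteName/app". The IIS-supplied way to unlock a section is `appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication`, which sets overrideModeDefault="Allow" for every site; the authentication sections are locked by default precisely so that an application's web.config cannot silently re-enable anonymous access, so prefer unlocking only the site that needs it with a `<location path="SiteName" overrideMode="Allow">` block.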

Related

How to make IIS authorize requests based on Windows user name or group membership?

I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.
<location path="lsgprog/bibliothek/adm">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Access to some other directories is restricted as well, also using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users, those groups and users are maintained by some Active Directory and because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.
All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.
<location path="lsgprog/vfristen">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"
roles="*"
verbs="GET,HEAD,POST" />
</authorization>
</system.web>
</location>
My expectation was that the above is enough to DENY access to all users, but that doesn't work, and any approach based on ALLOW doesn't either. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.
So, is what I'm trying to do possible at all and if so, how? Thanks!
In this scenario there are multiple options. First, try adding a web.config file to the folder that needs to have its own permissions, e.g. under lsgprog/vfristen; the minimum web.config example which will deny all users access:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Why does it work - IIS looks at each folder structure for web.config files, in this case the child will overwrite the parent but only the nodes that are inside the child - meaning it will preserve all other settings from the parent (root) web.config:
Make application and directory-specific configuration settings in an ASP.NET application
Although the documentation above is for ASP.NET it applies at the IIS level as well.
Second option to try - since the question mentioned the root of the project is lsgprog then this setting in web.config:
<location path="lsgprog/vfristen">
Should be changed to (remove the root folder of the project from the path):
<location path="vfristen">
Finally third option which could also work is overwriting it at the Machine.config level as mentioned in the above document:
Use the location element in the Machine.config file
When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:
Machine.config
<configuration>
<location path="Default Web Site/MyApp" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
You could try to add the below code in your site web.config file:
<location path="foldername">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<location path="foldername/page1.php">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="DOMAIN\ADGROUP" />
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
Edit: you need to install URL Authorization in IIS to make this rule work.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

Can I move asp.net authentication related configuration out of web.config

I have an asp.net WebApi application where I would like to move any configuration that is likely to change out of web.config into an external configuration file.
This will then allow an install update to overwrite the web.config so that it picks up any newer configuration added between version, but preserve other user settings which may vary between deployments.
I have successfully done this with a few sections, eg appSettings.
For appSettings, I have the following in web.config...
<appSettings configSource="config\appSettings.config"/>
And then the external file has the various settings, eg ...
<?xml version="1.0" encoding="utf-8"?>
<appSettings>
<add key="IISSitePrefix" value="http" />
<!--- Set this to True to emit http request debug information to the Event log -->
<add key="EnableHttpDebugTracing" value="false" />
.... etc
I have been trying to do the same with the two configuration settings we need to change to toggle on/off windows authentication, as some deployments will use this, and others will use token based security. To do this I need to move the following out of web.config...
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
<system.web>
<authentication mode="Windows"/>
</system.web>
So for the first tag, I tried the following....
<authentication configSource="config\authentication.config"/>
with the contents of the external file being..
<?xml version="1.0" encoding="utf-8"?>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
However, when I run this, I get the following error...
The configuration section 'authentication' cannot be read because it is missing a section declaration
I get a similar result when I try the other section.
Does anyone know what this means, or even if it is possible to do the above?
Thanks in advance for any help
[EDIT 1]
After one of the comments I have realised, perhaps my configuration is not quite correct (it was some time ago I first looked at this, and am now revisiting)
Previously, to enable integrated (windows) authentication, I thought you needed two bits of configuration (system.web AND system.webserver)...
<system.web>
<authentication mode="Windows"/>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
BUT now looking at this post, it appears I only need the <system.webServer> and not <system.web> at all
I removed my <system.web> and I could indeed turn off the integrated authentication using just the <system.webServer> section.
So, now, what I want to configure in the external file is just the following..
ie if possible I'd like to just move out the <security> section, and leave the rest of the <system.webServer> in web.config.
I tried the following ..
<system.webServer>
<security configSource ="config\authentication.config"/>
</system.webServer>
With the contents of authentication.config being...
<?xml version="1.0" encoding="utf-8"?>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
But now when I try to execute a route I get..
Unrecognized attribute 'configSource'
Config Source:
87:
88: <security configSource ="config\authentication.config"/>
89:
So my (modified) question becomes is there a way to move out the above section?
Try changing the external file from
<?xml version="1.0" encoding="utf-8"?>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
to:
<?xml version="1.0" encoding="utf-8"?>
<authentication mode="Windows"></authentication>
It works for me ;)

Trying to secure all aspx files in a folder secure by IP address

I'd like to secure all aspx files in a folder ~/Secure/ such that only specific IP addresses can access the folder's aspx files. I added the following web.config file to the folder, hoping that it adds to the parent web.config:
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="192.168.100.1" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
The problem is that I get this error when I try to access to any of the aspx pages in the folder:
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
What does it take to make this idea happen? I'd like to just include one web.config file in a folder and have that enforce the IP address authorization. I like this idea, since it is no-code and config only.
You cannot do it in the website web.config only.
If you can use IIS manager:
Open IIS Manager, locate the site, click on the folder you want to protect, then click on IP Address and Domain Restrictions.
Also click on "Edit feature settings" in the right Actions panel to specify actions for unspecified clients (i.e. Deny with Forbidden, or simply Deny with Not Found).
This will generate the right configuration for you.
In your root web.config use the location element:
<location path="Secure">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="192.168.100.1" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
</ipSecurity>
</security>
</system.webServer>
</location>

Internal Server Error with web.config ipSecurity

This is my web.config which has some tags for blocking IP addresses:
<configuration>
<connectionStrings>
...
</connectionStrings>
<appSettings>
....
</appSettings>
<runtime>
....
</runtime>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="127.0.0.1" allowed="true"/>
<add ipAddress="83.116.19.53" allowed="true"/>
</ipSecurity>
</security>
</system.webServer>
</configuration>
My intention is to block any other IP except the above. The above are the only IP addresses I want the website to be accessible from. But with the "ipSecurity" tag I am always getting
500 - Internal server error and the site runs fine without it.
I have made sure that "IP and Domains Restrictions" are installed on the server.
Please let me know if I am missing anything.
Thank you.
For others that run into this issue. The cause of the issue is that Feature Delegation doesn't allow the feature to be managed by web.config.
To Fix:
Verify that the Feature is enabled for web.config management
In IIS 7, click on the root server
Double click Feature Delegation (under management)
Scroll down to IPv4 Address and Domain Restrictions
Change the delegation to Read/Write (in my case it was Read Only, which was the issue)
Hope this helps someone else.
For Windows 10 and Visual Studio 2015 note that the ApplicationHost.config file has been relocated to the .vs\config folder in your project's folder hierarchy. You will need to edit the project specific version of the ApplicationHost.config file found there with...
<section name="ipSecurity" overrideModeDefault="Allow" />
If you only edit the ApplicationHost.config located in your Documents\IISExpress folder this will not affect your existing application (MVC5 appl in my case).
Open the applicationHost.config file (located at %windir%\system32\inetsrv\config\applicationHost.config) and edit the ipSecurity section.
Change this line:
<section name="ipSecurity" overrideModeDefault="Deny" />
To:
<section name="ipSecurity" overrideModeDefault="Allow" />
Are you editing the config by hand or through IIS manager?
See this post about that error message as you may not have that feature delegation enabled
http://forums.asp.net/t/1220987.aspx
Try this outside the system.webServer tag:
<location path="Default WebSite">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="127.0.0.1" allowed="true"/>
<add ipAddress="83.116.19.53" allowed="true"/>
</ipSecurity>
</security>
</system.webServer>
</location>
Hopefully this will help someone...
I am running IIS express on Windows 7 locally and did the following - Control panel > Programs > Programs and features > Turn Windows features on or off
In the Windows Features dialog ensure the IP Security option is checked:
I also had to open up my applicationhost.config (under %userprofile%\Documents\IISExpress\config) file and change the following:
<section name="ipSecurity" overrideModeDefault="Deny" />
To
<section name="ipSecurity" overrideModeDefault="Allow" />
Don't forget custom site delegation. This allows you to only allow delegation to sites you intend.
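Once the ipSecurity section is unlocked, the remaining question in both of the IP restriction posts above is what the entry list actually admits. The script below is an added example, not code from either question or its answers; it parses an <ipSecurity> fragment and evaluates client addresses against it the way IIS IP and Domain Restrictions does: an <add> with only ipAddress is a single host, ipAddress plus subnetMask is a network, allowed="true" is the default, <clear/> discards inherited entries, and a client that matches nothing falls back to allowUnlisted. Where entries overlap, this example lets the first matching entry win; that ordering is an assumption, so keep entries non-overlapping rather than relying on it. The web.config fragment and client addresses are constructed for the example.

```python
"""Evaluate an IIS <ipSecurity> entry list against client addresses.

Added example.  The web.config fragment and the client addresses are
constructed; first-match-wins for overlapping entries is an assumption.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_WEBCONFIG = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="192.168.100.1" />
        <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed client addresses: the listed host, a neighbour of it, a
# link-local address, an explicitly denied private address, and IPv6 loopback.
SAMPLE_CLIENTS = ["192.168.100.1", "192.168.100.2", "169.254.77.3", "10.1.2.3", "::1"]


def _flag(value, default):
    """IIS boolean attribute: absent means the schema default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def parse_ip_security(xml_text):
    """Return (allowUnlisted, [(network, allowed), ...]) in document order."""
    root = ET.fromstring(xml_text)
    sec = root.find("system.webServer/security/ipSecurity")
    if sec is None:
        raise ValueError("no <ipSecurity> element in fragment")
    allow_unlisted = _flag(sec.get("allowUnlisted"), True)
    rules = []
    for entry in sec:
        if entry.tag == "clear":
            rules.clear()          # drop entries inherited from parent config
            continue
        if entry.tag != "add":
            continue               # domainName entries etc. are out of scope here
        addr = entry.get("ipAddress")
        mask = entry.get("subnetMask")
        spec = addr if mask is None else f"{addr}/{mask}"   # host == /32
        net = ipaddress.ip_network(spec, strict=False)
        rules.append((net, _flag(entry.get("allowed"), True)))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """True if IIS would serve the request from client_ip under these rules."""
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if ip.version == net.version and ip in net:
            return allowed
    return allow_unlisted


def decisions(xml_text, clients):
    """Map each client address to its allow/deny decision."""
    allow_unlisted, rules = parse_ip_security(xml_text)
    return {c: is_allowed(c, allow_unlisted, rules) for c in clients}


if __name__ == "__main__":
    for client, ok in decisions(SAMPLE_WEBCONFIG, SAMPLE_CLIENTS).items():
        print(f"{client:>16}: {'allow' if ok else 'deny (403.6)'}")
```

Two caveats worth checking before trusting such a list in production: the address IIS evaluates is the TCP peer, so behind a load balancer or reverse proxy every request arrives from the proxy's address and an allow entry for it admits everyone; and an entry such as 169.254.0.0/255.255.0.0 admits the whole link-local range, which is broader than most people intend when they copy it from an example.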

location tag totally ignored

I am developing an asp.net application where there is a need to upload files to an HTTP server. I am stuck with the 4 MB upload limit. I can change it by creating the following section in the web.config file:
<configuration>
<system.web>
<httpRuntime maxRequestLength="204800" executionTimeout="600" />
</system.web>
</configuration>
The problem is that this setting cannot be customized by moving these same lines into a location tag:
<configuration>
<location path="ftp_upload.aspx">
<system.web>
<httpRuntime maxRequestLength="204800" executionTimeout="600" />
</system.web>
</location>
</configuration>
The IIS server just completely ignores this setting without issuing any warning or error message. I cannot understand that, because for many other, only minor, errors in web.config it throws exceptions (for example when I forgot to set the allowOverride parameter to true in the parent web.config).
Try adding this to your config in the same location entry:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2048000000"/>
</requestFiltering>
</security>
</system.webServer>
Note that the units are in bytes rather than kilobytes... or something like that.
