IIS Site Inheritance - asp.net

I'm looking for advice on how to handle multiple web.configs in a single IIS site. I have little experience in IIS but need to figure this out.
Background:
1) We have an intranet application running on a single site in IIS 7.5
2) We have custom application code on various servers that we iframe into our intranet and want to piggy-back on our intranet's URL. (intranet.com/custom/blah.aspx)
3) To accomplish this we created virtual directories within our IIS intranet site. Unfortunately, this appears to cause some inheritance/conflict between our intranet's web.config and the web.configs for our various custom applications.
My initial thought is that perhaps we need to remove our custom applications from our IIS intranet site and create new IIS site, but I’m not sure if/how this would be possible as we still want to piggy back on the same URL.
Any ideas?
Let me know if additional detail/clarification is needed.

In my opinion you can still go ahead with your existing setup i.e. having custom applications as virtual directories in your intranet application.Its just you need to resolve conflicts in web.config. There are two ways to resolve those conflicts.
Tell your intranet application's web.config not to push its configurations on child directories. Way to achieve this is use location tag. e.g.
If you want parent app not to push its connection strings to children directories then use following construct.
<location path="." inheritInChildApplications="false">
<connectionStrings>
</connectionStrings>
</location>
If you wrap all those conflicting settings in location element then it will not get pushed to children directories. You have to be cautious here as it will stop inheritance to intranet application's own child directories and not just virtual directories.
Tell your custom application's web.config not to inherit configurations from parent directories. Way to achieve this is use <clear/> element.
In your custom application's web.config for all those conflicting settings you first clear settings coming from parent and then add specific settings you want to add. e.g.
<connectionStrings>
<clear />
<add your specific connection string>
<connectionStrings>

Related

ASP.NET, two Web.Config

I have a .NET application with all the aspx pages and the main web.config in the root folder but I now have a situation where I need a portal like section for other users. I have created a new folder with it's own unique aspx pages and a second web.config.
I especially need a second web.config to have the <authentication> with a <forms loginUrl="" defaultUrl="> for this portal section and a <authentication> too.
I have implemeted this second web.config in the way I created the first and I am getting this error message:
It is an error to use a section registered as allowDefintion='MachineToApplication'
beyond application level. This error can be caused by a virtual directory not being
configured as an application in IIS.
Now I think the main web.config file is conflicting with the this second webconfig in it's folder. I'm not sure how to fix this, I have seen theories on how this works but no solid code.
Thank you for any suggestions and your time, it is much appreciated.
In IIS, create a virtual directory, under your main application. The local web.config will overide stuff in your main web.config, but still use you main web.config for everything else (i.e. ConnectionStrings, encoding, etc.).

Add Standalone ASP.Net Application Into Existing ASP.Net Website - not working

I have an asp.net '4.5' site (Orion Solarwinds) and I would like to add functionality. This can be done with a virtual directory, but adding anything to that folder will cause a recompile and interrupt service to the user.
It should be possible(and done it many times before) to 'just' add a application. So I should be able to use a separate application pool.
BUT what happens is that even with a index.html file in an empty application with a web.config in there, it still seems to inherit from the host webconfig. Thus this is not a Standalone ASP.Net Application in an existing website. I have tried to decouple this basic application - no joy. How can I fix this?
You can try using inheritInChildApplication by wrapping sections you don't want to inherit in host webconfig with this:
<location path="." inheritInChildApplications="false">
There's more details in this other thread

Nesting web applications in IIS and web.config issue

Current installation
I have two web applications app_A and app_B (same app with app_A but for test purposes) under IIS default website. A domain www.mydomain.com that points to the server needs to access app_A. That can be done by changing the physical path from \inetpub\wwwroot\ to \inetpub\wwwroot\app_A.
The second application should be access under www.mydomain.com/app_B/
Problem
When accessing www.mydomain.com/app_B/ because it's now a sub-directory of app_A it sees the web.config from app_A and I got error like "duplicate entries in web.config" when accessing the www.mydomain.com/app_B/ application. I can eliminate the errors by using the tag to remove first and declare again the entries in app_B web.config.
Questions
Is there any other way to make the installation in order app_A would be access from www.mydomain.com/ and app_B from www.mydomain.com/app_B without messing the web.config files as described above?
For the current installation, is there a way to set something on IIS in order for app_B not to see at all web.config from app_A because is a subdirectory?
For the current installation, do you see any real problems (possibly on security) by using the remove tag for the app_B application?
For the current installation I observer a strange behaviour. If I login to app_A and app_B and logout from app_A it also logout from app_B (not always). I am using Active Directory for authentication. Do I need to change something in app_B's web.config in order to say that it's totally different application?
I know this is an old question and you might have found out the solution. I am replying in case you need an answer.
There are two ways to avoid merging of parent’s config file and child’s config file. Either you can add
inheritInChildApplications="false" Tag in the parent’s config file. For example:
<location path="." inheritInChildApplications="false">
<connectionStrings>
</connectionStrings>
</location>
Or
you can add "Remove" tag or "Clear" in child’s config file to clear the parent’s settings.
Also, I don’t see any security threats by clearing parents settings.
By any chance are you using same cookie name in authentication for parent and child applications? If this is the case, once you login to child application, the cookie generated by the parent application will be overridden. Try specifying name of the cookie for at least one of the application.

Merging/inheriting web.config files but without having site to be a child site

I'd like to have the functionality of merging/inheriting the web.config of one site with that of a shared web.config, but without having the site being a child site of the site with the shared web.config.
Is there a way to implement similar functionality?
What I'm trying to do have a shared web.config in any folder (could be outside of wwwroot). Then multiple sites under IIS will have their own web.configs which merge/inherit with the shared web.config. The aim is to have the site web.configs as non-cluttered as possible, maybe just app settings for company id and a reply email address.
I would use the machine.config for the shared stuff.
Or you can reference the shared web.config like this:
<appSettings file="../Support/config/WebEnvironment.config">
</appSettings>
And here I blog about when we moved all of our settings to a database table.

What replaces .htaccess on IIS/ASP.NET sites?

On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.

Resources