IIS web.config in classic asp - asp-classic

I have a classic asp site hosted in IIS 7.5. Currently it allows me to upload only <200KB files. The hosting provider said that I should put that limit in web.config. I do not know how to increase the limit using web.config.

ASP Limits properties are by default located in the server applicationHost.config, if you don't have access to it, your hosting provider must delegate ASP feature to lower levels.
Once it is done, put this in your web.config:
<system.webServer>
<asp>
<limits maxRequestEntityAllowed="200000000" />
</asp>
</system.webServer>
Note that if the server is not delegating this feature properly, you will get an error when trying to do a request to your app.

Related

Disable Basic-Authentication without IIS manager

My ASP.NET MVC web application handles the authentication itself by explicitly sending the 401 status code and the www-authenticate header to make the browser display the basic authentication dialog.
My hosting provider doesn't provide access to the IIS manager and has the IIS BasicAuthenticationModule always enabled.
Unfortunately, the custom basic authentication implemented by my application is therefore now "hidden" by the IIS BasicAuthenticationModule. Any time I send a 401, the BasicAuthenticationModule seems to think it's his responsibility to handle the authentication. It also overrides the custom www-authenticate header of my application.
Is there a way to disable the IIS module for just my web application using the web.config only? I already tried adding the following settings to the web.config:
<configuration>
<system.webServer>
<modules>
<remove name="BasicAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
But that just generates a lock violation error. This setting didn't do the trick either:
<configuration>
<system.web>
<authentication mode="None" />
</system.web>
</configuration>
Any other suggestions?
If you disable any authentication on IIS manager and check web.config, you will find that there is no configuration about authentication in it. Because configurations are saving in applicationhost.config file. That is why you need to use IIS manager.(Only administrator can use IIS manager)
But according to microsoft docs, you can use appcmd to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
appcmd.exe set config "site name" -section:system.webServer/security/authentication/basicAuthentication /enabled:"False" /commit:apphost

Session Resets when uploading a file using a flash plugin

My session is getting reset after I upload file using a flash plugin. I put some logging into the Session_Start function and I see its called every time I upload a file using the flash plugin. I'm not sure what would be causing this. This is working locally for me in dev environment with the same server and settings.
I'm using
IIS 7 with Windows Server 2008 R2.
My app:
ASP.NET MVC .NET 4.0 (legacy app)
I upload other files on the site without the flash plugin and those work. This functionality worked before. But for some reason now it stopped working.
Any ideas on what could be causing this to occur?
First Microsoft End of support for Windows Server 2008 and Windows Server 2008 R2.
The default server configuration does not allow you to upload files with Flash Uploader.
You could try below settings:
1)Disabling Request Validation:
ASP.NET automatically validates a request or rejects it if there are dangerous fields. However, HTML5/Flash Uploader sends files data in text fields (instead of binary ones) due to Adobe Flash Player limitations. IIS may treat this behavior as potentially dangerous and, thus, you can get the following error during uploading:
A potentially dangerous Request. Form value was detected from the client
use below code to disable the request validation on the page which processes the upload request:
<%# Page Language="C#" ValidateRequest="false" %>
2)Assign permission:
The folder where you are going to save files should have modified permissions.
Assign the iis_iusrs and iusr or application pool identity full permission to the upload folder.
3)Configuring Maximum POST Request Length:
Usually, the limitation for maximum POST request length is specified to reduce the risk of DoS attacks. If the request size exceeds a specific value, it is considered malicious and the upload would be broken.
If you are going to upload files larger than the default limitation, increase the latter.
Go to C:\Windows\System32\inetsrv\config\applicationHost.config and change
<section name="requestFiltering" overrideModeDefault="Deny" />
To
<section name="requestFiltering" overrideModeDefault="Allow" />
add below code in your application web.config file:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength ="2147482624" /> <!-- in bytes -->
</requestFiltering>
</security>
</system.webServer>
<system.web>
<httpRuntime maxRequestLength="2097151"/> <!-- in kilobytes -->
</system.web>
4)Configuring Control to Support Medium Trust Level:
.NET Trust Level in IIS specifies the level of code access security for ASP.NET applications. By default, HTML5/Flash Uploader works under the full trust level. However, if you create a website with the medium trust level on your server, you should configure HTML5/Flash Uploader to support this level as well. To perform this, just set the MediumTrustCompatibility property to true as the snippet below shows:
<aur:ImageUploaderFlash ID="ImageUploaderFlash1" runat="server"
MediumTrustCompatibility="true">
</aur:ImageUploaderFlash>
Setting the MediumTrustCompatibility property to true requires an application's pool to be routed to a single worker process. To perform this run IIS Manager, choose the application pool under which your website works, click Advanced Settings in the Actions panel, and set Maximum Worker Processes to 1:

Servicing HTTP PUT from .ashx handler in ASP.NET without tweaking file permissions

I've got an .ASHX handler I want to use to process an HTTP PUT to allow me to upload files to the web server--the .ASHX file actually uploaded data and sticks the file elsewhere, so it never actually touches the disk here.
I've set the web.config to allow it to handle HTTP PUT, but IIS won't pass the request to my code unless I set the ACLs on the .ASHX files themselves to be writable--Which is kinda silly, since we're not actually going to write to those files.
If I set the ACLs, it works fine, but I'd like to be able to process the file without having to set the ACLs at all (I'm sure there's an appropriate way to make IIS just pass the HTTP PUT to the .ASHX file without checking the permissions on the file itself.
This is on Win2008 R2 (actually, it's on Azure's 2008 R2, but should be the same), using .NET 4.0
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
There are several roadblocks to getting PUT (and DELETE) working with ASP.NET. Since you mention Win2008 R2 (IIS 7.5) I would check to see if the errors you are seeing mention the WebDAV module or handler.
WebDAV is enabled by default as of IIS 7.5. It will interfere with HTTP PUT and DELETE verbs on ASP.NET handlers and modules. If you're implementing a RESTful service you likely don't even utilize this functionality. Disable it via your web.config.
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
Some other solutions are mentioned in this forum post entitled HTTP Error 405 With ASP.Net MVC and HTTP PUT on IIS 7.5.

httpModules URL rewriter works on Visual Studios Dev Server, but not on IIS 7.5

In my web.config, I have a custom Url rewriter class that takes query strings such as /movies/godzilla.aspx and turns it into /template.aspx?id=1234
The rewriter works fine when I run it locally on the built in web server in Visual Studios, but when I put it on IIS 7.5 and try to access the page using the friendly name, I get a message saying the connection was reset and have to do an iisreset to get the site back online. The page is perfectly accessible from the server using the query string URL.
Here is a snippet of my web.config:
<system.web>
<httpModules>
<add name="ApFriendlyURL" type="FriendlyURL" />
</httpModules>
....
</system.web>
I'm confused as to why this works when running on the Dev Server in Visual Studios but not on IIS. I've played around with the settings in IIS, but I can't seem to find anything that would let me use the FriendlyURL class as the rewriter
HTTP modules in IIS 7.5 have to be configured in the system.webServer/modules section. Just copy your module definition there.
http://msdn.microsoft.com/en-us/library/aa347531(VS.90).aspx
Please be aware of the possible problem with the duplicate module configuration. If this is so, you turn off the integrated mode configuration:
http://www.iis.net/ConfigReference/system.webServer/validation
If you are working on .NET 2.0 application you should enable "Integrated mode" in your AppPool setings.

Windows Authentication not working for classic ASP pages (but does work for ASP.Net pages w/in same site)

We have an IIS7 intranet site running under integrated pipeline that is mostly ASP.Net with a few legacy classic ASP pages. The site allows anonymous access to most areas, but uses Windows Authentication to protect certain folders. Requests to ASP.Net pages in the protected folders behave as expected (authorized users can see them, others are denied), but any user can see any classic ASP page in the protected folders, regardless of permissions.
I suspect the windows authentication module is not being invoked for requests to classic ASP pages. We're running in integrated pipeline mode, and I found this article (http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/) which indicates that you need to explicitly remove and re-add modules if you want to take advantage of the integrated pipeline for non-ASP.Net requests. I tried to copy the article's example only replacing FormsAuthenticationModule with WindowsAuthenticationModule by adding the following to the web.config at the application root:
<system.webServer>
<modules>
<remove name="WindowsAuthentication" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
However, classic ASP pages are still being served regardless of permission.
Classic ASP pages totally ignore web.config or any .config actually.
The only way to handle this for classic ASP is through IIS, you will have to move the classic ASP pages to be under separate virtual website then for that virtual website set Windows Authentication and disable Anonymous Access.
This might help you as well:
IIS7: Setup Integrated Windows Authentication like in IIS6

Resources