MVC Web Api won't allow Windows Authentication - asp.net

I have a simple MVC web api 2 IIS hosted application which I want to enable windows authentication (initially not using Owin). I am running this on my development machine and running as local IIS.
So, from what I could find, I need to add the following to the web.config
1: to the following section the authentication mode="Windows"
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<httpRuntime targetFramework="4.5.1"/>
<authentication mode="Windows" />
</system.web>
2: Then add the following
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
When I add the above and run the application (in debug from Dev studio), I get the following error
HTTP Error 500.19 - Internal Server Error
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
and then it specifically points to this web config entry
Config Source:
37: <authentication>
38: <windowsAuthentication enabled="true"/>
39: </authentication>
Anyone have any ideas why I would be getting this?
Also, I noticed when I switch to IIS express, that in the project properties, the Windows Authentication is set to disabled, and grayed out so I cannot set it here either.
Thanks in advance for any help!

If you read applicationHost.config, you will see that authentication related sections are locked down and cannot be overridden in web.config,
<section name="windowsAuthentication" overrideModeDefault="Deny" />
Thus, you need to specify that in applicationHost.config, instead of web.config. Both IIS and IIS Express have such restriction.

Related

Web.config: Allow all users on given path at machine level

I have successfully setup Elmah at machine level in order to have error logging for all web applications. Now I want to add the RSS feed of each application to Outlook. Problem is applications are secured and won't allow Outlook to access RSS feed (at my.web.application.com/elmah.axd/rss). Since I can't ask Outlook to login in the app, I figured I'd give access to anybody to the elmah path and restrict by IP address (actually restricting to our local network), with the following config:
<location path="elmah.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="10.0.0.0" allowed="true" subnetMask="255.255.255.0" />
</ipSecurity>
</security>
</system.webServer>
</location>
This actually works when put in the application's Web.config: I have access to the elmah.axd page without logging in. Perfect. Now I wanted to do this at machine level so every application behaves the same. So I put it at the same places I put the Elmah config, that is:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config (IIS config)
Although putting the config there made Elmah respond on every web application, it doesn't work with that security config: the applications still ask to login... What need I do to make it work at machine level ?
Would it be that in machine level web.config the path is not relative to the applications ? but then how can I make it work ? (I also tried ~/elmah.axd without success...)
Check for overrides in each application's configuration.
The local configuration settings override settings in parent
configuration files.
Source: https://msdn.microsoft.com/en-us/library/ms178685%28v=vs.140%29.aspx

IIS 7 how to preserve website subfolder Authentication settings

In IIS you can set folder-level settings using the Features view (see screenshot). I want to disable Anonymous authentication for several subfolders of my website and save those settings to source control. I want to know where does IIS save these settings. They are not in the website web.config or the web.config inside subfolders. Is there anyway I can save the IIS settings with the source code or do I have to perform these tasks with each fresh deployement?
Add the following to your root web.config for each folder you want to secure:
<location path="secure_folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
The above assumes that you're using Basic Authentication.
Alternatively create a web.config in each sub folder to be secured with pretty much the same (except without the <location> tag:
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
If receive an error such as:
There was an error while performing this operation.
Details:
Filename: \?\d:\sites\play1\www\web.config
Line number: 15
Error: This configuration section cannot be used at this path. This
happens when the section is locked at a parent level. Locking is
either by default (overrideModeDefault="Deny"), or set explicitly by a
location tag with overrideMode="Deny" or the legacy
allowOverride="false".
Then it means that the configuration settings for <anonymousAuthentication> and <basicAuthentication> haven't been delegated Read/Write permissions.
You can adjust this by launching IIS Manager and opening the Feature Delegation manager:
When you do this you'll see a list of features that can be controlled and their delegation state:
Right click on Authentication - Anonymous and select Read/Write. Do the same for Authentication - Basic.
This feature delegation setting will be applied globally across all sites on the server, however it is possible to fine tune this to specific sites using Custom Site Delegation.
You can read more about IIS 7.x/8.0 Feature Delegation here:
http://www.iis.net/learn/manage/managing-your-configuration-settings/an-overview-of-feature-delegation-in-iis

ASP.Net 4 Forms Authentication in IIS 7.5 - Default Document No Longer Working

I've recently migrated a web app from .Net 3.5 to .Net 4 and changed the app pool to Integrated mode in IIS 7.5. This app has 2 parts: the first is open to the public and the second is by login only. I use forms authentication for login which is configued thusly in the root web.config:
<authentication mode="Forms">
<forms loginUrl="~/private/login.aspx" protection="All" timeout="20" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/private/default.aspx" cookieless="UseCookies" enableCrossAppRedirects="true" />
</authentication>
In the root web.config I have the default authorization to to deny unauthenticated users, thusly:
<authorization>
<deny users="?" />
</authorization>
BUT I have the setting below configured in the root web.config to allow everyone to see the welcome page:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?,*" />
</authorization>
</system.web>
This has been working great for years but now, if I don't explicily put Default.aspx in the URL, the forms redirect module causes the login page to be served. I've verified that I have my default pages configured correctly and they are enabled in IIS7. I have also tried specifying them in web.config. I have verified that the DefaultDocumentModule is sequenced before the DirectoryListing module.
If I remove the element the problems "goes away" but the effect would be to default to allow all users and this is completely undesireable.
I'm out of ideas. Suggestions?
Thanks
I
Seems like some kind of default doc issue. If you look in IIS Manager at the site, what is in the "Default Document" list. Is it possible that something other than Default.aspx is higher in the list? If something matching this is found in your root web, it will attempt to go there first and thus be redirected to login.
Are you explicitly setting the default document in your web.config? as in:
<defaultDocument enabled="true">
<files>
<clear />
<add value="Default.aspx" />
<add value="Default.htm" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
</files>
</defaultDocument>
OK, I had a Microsoft Premier Support Engineer dig into this for me. We sat down together at my workstation and went through (a) the environment and app configuration and (b) possible solutions.
He referenced this MS "Fast Publish" article which suggests that I remove the ExtensionLessURL handlers from IIS via MMC. Well, we're a huge organization with servers out the wazoo and I could not guarantee that this change would always be honored so I didn't want to do that. We tried using web.config to remove them but that did not work.
So, I showed him this solution from another StackOverflow thread (posted by Dmitry.Alk) and he said it was a good work-around for now. It works great for this particular situation.
The Fast Publish article references this hotfix A update is available that enables certain IIS 7.0 or IIS 7.5 handlers to handle requests whose URLs do not end with a period which I've got to sell to our IT "department".
I don't call what I've written here an "answer" but I wanted to share what I've come to learn in case others happen upon this thread.

Production issues - disable ASP.NET debugging, restrict access to directory

I deployed my latest web site to production environment, now client found that the following issues on my deployment. and that are to be fixed.
I just need some clarification from you all on the following
disable ASP.NET debugging
I already set compilation debug="false" in the web.config, is there anything that to be done apart from this?
restrict access to directory
any idea on defining access rights for users?
Have you tried this:
<compilation
debug="false"
/>
on your web.config
HOW TO: Disable Debugging for ASP.NET Applications
ScottGu's Blog
this will display the exact error that user gets.
And if your application has an download.upload file into a folder you need to
Share Folder name “YourFileFolder” and add ‘Network Service’ account having read/write permission
Regards
There is a configuration setting in machine.config(only) called:
<configuration>
<system.web>
<deployment retail="true"/>
</system.web>
</configuration>
This parameter will automatically turn off debugging features(tracing,compilation,...).
For your security rights, give only access on your directory to the iis pool user.
To disable Browsing in IIS7 add this to your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="false" />
</system.webServer>
In my case (error:
debugging should be disabled in the web.config file
) i basically turned web.config to :
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
note:I use Visual Studio 2010

Cassini ignoring Win NT role authorization, IIS 7.5 all ok

I have an ASP.NET MVC 3 application running on both my local dev box (Win7) and staging server (W2k8r2). The application operates fine in both environments until ASP.NET Windows authorization security is enabled.
After securing the web-app, it continues operates correctly on the staging server but generates 401.2 access denied's on my local dev box. The only significant difference I can see is on local dev box, I'm using Cassini via Visual Studio whereas the server is IIS7.5.
Windows authorization + impersonation is being used. What could cause Cassini to generate these 401.2 access denied?
Web.config is:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<!-- replication of system.webServer security settings for cassini which doesn't process them... -->
<authorization>
<allow roles=".\Test Application - Users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="Test Application - Users" />
</authorization>
</security>
FYI Relevant users are in the 'Test Application - Users' Windows security group on each system.
Solution
The underlying issue on the dev box turned out to be that:
Cassini doesn't support identity impersonation and
Whilst the user had been added to relevant NT groups, they had not logged off/on and thus the group SID's associated with their Windows token had not been refreshed
If impersonation had been supported by Cassini I doubt this would have been an issue because a new token would have been established within the impersonation context. Thanks to #x0n for pointing in the right direction.
i'm not entirely sure, but I don't think cassini can impersonate (iis express can, however.)
In solution explorer pane select the Web Project and hit F4. (not right click+properties, thats different) - this will show property pane
In properties Pane then set:
Windows Authentication: Enable
Anonymous Authentication: Disabled
Run your project, Happy Days!

Resources