Develop Reference

Anonymous authentication using generic asp.net handler (*.ashx)

I have an asp.net webforms application that has windows authentication enabled. I need to enable anonymous authentication on a folder “Test” in the website which contains images . I did that by adding
<location path="Test">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
Now any requests to images in Test folder is unauthenticated and everything works as expected until I introduced a generic handler for this folder which fetches files from the backend storage if the file is not found in the “Test” folder and boom it broke! Anonymous authentication doesn’t work anymore. Updated web.config file below -
<location path="Test">
<system.webServer>
<handlers>
<add verb="*" path="Test" requireAccess="None" name="Handler1" type="WebApplication1.Test.Handler1, Anonymous" />
</handlers>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
I inspected the request using fiddler and it returns HTTP/1.1 401 Unauthorized message if I have the handler section in config but if I remove the handler section from config everything just works fine and I can see the valid response in fiddler. Any insight into what could be wrong here?

Finally I was able to resolve it myself by modifying the location configuration as shown below by adding system.web to allow all users
<location path="Test">
<system.webServer>
<handlers>
<add verb="*" path="Test" requireAccess="None" name="Handler1" type="WebApplication1.Test.Handler1, Anonymous" />
</handlers>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>

IIS7 Authorization rules with custom role provider not working

Can someone please tell me why my IIS subdirectory authorization rules are not working?
I suspect it's something to do with using a custom membership and role provider.
All users, anonymous AND users who are logged in get a 401.2 Unauthorized error for all files in the /users subdirectory.
I'm trying to restrict access to static files and asp.net pages in a subdirectory. I used the Authorization Rules button in IIS7 manager.
In /users it has created a web.config file with this section:
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="auth_users" />
</authorization>
</security>
</system.webServer>
In the web.config of the site root are these custom role and membership settings. The membership and role providers are working fine - user are added to the role, it's just the authorization rules that aren't working.
<roleManager enabled="true" defaultProvider="MyRoleProvider">
<providers>
<remove name="AspNetSqlRoleProvider" />
<add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" applicationName="MyUsersApp" />
</providers>
</roleManager>
<membership defaultProvider="MyMembershipProvider">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="MyUsersApp" />
</providers>
</membership>

Still playing with this, it looks promising.. but I'm thinking there's probably a more elegant solution out there.
<location path="users">
<system.web>
<authorization>
<allow roles="auth_users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
<add name="JS" path="*.js" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
<!--More static file types...-->
</handlers>
</system.webServer>
</location>

Web.config Forms Auth > protect root but allow access to subdirectory

Here's my problem...
I have a website running in II7 integrated pipeline mode and I want to enable forms auth on the entire website apart from the '/secure/' directory which contains the login form.
My web config currently looks something like this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="secure/login.aspx" protection="All" path="/" timeout="999999" slidingExpiration="true" enableCrossAppRedirects="true">
<credentials passwordFormat="Clear">
<user name="user1" password="xxxxxx"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="user1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="secure">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<!--Enabling Forms Authentication for the Entire Application-->
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
When I visit the website URL I just get an endless loop of redirects. I've tried putting the location specific auth rules above the system.web section but this had no effect.
Any ideas?
Cheers,
Robin

Access permissions are hierarchical. That is if you are forbidden to access some parent, you are forbidden to access all of its children, no matter what permissions are set to children.
You can move login form to the root directory and set permissions for the form - it will work.

ASP.Net WindowsTokenRoleProvider not matching Domain Groups

I am trying to use the default ASPNetWindowsToken provider to authorize users in an application that I am using Windows impersonation to log users in. If I add a IsInRole to the code behind the page in the page load, I can see the user is in the proper roles, but when I add the authorization to the web.config, I am getting 401 unauthorized errors. Not sure if I am missing something or not, but any help you can give would be appreciated. Below is my web.config.
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite" />
<profile>
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
</profile>
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<authorization>
<deny users="?" />
<allow roles="DOMAIN\Group" />
</authorization>
</system.web>

My ASP.NET MVC2 application with Forms Authentication is blocking access even to Images, Styles and Scripts

I'm developing a MVC2 application and using Forms Authentication on it.
The scripts, images and styles are all blocked to unlogged users and, consequently, the login page looks awful.
It works well local, the problem is when I publish to the server.
Does anyone has any idea WHY????
PS: The server IIS is version 7.5
My Web.config:
<configuration>
<system.web>
<globalization culture="pt-BR" uiCulture="pt-BR" />
<httpRuntime requestValidationMode="2.0"/>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="Admin.Models" />
</namespaces>
</pages>
<authentication mode="Forms">
<forms name="AGAuth" loginUrl="~/Home/Login" timeout="120" />
</authentication>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<connectionStrings>
<add name="DBContainer" connectionString="metadata=res://*/Database.DB.csdl|res://*/Database.DB.ssdl|res://*/Database.DB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=thewebserver.com,5158;Initial Catalog=thedatabase;Persist Security Info=True;User ID=theuser;Password=thepassword;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>

Add a web.config to the scripts, images and styles folders telling asp.net to allow access to all users (make sure you you don't have anything in there that you don't want anonymous users to have access to):
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
As for the reason, the following is telling IIS to let asp.net process all the requests:
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

I had exactly the same problem.
The cause turned out to be the IIS authentication configuration. By enabling Anonymous Authentication (and enabling Forms Authentication and disabling Windows Authentication) the scripts, styles and images became accessible when logged off.

You can set permission to required folders like this:
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>

Take a look at the documentation for the location element. I think the first example will give you what you need.
For convenience, here is the example mentioned:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>

The group IIS_WPG need read access to the fold. Now it works fine... hope this helps someone else

You can set the permission to required folders like this
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>

This is a complete stab in the dark but what are the rights on the image and css folders? If they are set so that only authorised people can get to them then you have a problem. You might try setting the rights on those folders to everyone, or for the .net default user and see what you get.

Did you accidentally copy or create a Web.config file in your Content folder that has an <authorization> element that may be denying access?

I had the same problem too and I tried what Scott H suggested but it didn't work...
It turns out the user assigned to Anonymous Authentication was set to IUSR (right-click 'Anonymous Authentication' -> Edit), which didn't have access to my code. I had given access to the Application pool identity, so I selected that option, clicked 'OK', and bingo it worked.