IIS 7 how to preserve website subfolder Authentication settings - asp.net

In IIS you can set folder-level settings using the Features view (see screenshot). I want to disable Anonymous authentication for several subfolders of my website and save those settings to source control. I want to know where does IIS save these settings. They are not in the website web.config or the web.config inside subfolders. Is there anyway I can save the IIS settings with the source code or do I have to perform these tasks with each fresh deployement?

Add the following to your root web.config for each folder you want to secure:
<location path="secure_folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
The above assumes that you're using Basic Authentication.
Alternatively create a web.config in each sub folder to be secured with pretty much the same (except without the <location> tag:
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
If receive an error such as:
There was an error while performing this operation.
Details:
Filename: \?\d:\sites\play1\www\web.config
Line number: 15
Error: This configuration section cannot be used at this path. This
happens when the section is locked at a parent level. Locking is
either by default (overrideModeDefault="Deny"), or set explicitly by a
location tag with overrideMode="Deny" or the legacy
allowOverride="false".
Then it means that the configuration settings for <anonymousAuthentication> and <basicAuthentication> haven't been delegated Read/Write permissions.
You can adjust this by launching IIS Manager and opening the Feature Delegation manager:
When you do this you'll see a list of features that can be controlled and their delegation state:
Right click on Authentication - Anonymous and select Read/Write. Do the same for Authentication - Basic.
This feature delegation setting will be applied globally across all sites on the server, however it is possible to fine tune this to specific sites using Custom Site Delegation.
You can read more about IIS 7.x/8.0 Feature Delegation here:
http://www.iis.net/learn/manage/managing-your-configuration-settings/an-overview-of-feature-delegation-in-iis

Related

Disable Basic-Authentication without IIS manager

My ASP.NET MVC web application handles the authentication itself by explicitly sending the 401 status code and the www-authenticate header to make the browser display the basic authentication dialog.
My hosting provider doesn't provide access to the IIS manager and has the IIS BasicAuthenticationModule always enabled.
Unfortunately, the custom basic authentication implemented by my application is therefore now "hidden" by the IIS BasicAuthenticationModule. Any time I send a 401, the BasicAuthenticationModule seems to think it's his responsibility to handle the authentication. It also overrides the custom www-authenticate header of my application.
Is there a way to disable the IIS module for just my web application using the web.config only? I already tried adding the following settings to the web.config:
<configuration>
<system.webServer>
<modules>
<remove name="BasicAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
But that just generates a lock violation error. This setting didn't do the trick either:
<configuration>
<system.web>
<authentication mode="None" />
</system.web>
</configuration>
Any other suggestions?
If you disable any authentication on IIS manager and check web.config, you will find that there is no configuration about authentication in it. Because configurations are saving in applicationhost.config file. That is why you need to use IIS manager.(Only administrator can use IIS manager)
But according to microsoft docs, you can use appcmd to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
appcmd.exe set config "site name" -section:system.webServer/security/authentication/basicAuthentication /enabled:"False" /commit:apphost

Web.config: Allow all users on given path at machine level

I have successfully setup Elmah at machine level in order to have error logging for all web applications. Now I want to add the RSS feed of each application to Outlook. Problem is applications are secured and won't allow Outlook to access RSS feed (at my.web.application.com/elmah.axd/rss). Since I can't ask Outlook to login in the app, I figured I'd give access to anybody to the elmah path and restrict by IP address (actually restricting to our local network), with the following config:
<location path="elmah.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="10.0.0.0" allowed="true" subnetMask="255.255.255.0" />
</ipSecurity>
</security>
</system.webServer>
</location>
This actually works when put in the application's Web.config: I have access to the elmah.axd page without logging in. Perfect. Now I wanted to do this at machine level so every application behaves the same. So I put it at the same places I put the Elmah config, that is:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config (IIS config)
Although putting the config there made Elmah respond on every web application, it doesn't work with that security config: the applications still ask to login... What need I do to make it work at machine level ?
Would it be that in machine level web.config the path is not relative to the applications ? but then how can I make it work ? (I also tried ~/elmah.axd without success...)
Check for overrides in each application's configuration.
The local configuration settings override settings in parent
configuration files.
Source: https://msdn.microsoft.com/en-us/library/ms178685%28v=vs.140%29.aspx

MVC Web Api won't allow Windows Authentication

I have a simple MVC web api 2 IIS hosted application which I want to enable windows authentication (initially not using Owin). I am running this on my development machine and running as local IIS.
So, from what I could find, I need to add the following to the web.config
1: to the following section the authentication mode="Windows"
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<httpRuntime targetFramework="4.5.1"/>
<authentication mode="Windows" />
</system.web>
2: Then add the following
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
When I add the above and run the application (in debug from Dev studio), I get the following error
HTTP Error 500.19 - Internal Server Error
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
and then it specifically points to this web config entry
Config Source:
37: <authentication>
38: <windowsAuthentication enabled="true"/>
39: </authentication>
Anyone have any ideas why I would be getting this?
Also, I noticed when I switch to IIS express, that in the project properties, the Windows Authentication is set to disabled, and grayed out so I cannot set it here either.
Thanks in advance for any help!
If you read applicationHost.config, you will see that authentication related sections are locked down and cannot be overridden in web.config,
<section name="windowsAuthentication" overrideModeDefault="Deny" />
Thus, you need to specify that in applicationHost.config, instead of web.config. Both IIS and IIS Express have such restriction.

Is "management" section not allowed in web.config?

I'm trying to add users to IIS Manager via web.config, but whenever I add the following lines, the web site stops working and says web.config is not valid.
The web site works if I add those lines in administration.config, but I like to keep the scope small by sticking with web.config.
<system.webServer>
<management>
<authorization defaultProvider="ConfigurationAuthorizationProvider">
<authorizationRules>
<scope path="/MyApp">
<add name="domain\user" />
</scope>
</authorizationRules>
</authorization>
</management>
</system.webServer>
A simple Google search can answer your question.
IIS Management element
From that page:
Note: The settings in the management element can only be configured in the Administration.config file.

Authorize a directory for anonymous users IIS 7.5?

I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5
I'm currently using this web.config in the directory. This is a directory with style sheets:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Update:
I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.
I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.
Since you answered your own question, here is the explanation that might help
Authorization deals with who IIS will offer resources to. Those resources, however, have their own security as they are just files on a file system.
The Authentication element in the config assists in determining how IIS will identify a user's requests after its accepted and as it accesses resources beyond/external to IIS.
This is set at the site level, typically in the applicationHost.config file for your server. It can, if properly setup, be overridden at the site level.
IIS.net pages about this:
http://www.iis.net/ConfigReference/system.webServer/security/authorization/add
http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
The .config version of what you did in the UI is:
<location path="/yourSite">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" username="" />
</authentication>
</security>
</system.webServer>
</location>
On the anon. auth method, the username field is who IIS will impersonate when resources are accessed. When you don't specify one, it defaults to use the identity of the apppool.
Now, as to why this mattered ... check the actual file on disk (the .css). If this fixed the problem that would mean IUSR doesn't have access to read that file.
You don't have a location defined for your authorization. You also don't specify what sort of authentication you're using within the web.config (if any).
<location path="/">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Resources