Is there something wrong with my IIS setup? I have a 64-bit IIS 7.0 installation. My site has a web.config, with authorization rules specified.
In IIS Manager, when I open the authorization rules, I had expected the rules from the web.config to be displayed and be editable, with any changes I make synced back to the web.config. This does not seem to be the case.
From what I can tell, the site obeys whatever rules are put into the authorization settings in IIS, but completely ignores any rules that are put into the web.config.
Is this correct? How is this supposed to work? Is there some way to force a sync?
It appears that IIS puts the rules into the system.webserver section of the web.config.
Related
Current installation
I have two web applications app_A and app_B (same app with app_A but for test purposes) under IIS default website. A domain www.mydomain.com that points to the server needs to access app_A. That can be done by changing the physical path from \inetpub\wwwroot\ to \inetpub\wwwroot\app_A.
The second application should be access under www.mydomain.com/app_B/
Problem
When accessing www.mydomain.com/app_B/ because it's now a sub-directory of app_A it sees the web.config from app_A and I got error like "duplicate entries in web.config" when accessing the www.mydomain.com/app_B/ application. I can eliminate the errors by using the tag to remove first and declare again the entries in app_B web.config.
Questions
Is there any other way to make the installation in order app_A would be access from www.mydomain.com/ and app_B from www.mydomain.com/app_B without messing the web.config files as described above?
For the current installation, is there a way to set something on IIS in order for app_B not to see at all web.config from app_A because is a subdirectory?
For the current installation, do you see any real problems (possibly on security) by using the remove tag for the app_B application?
For the current installation I observer a strange behaviour. If I login to app_A and app_B and logout from app_A it also logout from app_B (not always). I am using Active Directory for authentication. Do I need to change something in app_B's web.config in order to say that it's totally different application?
I know this is an old question and you might have found out the solution. I am replying in case you need an answer.
There are two ways to avoid merging of parent’s config file and child’s config file. Either you can add
inheritInChildApplications="false" Tag in the parent’s config file. For example:
<location path="." inheritInChildApplications="false">
<connectionStrings>
</connectionStrings>
</location>
Or
you can add "Remove" tag or "Clear" in child’s config file to clear the parent’s settings.
Also, I don’t see any security threats by clearing parents settings.
By any chance are you using same cookie name in authentication for parent and child applications? If this is the case, once you login to child application, the cookie generated by the parent application will be overridden. Try specifying name of the cookie for at least one of the application.
when I debug my website locally using Visual Studio, the change to the web.config goes into the effect without any problem.
However, when I make the same change to the web.config on my server host (running IIS 7.5) it looks like the site is still running off the old version of web.config when I load it up in my browser. The new changes aren't applied.
I have tried stopping and starting my site's application pool on the server using IIS Manager, but still no change. I've also tried stopping and starting IIS, which isn't working either.
The change I am making to my web.config involves removing entries in the block to allow and deny users.
It is currently set up to prompt for credentials, and if valid, the site is accessible. If not, access is denied. The change I am trying to make is to allow access to all users and not prompt them for their credentials.
BEFORE:
<authorization>
<deny users="?" />
<allow roles="admins" />
<deny users="*" />
</authorization>
AFTER:
<authorization>
<allow users="*" />
</authorization>
What is the reason for this?
You have to reset IIS. Just open command prompt and run IISRESET and you should be good.
I have found that if I attempt to modify the Web.config directly through the file system (on an IIS server), my changes fail to be saved, and thus, are not applied. This is what I have found works for me, provided you have access to IIS on the host server:
NOTE: These instructions are based on IIS 8 on Windows Server 2012, but may still work for IIS 7.5.
Go to the IIS Manager on the host server
Drill down in the Sites until you find your application
Using the Features view, double-click the Authorization Rules
Use the Add Allow Rule... and Add Deny Rule... link in the Actions panel (on the right) to configure all your authorization rules.
This process updates the Web.config for you. If you need to edit or delete a rule, click on the applicable rule, then click the Edit... or Remove link in the Actions panel.
I hope this helps.
Are you deploying,publishing or copying? Make sure that your debug and release settings are the same. There are also instances when the virtual directory is not setup correctly and the correct webconifg is not loading.
Copy the web.config file from your server and place it in your local machine and modify according to your requirements. And then delete the web.config file in the server and copy and paste the modified web.config from local machine to server.
This work for me, but for me connectionstring was the Issue.
From MSDN - Web.Config
Any changes to the web.config file will require restarting the "Microsoft IIS Administration" service to take effect.
Maybe, maybe and maybe it help some one. I have the same problem. with IIS reset not work. with recycling AppPool not work. Maybe your drive have not free space.
This work sometimes after I delete some unwanted files. but I think important reason is Permission. we must use Editor like notepad or Run editor as administrator or web.Config need permission to change and then change Web.config. then Save.This works for me.
For me the problem was that I was building multiple solutions in the Azure DevOps pipeline and the deploy.cmd took the first web.config file as given. Therefore, I had changed the wrong web.config and the solution was to build via the csproj file and not via the solution.
Hope this helps somebody! :-)
You have to do following action
Click the BUILD menu
select the Clean Solution
after then
select the Re-build Application
Published the files (codes)
Above this action done, It is working fine without issue.
Reflecting changes in IIS services
I dont have access to IIS server, but I need to make the ASPSession cookies created by IIS HttpOnly. So my question is that how can I make the cookies HttpOnly by coding and not by any setting on IIS ? Please help its urgent and I have been looking for the solution but didn't get anything that related to my problem. I know the server version is IIS 6. On my testing server I have used ISAPI filter and it solved my problem but for that I needed to access the IIS and add ASAPI filter there which I cant do on the live server.
If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:
<httpCookies httpOnlyCookies="true"/>
You can edit this programmatically : http://www.dotnetcurry.com/ShowArticle.aspx?ID=102
I've created an httpModule to handle URL remappings, and it works great on my test system. A request for www.mydomain.com/Some_Fancy_URL gets rewritten to www.mydomain.com/some.aspx?fancy=23 and so on.
When I deploy to the actual web site, I'm getting the default IIS 404 page though.
After doing some research online, it would seem that I need to setup "Wildcard Mapping" in IIS 6 to get the request past IIS and in to my httpModule. The problem is that the site is hosted on a shared server, so it may not be possible to get the ISP to make that change.
My question is, can't I use an httpHandler to tell IIS how I want these requests handled? For example:
<httpHandlers>
<add path="*.aspx" verb="GET,POST" type="System.Web.UI.PageHandlerFactory" validate="false"/>
</httpHandlers>
It would seem like adding this to my Web.Config should tell IIS to stop validating the existence of .aspx files, and just pass the request along for me to process. It doesn't work though.
Any suggestions?
The problem with IIS 6 and ASP.NET is that they're aren't integrated. IIS needs to be told about ASP.NET via script mappings (.aspx, .asmx, wildcard and so on).
None of your web.config configuration settings will influence IIS because web.config is there to configure ASP.NET's behaviour, not IIS. IIS has no knowledge of web.config.
Unless you can hand off a request to the ASP.NET pipeline (via a script map) nothing will happen and all your web.config settings will be ignored.
With IIS 7 the story is quite different. In IIS7, ASP.NET and IIS are closely integrated and share the same pipeline thus permitting you to achieve the result you're looking for.
The alternative may be to find out if your hoster runs a URL rewriter such as ISAPI_Rewrite on their servers. That way you could rewrite urls without having to map a wildcard scriptmap to IIS6.
Through some trial and error, along with more web searches, I found a solution. It essentially parallels Kev's answer.
IIS won't treat a request as .NET unless it has a known file extension (.aspx, .ascx, etc.). When I send along something like www.mydomain.com/anything it looks for a file or folder named "anything", and when it doesn't find one, it just drops off to the default IIS 404 handler.
That's where I took over. I changed IIS 6 to forward 404 problems to /404.aspx. I then created that page with a generic "Your file wasn't found" message in the same style as my web site.
Here's the good part: Now that IIS is sending 404's to a .NET page, the custom httpModule I created is getting fired. The request is for 404.aspx, but IIS is nice enough to also append the original URL as well. You get something like:
www.mydomain.com/404.aspx?404;http://www.mydomain.com/anything
This allows me to parse the request in the httpModule, and rewrite as needed!
How can I deny access to particular directory in IIS.
In Apache I could just add .htaccess file:
Order allow,deny
Deny from all
to Logs or cache directory and nobody will allowed to see any content in that directory.
However when I add Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
it works only for files handled by asp and doesn't work for i.e. log.txt.
I don't have access to IIS server, I can only add and change files.
Thanks in advance for help.
In IIS6 when you open folder properties you will see a checkbox labeled "Read". Try unsettling it
If you don't have access to IIS, do you at least have access to the file system? As in, can you set security on folders?
If so, go to the security tab on the particular folder and remove all rights to whatever guest account the site is running under.
Seeing as the only .net file are handled by the .net process and security model under IIS 6 (which you learned), I don't see what else you can do.
One other possibility - that may not work in your application - you could move all non .net files that require permission into the /App_Data/ folder. .Net does seem to just into the pipeline and prevent these files from being loaded. You could stream them instead.
FYI - if you DID have access to IIS this is a good article on how to restrict access to non .net files:
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent
Go to the folder properties in IIS Manager -> Directory Security tab -> Authentication and access control.
Uncheck 'Anonimous access' checkbox and disable all the authentication methods below.
There is no built-in file-based access management like htaccess. This can be achieved using third-party ISAPI modules like Helicon Ape