Error in web.config "location" - asp.net

My site has 2 logins. 1 on the front end for regular users, and one in the admin section, for admins (I need 2 logins because each one asks for different login criteria). To authenticate the admin directory, I set up a "location" element in my main site's web.config like this:
<location path="Admin">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/Accounts/adminLogin.aspx"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
If I try to type any page from my "Admin" directory, into my browser, I get the following error:
It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This
error can be caused by a virtual directory not being configured as an
application in IIS.
How can I set up my location element to redirect properly?
Thanks

There are mainly two reasons why you would get this error message.
If you have not configured your ASP.NET application in IIS: first configure your site to run on IIS. For that, create a virtual directory from IIS and give permission to the application (read, write).
If the above is not the problem, then the problem is mainly that two or more web.config files exist on your site. When you open a site and the software creates a backup of that application, the software mainly creates a subfolder and copies all files plus web.config into the application. Just remove this web.config from the subfolder.
Check the web.config in your admin folder and main root folder for settings and configurations.

You can't change the Authentication mode within a subdirectory. Only WebApplications can define this setting which applies to the entire application. A location element is only used in subdirectories to change authorization, not authentication settings.

Related

Prevent User to see the file system asp.net

How can I prevent a User to see the file system in asp.net ? Do I need to change something in my IIS settings or on my Web.config ?
Thanks for help and fast answer
Let's start from the fact that for a remote user to be able to see a file, they must know its full path in the browser.
To prevent that, you disable directory browsing and/or you have a default.aspx page in each directory. When there is a default page, IIS shows that page.
Now the second security measure is to not let the asp.net application user that runs your site have access to any file beyond the files the site runs on.
The site runs under two accounts: one for IIS, and one for the pool. Both of these accounts must have limited access, only to your site directory and only for read, and for write only on the files/directories that your application needs.
Additionally you can use a web.config in some directories to prevent any aspx page from running, as:
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
but this does not prevent seeing files that do not pass through asp.net (like images)
Also you can read
How to find out which account my ASP.NET code is running under?

forms authentication, not able to save web.config programmatically

I'm using Visual Studio 2008. In my project I'm using forms authentication; my project structure is as follows
root
  login.aspx
  home.aspx
  web.config
  admin (folder)
    admin.aspx
    web.config
here in root web.config is as follows
<authentication mode="Forms">
<forms name="Authen" protection="All" timeout="60" loginUrl="Login.aspx" enableCrossAppRedirects="true" cookieless="AutoDetect"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
and in inner web.config
and my users are
Username Role
admin1 Admin
admin2 Admin
user1 User
user2 User
As you can see, in the second web.config I gave access to users with the "Admin" role and to the "user1" user.
For giving access to the "admin" folder, I wrote the following:
Configuration config = WebConfigurationManager.OpenWebConfiguration("~/HR");
SystemWebSectionGroup systemWeb = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
AuthorizationSection section = (AuthorizationSection)systemWeb.Sections["authorization"];
AuthorizationRule newRule = new AuthorizationRule(AuthorizationRuleAction.Allow);
newRule.Users.Add("user1");
section.Rules.Add(newRule);
and saved the web.config as
config.Save();
This is working fine when I run it from the Visual Studio development server; when I host it in IIS, I'm getting the following error
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: An error occurred loading a configuration file: Access to the path 'F:\dotnet\samples\myproj\UI\hr\f-q_g-yn.tmp' is denied.
Source Error:
[No relevant source lines]
Source File: F:\dotnet\samples\myproj\UI\hr\web.config Line: 0
Here the problem is that it is not able to save the web.config.
I got one solution, that is, I added
<identity impersonate="true" userName="myusername" password="mypassword"/>
to the root web.config and it is working fine. But my boss says that is not the correct way. What is the correct way to solve this problem?
Please help
The account your website is running under does not have permissions to write to the directory your web.config is in. There are two options how to solve that:
Run your website under another account which does have the required permissions. You set the account in the settings of the respective Application Pool in IIS Manager.
Modify the security settings (ACLs) of the directory/directories, and add write permissions for the user your application pool is running under.
You should probably combine both methods – use a separate user account and add the write permissions only to this account, not to e.g. Network Service.
(But note that I am not sure whether a website modifying its own web.config files is a good idea at all.)

ASP.NET web.config authorization settings ignored

I have an asp.net (dynamic data) website set up as an application in a subdirectory of another site. This site requires different security settings from the top level site. Something like:
<authorization>
<allow roles="ADMIN"/>
<deny users="*"/>
</authorization>
These settings are ignored in the sub site. However, they work on the top level site, but even when set on the top level site, they are not inherited by the sub-site, and it's freely accessible. What could cause these settings to be ignored? I've tried adding:
<location path="." inheritInChildApplications="false">
to the top level web.config and then setting the above authorization rule in the sub site, even tried just denying all users. When visiting the site it looks like: http://mysite/mybrokensite
I am using windows authentication.
I think the key thing is this
"website set up as an application in a subdirectory of another site"
If it's a separate application within IIS it should have its own web.config file and the security settings can be set from there. So you'll have one web.config for the main site and one for the subsite. Really they are two applications.
If it's just a subfolder under your website then this doesn't apply. It depends how you've set it up under IIS. If it's a separate app then the icon will be a world/cabbage type icon. If it's a sub-folder then the icon will be ... well a folder.
To elaborate on Tim's answer, make sure in IIS that it is set up as a virtual directory. Look at the property page for that directory in IIS Admin, Directory (or Home Directory) tab. If the Application label is greyed out, hit the Create button. Now IIS will load the web.config from that directory.
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single authentication mode for one application.
The different applications CANNOT share resources among them.
Scenario
Let's say the home page should not prompt a login dialog. It should let users pass through without any login. However, in the same application, presumably in a different folder, another page needs to check user permission against a database table using the user's network login ID. By default IE treats all web sites with only a hostname as Intranet. With its default intranet setting, it will not prompt the login dialog and will pass the user login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.
The only way to not prompt the login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in a Location element in web.config.
1. In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2. Add the following in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference

Multiple/Different authentication settings in web.config

How would I go about setting different authentication tags for different parts of my web app? Say I have:
/
/folder1/
/folder2/
Would it be possible to specify different <authentication/> tags for each folder?
I want folder1 to use Windows authentication but folder2 use Forms authentication.
I tried doing it in a <location/> tag but it doesn't look like you can have <authentication/> tags in <location/> tags, at least not via VS 2008 with its built-in web server.
This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
<location path="/folder1">
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can only have <authentication /> on the top level web.config. You may have to create multiple applications. ie you can create an application within an application and use different authentication modes in each one.
I think you can set the forms authentication authorization on folder1 to
<allow users="*" />
then control the windows access via setting windows permissions on the folder.
I haven't tried it, but I can't think of why that wouldn't work.
These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.
Once you have done this, the folder will have a different icon in the IIS manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.
More information available at Creating Applications.
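
The rule these answers keep coming back to (authentication belongs to the application root, a location element may only adjust authorization) can be checked mechanically before deploying. The following is an added example, not code from any of the posts: the names audit, anon_decision and APP_LEVEL_ONLY and both sample configs are constructed for illustration. It models only the anonymous user, ignores the verbs attribute, and reads application-wide rules from the top-level system.web element only.

```python
import xml.etree.ElementTree as ET

# Sections registered allowDefinition="MachineToApplication" (application root only).
# The page's case is <authentication>; the other two are added here, set not exhaustive.
APP_LEVEL_ONLY = {"authentication", "sessionState", "machineKey"}

def anon_decision(authz):
    """Tag of the first allow/deny rule matching the anonymous user, else None."""
    for rule in (authz if authz is not None else []):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag in ("allow", "deny") and users & {"?", "*"}:
            return rule.tag

def audit(xml_text):
    """Return (misplaced_sections, anonymous_allowed_by_path) for a root web.config."""
    root = ET.fromstring(xml_text)
    base = root.find("system.web")
    base_authz = base.find("authorization") if base is not None else None
    # No matching root rule falls through to the machine-level <allow users="*"/>.
    root_decision = anon_decision(base_authz) or "allow"
    misplaced, anonymous = [], {"": root_decision == "allow"}
    for loc in root.findall("location"):
        path, sysweb = loc.get("path", "").strip("/"), loc.find("system.web")
        if sysweb is None or path in ("", "."):  # "." still targets the app root
            continue
        misplaced += [(path, s.tag) for s in sysweb if s.tag in APP_LEVEL_ONLY]
        # Rules inside <location> are evaluated before the inherited root rules.
        decision = anon_decision(sysweb.find("authorization")) or root_decision
        anonymous[path] = decision == "allow"
    return misplaced, anonymous

# Constructed samples: the question's config, and the layout the answers describe.
BROKEN = """<configuration>
  <system.web><authentication mode="Forms"/></system.web>
  <location path="Admin"><system.web>
    <authentication mode="Forms"><forms loginUrl="/Accounts/adminLogin.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web></location>
</configuration>"""
FIXED = """<configuration>
  <system.web><authentication mode="Forms">
    <forms loginUrl="/Accounts/adminLogin.aspx"/></authentication></system.web>
  <location path="Admin"><system.web>
    <authorization><deny users="?"/></authorization>
  </system.web></location>
</configuration>"""

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED), sep="\n")
```

The first list names every location that would raise the MachineToApplication error; the dictionary shows, per path, whether an unauthenticated request gets through, which is the thing to review after moving authentication back to the root.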
