I've a website running under IIS7. Everything works fine with this website. I've copied the directory and created a clone website on a different port. When I browse to the new website on the different port, I do not get any of the style settings until I log in -- then all appears normally.
The problem appears to do with the ASP.NET Membership/Authorization. I have a web.config in the subdirectories to allow all users (web.config) but the clone website is not using them even though all the config, directories, etc are the same. Only the port is different or non .config settings that IIS 7 uses.
I've discovered the problem but not the whole answer. The directories needed the IUSR permission to work but the original website doesn't have those permissions. It only had IIS_IUSRS. IF anyone can fully explain this behavior and how to fix the problem without granting IUSR then I will award the bounty for that answer.
The answer should be fully explanatory.
One potential issue would be with authorization settings in your config.
Look for something like this:
<location path="MyResourcesFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
The above example would produce the effect that you've described assuming that your resources (css, jscript, etc) were located in a folder named MyResourcesFolder. Check the web.config that's in the actual website and not necessarily the project. This is because your website config may not be the same as your project config if you are using config transformations.
Related
I have a website that runs on IIS on an internal server.
It display fine when running from my local host. however, whenever I try to publish to my dev server, the images don't work.
And It looks like this
My first thought was that the images were not being transferred to the server. However I discovered this wasnt true, as I remotely connected to the server and found the images.
When I inspect the page, I get 404 errors for all the images. But the path for them seems correct. Goes to the properly named 'img' folder
I thought maybe it was a permissions issue with the images folder as indicated by this post
Images not showing on published ASP.NET MVC Website
So I added
<location path="img">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
And this did not change anything.
I checked to make sure none of the images in question were Encrypted through windows with the 'Encrypt contents to secure data' option under advanced image options.
After some more searching I came across this post,
http://blogs.msdn.com/b/ajay_pathak/archive/2011/08/06/website-deployed-on-iis-7-5-not-showing-images-and-css-files.aspx?CommentPosted=true#commentmessage
But i already have StaticFile enabled.
Finally I found this thread
CSS, Images, JS not loading in IIS
That suggested making sure anonymous authentication was set to 'application pool identity' instead of 'specific user'. I changed this and once again nothing has happened. I'm banging my head against a wall with this one. Please help.
So as it turns out there was a folder structure issue.
Was deploying from an svn where the folder structure was placed in another project incorrectly. As a result the 'img' folder was actually in a different location then specified. Once I cleared this up and properly nested the project, my issues vanished.
Thanks for the help everyone.
when I debug my website locally using Visual Studio, the change to the web.config goes into the effect without any problem.
However, when I make the same change to the web.config on my server host (running IIS 7.5) it looks like the site is still running off the old version of web.config when I load it up in my browser. The new changes aren't applied.
I have tried stopping and starting my site's application pool on the server using IIS Manager, but still no change. I've also tried stopping and starting IIS, which isn't working either.
The change I am making to my web.config involves removing entries in the block to allow and deny users.
It is currently set up to prompt for credentials, and if valid, the site is accessible. If not, access is denied. The change I am trying to make is to allow access to all users and not prompt them for their credentials.
BEFORE:
<authorization>
<deny users="?" />
<allow roles="admins" />
<deny users="*" />
</authorization>
AFTER:
<authorization>
<allow users="*" />
</authorization>
What is the reason for this?
You have to reset IIS. Just open command prompt and run IISRESET and you should be good.
I have found that if I attempt to modify the Web.config directly through the file system (on an IIS server), my changes fail to be saved, and thus, are not applied. This is what I have found works for me, provided you have access to IIS on the host server:
NOTE: These instructions are based on IIS 8 on Windows Server 2012, but may still work for IIS 7.5.
Go to the IIS Manager on the host server
Drill down in the Sites until you find your application
Using the Features view, double-click the Authorization Rules
Use the Add Allow Rule... and Add Deny Rule... link in the Actions panel (on the right) to configure all your authorization rules.
This process updates the Web.config for you. If you need to edit or delete a rule, click on the applicable rule, then click the Edit... or Remove link in the Actions panel.
I hope this helps.
Are you deploying,publishing or copying? Make sure that your debug and release settings are the same. There are also instances when the virtual directory is not setup correctly and the correct webconifg is not loading.
Copy the web.config file from your server and place it in your local machine and modify according to your requirements. And then delete the web.config file in the server and copy and paste the modified web.config from local machine to server.
This work for me, but for me connectionstring was the Issue.
From MSDN - Web.Config
Any changes to the web.config file will require restarting the "Microsoft IIS Administration" service to take effect.
Maybe, maybe and maybe it help some one. I have the same problem. with IIS reset not work. with recycling AppPool not work. Maybe your drive have not free space.
This work sometimes after I delete some unwanted files. but I think important reason is Permission. we must use Editor like notepad or Run editor as administrator or web.Config need permission to change and then change Web.config. then Save.This works for me.
For me the problem was that I was building multiple solutions in the Azure DevOps pipeline and the deploy.cmd took the first web.config file as given. Therefore, I had changed the wrong web.config and the solution was to build via the csproj file and not via the solution.
Hope this helps somebody! :-)
You have to do following action
Click the BUILD menu
select the Clean Solution
after then
select the Re-build Application
Published the files (codes)
Above this action done, It is working fine without issue.
Reflecting changes in IIS services
How can I prevent a User to see the file system in asp.net ? Do I need to change something in my IIS settings or on my Web.config ?
Thanks for help and fast answer
Lets starts from the fact that a remote user to been able to see a file is must know the full path of it on the browser.
To prevent that you disable the directory browsing and/or you have a default.aspx page on each directory. When there is a default page, then the IIS show that page.
Now the second security measure is not let the asp.net application user that runs yous site to have accesss to any file beyond the site running files.
The site is run under two accounts. One for the IIS, and one for the Pool. both this accounts must have limited access only to your site directory and only for read, and for write only on the files/directories that needed to your application.
Additional you can use a web.config on some directories to prevent the run of any aspx page as:
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
but this is not prevend to see files that are not pass from asp.net (like images)
Also you can read
How to find out which account my ASP.NET code is running under?
When I run my website through debug mode in visual studio everything looks great and all the images on the page show up fine. But once I deploy my website to an IIS7 web server (doubt that other versions would make any difference, but you never know) then users can't see the images on the site until they log in.
The website is an asp.net MVC site and I'm new to MVC, though I do have lots of experience with asp.net forms. It seems that only authenticated users are allowed to access the images folder, and there is an authorization section in my web.config saying that only admins can access the site, so how do I make it so that all users, authenticated or otherwise can view the images?
-- Update --
I tried putting in the configuration block suggested, which from everything I can tell makes perfect sense, but it didn't seem to make a difference. The sample below has Content/Images for the path but before that I tried just Content, since it's OK for everything in there to be accessible. I also tried setting the allowOverride setting to false, which also didn't seem to make a difference.
<location path="Content/Images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
--Update 2--
Funny thing is that I don't even see any explicit deny entries in my web.config, just an allow for admin's, and when I went into IIS 7 and used the UI to allow all users access to the Content directory it didn't show any deny's on the list either. But then again, this project works fine when I just debug it from my personal computer, it's only after I deploy it that I have problems...
<authorization>
<allow roles="admin" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
In your web.config file, after the </system.web> tag, add the following
<location path="images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
where path="images" is the name of the folder with your images/css.
Update:
If you're using ASP.NET MVC, I would remove the authorization declaration in the web.config file and use the [Authorize] attribute on the controllers that need to be locked down.
You can also specify the roles you want to grant access to using [Authorize("admin")].
By default, the configuration you define in a Web.config file, applies to every subdirectory of its containing folder. If you have a Web.config in the application root, that configuration will propagate to every subdirectory, including those where you have images and Css style sheets. So, if you have in your root Web.config a rule like this one:
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
anonymous users will not be able to access the resources needed to display the page like you would expect it.
To fix it, you need to include another Web.config in every subdirectory that has presentation resources, and apply the rules you want to override. In your case, this should do the work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are using Themes, place a single Web.config file in the theme folder.
Just ran into the same problem. We noticed it on our Login page. The CSS and images weren't loading (they were under the content directory). Adding IUSR to the folder with Read privileges fixed it for us.
Old question but I came across the same problem and found the answer.
I had created a new folder for the Membership pages that I wanted logged-in users to have access to, but the images wouldn't show up in them!
It turns out that no matter what I tried I couldn't set a relative path to the images from within the Members folder.
The problem was the html image (as far as I could tell anyway, correct me if I'm wrong).
I swapped it out for an asp:image with a relative path and now it works great.
My new code: asp:image runat="server" id="Logo" ImageUrl="~/Images/logo.jpg"
Notice the ' ~/ ', that wouldn't work for me with
I tried: img src="../Images/logo.jpg", img src="~/Images/logo.jpg", img src="/Images/logo.jpg", etc. to no avail.
Hope this answer helps someone solve this problem more quickly in the future.
Try browsing the image file directly and see if that comes up for an anonymous user. In IIS 7, there is a way in which you can authorize anonymous users directly from your UI [which in turn would create the web.config if it doesn't exist].
Folder -> .NET Authorization Rules -> Add Allow Rule
Are you using membership framework. I suspect that you have misconfigured your permission settings in web.config and your images folder is only allowing authorised requests. This can be easily change via web.config. Just remove the folder name from your authorised section and this should solve the problem.
For your reference this should be the section in web.config if you are using membership framework :
<authorization>
<deny roles="xyz" />
</authorization>
We came across the same problem in our project and found a solution, although we are not sure about the reasons of this behaviours.
We had a similar scenario, with a folder containing all our png images. Our marketing colleague wanted to rename some of them, so to make it easier for her, we shared (this might be the key) that folder, granting read/writer rights to her.
From this point, the images started behaving as you describe, requiring authorization for being accessed. No unauthorized user could see them any more.
We realized that the problem was related to sharing the folder because it started happening at that point of time. Otherwise we still don't see any relationship among ASP.NET MVP user authorization/login and hard disk user rights. We could have expected an IO Exception or something similar, but not this behaviour.
After checking the folder, and comparing with other folders, we realized that after sharing, the permissions on the folder had slightly changed. Mainly they did not inherit from its parent folder anymore and some permissions such as CREATOR OWNER and MACHINE_NAME\Users had dissapeared (although IUSR and the app pool user were still there).
So, we renamed that folder, created a new one with the same name, and copied the content from the old folder to the new one. The new folder had the permissions inherited from its parent and everything started to work perfectly again.
It solved our problem, but we are still not sure why this all happened this way.
Regards
On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.