In IIS 7 Web site I have web.config authorization configuration to allow only definite roles. But one page must be available for all users. The problem is that if user is not in allowed group DOMAIN\group1 then he gets authentication prompt (User name and password) when opening page public_page.aspx that is allowed for all. Despite of that he is in domain. User presses Cancel on the prompt and then this public page is opened successfully and he is even authenticated in it (<%=User.Identity.Name%> in it shows his Windows identity). Browser is IE8. In IIS6 there was no such issue. Why does browser show this username/password prompt if the user is authenticated successfully? And how can I disable it? Maybe I should somehow reconfigure a web.config? Thank you all for help!
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\group1" />
<deny users="*" />
</authorization>
</system.web>
<location path="public_page.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I resolved the issue by creating web.config by placing public_page.aspx to subfolder /public and created web.config file there with contents:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Related
I am currently preventing anonymous users access to my root application.
/web.config
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
But am allowing anonymous access to public resources (Images, CSS, etc.):
<location path="Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now, I would like to add a virtual directory which should be accessible to anonymous users. I added a configuration based on the Images path, but whenever I try to access that location, I get redirected to the login page with the ReturnURL set to the virtual directory.
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition, I tried to specify the global authorization within my virtual directory's web.config but get an error saying I can only have that once
/virtualDirectory/web.config:
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
How can I allow anonymous access to a virtual directory when my root application is preventing anonymous access?
In your global web.config encapsulate the
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
with
<location path="." inheritInChildApplications="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
It means - authorization is enforced only in root app, not for the child apps.
Some notes.
The asterisk mark (*) represents all identity.
The question mark (?) represents the anonymous identity.
So ideally, you don't need to set to allow authentication for the anonymous user for your virtualDirectory in the global web.config.
Go to IIS, under your Virtual Directory > select Authentication > Enable Anonymous Authentication.
Refer
ASP.NET Authorization
How to: Create and Configure Virtual Directories in IIS
In your global web.config remove
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Then go to IIS manager and
In the Virtual directory Home area, double-click Authentication
Right-click Anonymous Authentication, and then click Enable
Your authorization rules looks good. The last error you are getting is because you can have authorization section (in fact any section) only once per folder/file/path. So either have it globally i.e. under <location path="virtualDirectory"> or only in web.config of Virtual Directory. Having it in both places will give you an error. What is authentication set at Virtual Directory.
Make sure anonymous is enabled along with the allow authorization rule.
(IIS Manager ->Sites -> your specific site->virtual directory-> in the central pane Authentication )
Also in IIS GUI there are ASP.NET Authorization rules (the one you are using currently) and IIS Authorization rules. Make sure there aren't any deny IIS Authorization rules.
I am using Forms Authentication with ASP.NET Web Forms and it successfully authenticates the user.
With these authorization settings in the web.config an anonymous user can only access the Login page.
<authorization>
<deny users="?" />
</authorization>
or
<location path="SubFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
I am trying to use location tags to further allow anonymous access to additional pages, but they are ignored:
<location path="SubFolder/LoggedOut.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Following ASP.NET settings inheritance the authorization tag in the location tag should overwrite the global authorization tag.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list. (link)
How can I deny anonymous access to all pages but those that I specify?
The answers to this question state that what I am doing is correct. But it doesn't seem to work for me. So why does this happen? Is there a way to find out what setting blocks the acccess when I try to access a page? Is there anything I am missing?
Apparently a less-restricted file can not be in a restricted directory.
However, doing the same with a less-restricted directory is ok.
I ended up placing the public files in the root and all secured files in a subfolder using following web.config:
...
<authorization>
<allow users="*" />
</authorization>
...
<location path="SubFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
...
Tested in .NET-Framework 4.5, Visual Studio Enterprise 2015.
I have an ASP.NET 2.0 web application developed on my Win8/VS2012 machine (but using .NET2.0 and not 4.0). I want to protect direct acccess to a number of folders, e.g. the PDF files that are stored in the Content/Documents folder for particular roles, using forms authentication. It works with the below web.config file on my dev machine, and if I type in an URL of a PDF directly, I get redirected to the login page.
However, when copying the whole solution to the production server (windows server 2003R2 sp1, having .NET 2 and 4 installed) the files are directly accessible and it seems as if the forms authentication does not work.
How can I investigate this on the server?
What is wrong in my config?
Note: the roles are assigned at login time, without a roles provider (as demonstrated by many articles on the internet and on stackoverflow) and I guess I did that correct since it works on my dev machine.
Note 2: One strange thing I noticed is that in the IIS administration tool on the win2003R2 server, the configuration windows do not correspond with what I have in the web.config file. When I right click web app properties in IIS manager, go to ASP.NET tab, go to edit configuration and go to authorization tab for the different locations, it looks like it only states allow * while the config file clearly has deny *. Is it possible that on that server this type of configuration file is not supported (it does not generate any errors either however).
Thx in advance
Wim
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings>
<add name="..." connectionString="..."
providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<httpRuntime maxRequestLength="102400" executionTimeout="600"/>
<authentication mode="Forms">
<forms name="MYWEBAPP.ASPXAUTH"
loginUrl="member_login.aspx"
protection="All"
path="/"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
<compilation debug="true"/>
</system.web>
<location path="Content/Documents">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/Events">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/News">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/PriceChange">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Administrator">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Member">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Nothing is wrong with your config. Rather, static files (jpgs, csses, pdfs) are handled by iis without involving asp.net pipeline. This means that your authorization rules are ignored when you ask for a pdf file.
To fix this you can either have an aspx page that gets a parameter that states which file should be downloaded or configure the application to run some (or all) static files through the asp.net pipeline. An easiest way to have all requests go through asplnet is to set
runAllManagedModulesForAllRequests="true"
in the modules section of the web.config.
I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users is getting access to the page.
Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.
This is what I've done:
//Web Config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1 the user don't get access even when prompted with a login request. The login windows dialog boks just keep on popping up 3times with even if the used have access. making it deny ? (anonymous) allows everybody to have access, even if I take out the deny and only have the allow tag with USER1 the rest of the users still have access... I'm running locally now, but even on the IIS when setting the authentication on there with (windows and basic authentication) does exactly the same....
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
In my main web.cofin in the root of the application I have set authentication mode to windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
On your question you said you have a folder name but on the web.config you have given only the file name on the path. Use the foldername/filename.aspx like below. Use deny users="*" instead of deny users="?'
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<authentication mode="Windows" />
</authorization>
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />
I wanted to use FormsAuthentication to secure my static files as well on my site, so I followed the instructions located here http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/ under title "Enabling Forms Authentication for the Entire Application".
Now though, when I try to visit the site by going directly to http://www.mysite.com I get redirected to http://www.mysite.com/Login.aspx?ReturnUrl=%2f instead of it using my DefaultDocument I have set. I can go to my default document by just visiting http://www.mysite.com/Home.aspx without any issues because it is set to allow anonymous access.
Is there something I need to add into my web.config file to make iis7 allow anonymous access to the root? I tried adding with anonymous access but no such luck.
Any help would be much appreciated.
Both Home and the Login form allow anonymous.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Login form is set as the loginUrl
<authentication mode="Forms">
<forms protection="All" loginUrl="Login.aspx">
</forms>
</authentication>
Default document is set as Home.aspx
<defaultDocument>
<files>
<add value="Home.aspx" />
</files>
</defaultDocument>
I have not removed any of the iis7 default documents. However, Home.aspx is first in the priority.
Take a look: Allowing anonymous access to default page
Did you try this:
<authorization>
<allow users="?" />
</authorization>
I think that will fix it.