We have a directory named Admin in the root folder of an ASP.net (4.0) web application.
I have created a route to the Admin/Dashboard.aspx
~/administrator/dashboard/
and it works fine.
I was curious whether I could disallow running the file through direct access, even for administrators:
~/Admin/Dashboard.aspx
Is it doable?
Please help.
You can do this with a web.config setting like the one below:
<location path="~/Admin/Dashboard.aspx">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Create a local web.config in the Admin folder and create an authorization rule inside the config file:
<configuration>
<system.web>
<authorization>
<allow ...
<deny ...
</authorization>
</system.web>
</configuration>
where allow and deny should be tuned to serve your needs. In particular, deny users="*" will forbid everyone from accessing your page.
I am currently preventing anonymous users access to my root application.
/web.config
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
But am allowing anonymous access to public resources (Images, CSS, etc.):
<location path="Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now, I would like to add a virtual directory which should be accessible to anonymous users. I added a configuration based on the Images path, but whenever I try to access that location, I get redirected to the login page with the ReturnURL set to the virtual directory.
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition, I tried to specify the global authorization within my virtual directory's web.config but get an error saying I can only have that once
/virtualDirectory/web.config:
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
How can I allow anonymous access to a virtual directory when my root application is preventing anonymous access?
In your global web.config encapsulate the
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
with
<location path="." inheritInChildApplications="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
It means - authorization is enforced only in root app, not for the child apps.
Some notes.
The asterisk mark (*) represents all identities.
The question mark (?) represents the anonymous identity.
So ideally, you don't need to set to allow authentication for the anonymous user for your virtualDirectory in the global web.config.
Go to IIS, under your Virtual Directory > select Authentication > Enable Anonymous Authentication.
Refer
ASP.NET Authorization
How to: Create and Configure Virtual Directories in IIS
In your global web.config remove
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Then go to IIS manager and
In the Virtual directory Home area, double-click Authentication
Right-click Anonymous Authentication, and then click Enable
Your authorization rules look good. The last error you are getting is because you can have the authorization section (in fact any section) only once per folder/file/path. So either have it globally, i.e. under <location path="virtualDirectory">, or only in the web.config of the virtual directory. Having it in both places will give you an error. What is authentication set to at the virtual directory?
Make sure anonymous is enabled along with the allow authorization rule.
(IIS Manager -> Sites -> your specific site -> virtual directory -> Authentication in the central pane)
Also in IIS GUI there are ASP.NET Authorization rules (the one you are using currently) and IIS Authorization rules. Make sure there aren't any deny IIS Authorization rules.
I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users are getting access to the page.
Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.
This is what I've done:
//Web Config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1, the user doesn't get access even when prompted with a login request. The Windows login dialog box just keeps popping up 3 times even if the user has access. Making it deny ? (anonymous) allows everybody to have access; even if I take out the deny and only have the allow tag with USER1, the rest of the users still have access... I'm running locally now, but even on IIS, setting the authentication there (Windows and basic authentication) does exactly the same...
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
In my main web.config in the root of the application I have set authentication mode to windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
In your question you said you have a folder name, but in the web.config you have given only the file name in the path. Use foldername/filename.aspx like below. Use deny users="*" instead of deny users="?".
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<!-- authentication is a child of system.web, not of authorization -->
<authentication mode="Windows" />
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />
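Added example (not part of any post above, and not ASP.NET's own code): a simplified Python model of first-match URL authorization, showing why the question's allow plus deny users="?" rules still admit every authenticated user, while allow plus deny users="*" admits only the listed account. It models users only (no roles or verbs), assumes case-insensitive name matching, and DomainName\User9 is a constructed second account.

```python
import xml.etree.ElementTree as ET

# Machine-level default that ends every rule chain: <allow users="*"/>.
DEFAULT_RULES = [("allow", ["*"])]

def parse_rules(authorization_xml):
    """Return [(action, [user, ...]), ...] in document order."""
    root = ET.fromstring(authorization_xml)
    return [(el.tag, [u.strip() for u in el.get("users", "").split(",") if u.strip()])
            for el in root if el.tag in ("allow", "deny")]

def is_allowed(user, *levels):
    """user is None for an anonymous request; levels are most specific first."""
    chain = [rule for level in levels for rule in level] + DEFAULT_RULES
    for action, users in chain:
        for pattern in users:
            if (pattern == "*"                                  # everyone
                    or (pattern == "?" and user is None)        # anonymous only
                    or (user is not None and pattern.lower() == user.lower())):
                return action == "allow"                        # first match decides
    return False

# Folder-level rules from the survey folder's web.config.
FOLDER = parse_rules('<authorization><allow users="*"/></authorization>')
# Page-level rules as first posted in the question.
LEAKY = parse_rules(r'<authorization><allow users="DomainName\User2"/>'
                    r'<deny users="?"/></authorization>')
# Page-level rules as suggested in the answer.
STRICT = parse_rules(r'<authorization><allow users="DomainName\User2"/>'
                     r'<deny users="*"/></authorization>')

def access_table(page_rules):
    """Decision for each sample identity requesting the protected page."""
    people = {"anonymous": None,
              "User2": r"DomainName\User2",
              "User9": r"DomainName\User9"}   # constructed, not on the allow list
    return {name: is_allowed(user, page_rules, FOLDER) for name, user in people.items()}

if __name__ == "__main__":
    print("allow + deny ?:", access_table(LEAKY))
    print("allow + deny *:", access_table(STRICT))
```

With deny users="?" the unlisted account falls through the page-level rules and is admitted by the folder's allow users="*"; deny users="*" stops the chain at the page level.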
<location path="ArchiveNews.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
I want to deny unauthenticated users access to ArchiveNews.aspx. For some reason this code doesn't want to work. Can anyone help?
Does this web.config exist in the same directory as your ArchiveNews.aspx file? It needs to be in the same directory for your config snippet to control access to that file.
Just disable anonymous access in the IIS Manager GUI for this site/application.
I have an asp.net application for which I need to expose a particular subdirectory to the public internet. When I go into the subdirectory's IIS configuration's authentication section, I cannot disable the Forms Authentication.
The setting is marked as read-only.
Google offers many discussions when I search for the error message, but I haven't found a clear, working solution.
You have to use location in root Web.config.
http://support.microsoft.com/kb/815174
<location path="Your directory" allowOverride="false">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In the application's root web.config, open it up and find the "</system.web>" line. Then add something like the code below to enable unrestricted access to a directory:
<location path="MY FOLDER/PATH">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I am using forms authentication in a MVC 2 project.
I have this in my web.config:
<authorization>
<deny users="?" />
</authorization>
I want the /Content folder to be available to users that haven't been authenticated yet. The login view uses the css in that folder, which should be available at login time.
Thanks
You can use the css file as a location in your config file like this:
<location path="whatever.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This would be outside of your main system.web block, I believe.
If this content folder is a separate folder, it can have its own web.config file that you can set to allow=*
Do you mean:
<authorization>
<allow users="*" />
</authorization>