IIS 7 Basic authentication location issue - asp.net

I have a website on IIS 7 using Basic authentication. There are some pages that must be public. I added this exception in a location element in the web.config and it looks like this:
<location path="Errors">
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</location>
However, if I try to access some files from that folder, I get this error:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
Detailed Error Information
Module: IIS Web Core
Notification: AuthenticateRequest
Handler: StaticFile
Error Code: 0x80070005
Requested URL: http://srv/Errors/error401.htm
Physical Path: D:\www\MyApp\Errors\error401.htm
Logon Method: Not yet determined
Logon User: Not yet determined
How can I have Basic Auth over my site, but allow everyone access on the Errors directory?

IIRC, "?" is for anonymous users... So turn on Anonymous authentication as well and put this in your web.config... Hope it works for you...
IIS7
<location path="Errors">
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</location>
IIS6 (or IIS7 Classic mode)
<location path="Errors">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
EDIT
I'm not sure removing the authenticated users (*) for errors is a good idea, though... Authenticated users can get errors, too... Show them some love... ;)
EDIT 2 (Changed for Classic mode in IIS7)

Related

Allow unauthorized users from specific IP/Domain only for some directories using <location path="XXX"> tag in web.config

I have some folders in my ASP.Net application which require access without login. For that I have already set up this configuration in my web.config file:
<location path="XXXX">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Now I want to restrict the "path" to have anonymous/unauthorized access from one specific IP address or domain only. How do I set up this security configuration?
<location path="XXXX">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/> <!-- change ip here -->
      </ipSecurity>
    </security>
  </system.webServer>
</location>
Note 1: you will need the IP Security module installed. It can be found here: Windows Features/Internet Information Services/World Wide Web Services/Security/IP Security
Note 2: you will need to allow ipSecurity to be overridden in your applicationHost.config. You can change this by changing the ipSecurity section.
e.g.
<section name="ipSecurity" overrideModeDefault="Allow" />
The applicationHost.config file is usually found here: C:\Windows\System32\inetsrv\config
If you don't have access to this file then you won't be able to do it without asking the server admin.

ASP.NET Identity - protecting a directory from unauthenticated users

I am using ASP.NET 4.5 OWIN Identity and attempting to block access to a directory for all but authenticated users. The directory contains raw files, so it isn't possible to wrap them in the ASP LoggedInTemplate tag.
When I try and prevent access to the directory to anonymous users, it fails.
I have tried adding the following to the main Web.config file:
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="/docs">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Doing this gives server 500 errors and highlights the location path="/docs" line as the source of the error. This is a hosted solution, so options for changing the IIS server config to allow overrides aren't available to me, though that does seem one potential solution for anyone experiencing this issue.
I have now removed the above from the main web.config and added a separate web.config file in the directory that I want to protect. The new web.config contains this:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
This gives no errors, but allows unauthenticated users access to the folder, which is what I am trying to prevent.
Any ideas or pointers to any article that describes how to resolve this would be much appreciated.
The solution to this for my environment was to use the web.config file in the sub directory, but to add a custom handler definition for the file types in question.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="PDFHandler" verb="*"
           path="*.pdf"
           type="System.Web.StaticFileHandler"
           resourceType="Unspecified" />
    </handlers>
  </system.webServer>
</configuration>
The web server then allows authenticated users only to access the files in the sub directory.
This article led me to the solution: http://www.primaryobjects.com/CMS/Article112

Password protect Elmah while web application Anonymously accessible

I am using Elmah (Error Logging Modules And Handlers) with an ASP.NET web forms application.
I have enabled Elmah for remote access.
Is it possible for Elmah to be password protected, like with Windows authentication, while keeping the web forms application anonymously accessible?
The following solution is working for Windows "Roles". But direct access to users isn't working.
<location path="admin" >
  <system.web>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
    <authorization>
      <allow roles="WindowsGroupName" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Note: Elmah is also secured by serving through root/admin/elmah.axd as instructed by Phil Haack.
You can secure Elmah by adding the allowed users in your web.config:
<location path="elmah.axd" inheritInChildApplications="false">
  <system.web>
    <authorization>
      <allow users="YOUR-WINDOWS-USERNAME" />
      <deny users="*" />
    </authorization>
  </system.web>
  ...other config settings
</location>
Assuming you are using Windows authentication:
<authentication mode="Windows" />

Disable authentication password prompt IIS7

In my IIS 7 web site I have a web.config authorization configuration to allow only certain roles. But one page must be available for all users. The problem is that if the user is not in the allowed group DOMAIN\group1 then he gets an authentication prompt (User name and password) when opening the page public_page.aspx that is allowed for all, despite the fact that he is in the domain. The user presses Cancel on the prompt and then this public page opens successfully and he is even authenticated in it (<%=User.Identity.Name%> in it shows his Windows identity). The browser is IE8. In IIS6 there was no such issue. Why does the browser show this username/password prompt if the user is authenticated successfully? And how can I disable it? Maybe I should somehow reconfigure the web.config? Thank you all for your help!
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="DOMAIN\group1" />
      <deny users="*" />
    </authorization>
  </system.web>
  <location path="public_page.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
I resolved the issue by placing public_page.aspx in a subfolder /public and creating a web.config file there with the following contents:
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

Allowing anonymous access to default page

My ASP.NET Forms 4.0 site is running with forms authentication. By default unauthorized users are denied, and then I allow access to certain pages.
I have a problem allowing access to the default url: http://example.com. I have this entry in web.config that defines the default page:
<defaultDocument>
  <files>
    <clear/>
    <add value="default.aspx" />
  </files>
</defaultDocument>
and I have this location override:
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
It works OK when I go to the full url: http://example.com/default.aspx, but it redirects to the login page if I go to http://example.com.
Any ideas what I am doing wrong?
I just found the answer in a response (by Dmitry) to a similar question here on SO: Forms Authentication Ignoring Default Document:
In Global.asax, method: Application_BeginRequest, place the following:
if (Request.AppRelativeCurrentExecutionFilePath == "~/")
    HttpContext.Current.RewritePath("default.aspx");
Worked like charm!
I've just figured out how to solve this without having to fudge a redirection.
It just happened to me after converting from .Net 2 to .Net 4 and I've never found my solution anywhere on the internet, so here goes.
If, like me, your login page is also your default page, you need to make sure you do the following two things in the web.config file.
Add this to exempt default.aspx from authentication (didn't need this in .Net 2):
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
And change the login url from this
<forms name="myform" loginUrl="~/default.aspx" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
to this
<forms name="myform" loginUrl="~/" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
and you should find it all works now. I just tried it out on two different sites and it did the trick for me.
I didn't like making a code change for this issue, especially because my site was working fine on my Windows Server 2008 R2 machine, but not on my Windows 7 SP1 development machine.
It turns out that the root cause of this issue is an update in Service Pack 1 for Windows 7:
http://support.microsoft.com/kb/2526854
The solution appears to be to disable the new "ExtensionlessUrl" feature that was added in SP1:
<system.webServer>
  <handlers>
    <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
    <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrl-Integrated-4.0" />
  </handlers>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Obviously if you're using the ExtensionlessUrl feature this won't work for you, but I've documented it here for those migrating a legacy site and are wondering what has suddenly gone wrong.
This works for me in a test web app:
<location path="">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Now I can't get to either "/" or "/Default.aspx" - give that a try (but use allow instead).
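As an added example (not code from any of the posts above), the following Python script models how ASP.NET URL authorization picks the rules for a request path and evaluates allow/deny entries first-match-wins. It reproduces the default-document problem from this question (the location for default.aspx matches "/default.aspx" but not "/", so the root deny applies to the bare URL) and the per-user Elmah rule from the Elmah question further up. The config, the user name alice and the role names are constructed; only system.web rules are modelled, not IIS's system.webServer authorization or default-document resolution.

```python
# Added example (not from any post): models ASP.NET <authorization> evaluation.
# Only <system.web> rules are modelled; IIS's <system.webServer> authorization
# and default-document resolution are out of scope. Config/users are constructed.
import xml.etree.ElementTree as ET

CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="default.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="elmah.axd">
    <system.web><authorization><allow users="alice"/><deny users="*"/></authorization></system.web>
  </location>
</configuration>"""


def rules_for(config_xml, request_path):
    """Rule list ASP.NET would evaluate for request_path: matching <location>
    blocks (most specific first), then the root <system.web> rules, then the
    machine-level default <allow users="*"/> that ends every chain."""
    root = ET.fromstring(config_xml)
    req = request_path.strip("/").lower()
    matched = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p == "" or req == p or req.startswith(p + "/"):
            matched.append((len(p), loc))
    matched.sort(key=lambda t: t[0], reverse=True)
    rules = []
    for scope in [loc for _, loc in matched] + [root]:
        for r in scope.findall("system.web/authorization/*"):
            rules.append((r.tag, r.get("users", ""), r.get("roles", ""), r.get("verbs", "")))
    return rules + [("allow", "*", "", "")]


def is_allowed(rules, user=None, roles=(), verb="GET"):
    """The first rule whose verb matches and whose users or roles match decides.
    '*' means everyone, '?' means anonymous (user is None)."""
    for action, users, rls, verbs in rules:
        if verbs and verb.upper() not in [v.strip().upper() for v in verbs.split(",")]:
            continue
        names = [u.strip() for u in users.split(",") if u.strip()]
        user_hit = any(u == "*" or (u == "?" and user is None)
                       or (user is not None and u.lower() == user.lower()) for u in names)
        role_hit = any(r.strip().lower() in [x.lower() for x in roles]
                       for r in rls.split(",") if r.strip())
        if user_hit or role_hit:
            return action == "allow"
    return True  # not reached in practice: the default allow-all rule always matches
```

Running rules_for(CONFIG, "/") against an anonymous user yields a deny while rules_for(CONFIG, "/default.aspx") yields an allow, which is exactly the redirect-on-bare-URL behaviour described above.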
