We have IIS 7 running on the Windows 2008 Server which hosts many intranet websites. We want to use windows authentication for the website and its url will be http://pay
So, I add the C:\InetPub\pay folder and bind it to the IIS7.
Disable the Anonymous Authentication mode.
Enable the Windows Authentication mode.
When I access the website http://pay from the other computer, I got the message that
Unauthorized You do not have permission to view this directory or page
using the credentials that you supplied.
So, I go to the Windows Explorer and Add the Local\IUSR account and give access to the folder. But I still got the same error.
Finally, I added Everyone account and give access to the folder. This time, it works and windows authentication is also working well.
What I am afraid is that, does it open the read access to Everyone to the \MyServer\C$\Inetpub\pay folder? It contains the web.config which contains server and users credential and it would be the big security breach.
How can I achieve to use Windows Authentication without giving access to Everyone account?
Thanks in advance.
I believe what you you're looking for is the IIS_IUSRS group which you should give read access to your website folders when using Windows Authentication. The IUSR account you tried would be used in an Anonymous Authentication scenario.
More info on these groups in IIS7 here:
Understanding Built-In User and Group Accounts in IIS 7
Related
I have decided to transfer several of my web applications from one virtual server ot another. The way everything works on my current server is pretty bad - everyone has rights for reading and accessing the content of my "applications" folder on the machine, and so does the IIS. I want to organize stuff on the new server, so only IIS can access this folder.
I have installed IIS and the ASP.NET addons on the new server, and forced my test website to Windows Authentication, as all of my websites are configured on the current server. Then, after doing some reading regarding the permissions, I have given full control to the folder that contains my website to the next users: IIS_IUSRS & TestAppPool (which is the Application Pool I have created for my 'Test' application).
For some reason when I try to access the website from another user within the domain, through the browser, it promts for Login Credentials. I would like to understand why my application wont retrieve the permissions I have granted the IIS users upon accessing the website.
not sure if this would help, but can you try changing the app pool's identity to Network Service?
I have an IIS7.5 intranet website which I have secured using Windows Authentication.
I want to allow access to a file in a sub-folder of the website without prompting for Windows credentials.
My web.config is shown below. When I browse to http://myserver:9876/SomeFolder/test.html I am still prompted for Windows credentials :
I found a work around for the problem, which I thought wasn't possible due to wcf. I just changed the authentication scheme to 'Anonymous' on "SomeFolder" and it works.
I haven't answered my question, so it still would be interesting to know if my original approach was possible.
I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication" and in authorization section of web.config, I have specified the AD groups (domain\groupname) to restrict the access to only to the members of those AD groups. multiple AD groups are specified in web.config (domain1\group1, domain2\group2 etc). now this works fine for users of one domain1 (where it is hosted), but for users of another domain (domain2), they get a prompt to enter their windows credentials and if they enter it, then it works and they can access the site without any problem. but I would like to avoid this login prompt, because I granted access to groups of both domains. why are they getting this prompt and is it possible to suppress it? do I need to configure something in IIS or web.config for it? Thanks in advance.
I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.
I'm not sure that you can do this - I believe that users from outside the hosted domain will always be prompted for credentials with 'integrated' security.
You could probably use forms authentication to handle multiple domains. I am heading down the Windows Indentity Foundation path myself (which I have no desire to learn) so I'd love for someone to tell me I'm wrong about this!
Can you please post a small explanation of the prerequisites of using Windows Authentication?
I know that you have to turn Windows Authentication on from web.config or IIS and define domain.
Does the web server have to be connected to the Active Directory server or not, and how to get user info from Active Directory like name and description?
You don't have to be on a domain. The local server user accounts can be used with windows authentication. If the machine is on a domain, then either AD users OR local users can be used with windows authentication.
The minimum that has to be in place to use windows authentication in asp.net is that IIS has to have Windows Authentication enabled for the web site. IIS can still have other authentications enabled for the site too, even anonymous authentication can be used in conjunction with windows auth... as long as windows authentication is enabled also asp.net can use it.
Otherwise, your question is too broad for a good answer here. Authentication in asp.net is a very big topic; and when you add AD to the mix it gets bigger. I recommend checking out the MSDN documentation, reading through it, experimenting with it, then coming back here with more specific questions.
I have authentication mode set to forms in my asp.net web.config but am still getting a windows login prompt when i browse to the website.
Could authentication mode be set elsewhere, in IIS for example? My site runs on IIS 6.
Thanks.
This could be because the permissions on the folder that is being served is not allowed to be accessed by the user running the web site
I have had issues where the authentication was set to forms and the directory security was set to allow anonymous, but some resources (images in my particular case) did not have the proper permissions to allow the anonymous user to read them.
The effect is that the user was prompted to login so that the graphics could be displayed, after which the form was displayed and the user logged in (again) with the intended form.
Sounds like windows permissions problem.
Windows permissions will always override anything that you have set up in aspnet.
I would start by looking at "anonymous access" permissions in IIS admin, then work your way through the file system.
You have configured anonymous access in IIS Administrator, but the IIS user does not have permission to access the filesystem, defaulting to the login dialog to authenticate as Windows user.
As it happens a colleague updated my machine to .NET Framework 3.5 SP1 whilst I was away. So I compiled my project and released onto the server which does not have SP1 installed and the above happened.
I've installed SP1 on the server and it's working fine now.
Thanks for all your input.
Just to clarify : the login popped up because the application was unable to load a file due to the problem described in the following: Link