I have a web application and I want to provide anonymous access to a couple of the web services in it so that we can access the web services from computers without a windows login on our network.
I've tried the stuff here Disable authentication on subfolder(s) of an ASP.NET app using windows authentication. I've done this:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...
<location path="Tests/QService.asmx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
These both "work" in that they allow access to the web service for anonymous users. However, it seems that IIS still sends an authorization challange because when I access the service from a browser I get a box to enter my username and password. If I hit cancel I get access to the page anonymously. However, some of our clients don't handle this well and just fail because of the 401 return code.
Is there a way to completely disable the windows authentication on that single location such that IIS will not try and establish a windows authentication?
You need to disable Windows Authentication on the Virtual Directory for that single location. Then you shouldn't be challenged.
Related
Some resources (images) don't appear when I visit the main page after login (using form authentication)
However, setting the attribute of anonymous authentication to 'application pool id' in iis manager works
what windows account is used for form authentication in iis?
Only the login Page need anonymous authorization access. It sounds like you didn't set anonymous authentication correctly.
When we implement form authentication in IIS, Both form authentication and anonymous authentication are enabled side-by-side. Then we will create allow auth rule for all user and deny anonymous user in site level.
<authentication mode="Forms">
<forms name=".MyCookie" loginUrl="Login" protection="All" timeout="60" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Secondly, we need to create a authorization rule to allow anonymous access to login page.
<location path="Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
When you pass the form authentication, IIS will send a form authentication cookie with the username which is decided by your application. It can be a key in appsetting or a username from database.
1.
FormsAuthentication.SetAuthCookie(UserInfo.UserName, false, FormsAuthentication.FormsCookiePath);
2.
FormsAuthenticationTicket
3.
FormsAuthentication.RedirectFromLoginPage(UserInfo.UserName, false);
You need to make sure the auth_user and application pool identity have permission to access the image sources.
https://support.microsoft.com/en-us/help/301240/how-to-implement-forms-based-authentication-in-your-asp-net-applicatio
I have ASP web site using Windows Authentication.
Here are the web.config settings
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
<deny users="?"/>
</authorization>
When I host the website in IIS 6 the user never gets authenticated so Request.IsAuthenticated is always null in Application_AuthenticateRequest method. Same about the identity of the CurrentPrincipal.
The weird thing is that when I switch the website to use Visual Studio Dev Server, everything works brilliantly.
I have Integrated Windows Authentication ticked in the IIS web directory settings.
What am I doing wrong? Any help or advise will by much appreciated.
I googled a lot but did not find an answer:
I have a webservice which requires windows-authentication.
part of my web.config
<!-- added for security reasons, in case of archiving from unix-clients remove it -->
<location path="Archive.asmx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
All windows-users can access this webservice normally.
BUT there is a service on a linux-server which should also use this webservice. So I want to allow the IP-Address of the Linux-server to call this webservice without authentication.
I don't want to remove the need to authenticate for all IPs (or users), only users from the linux-server should be able to access the webservice without authentication.
I would like my asp .net web application to only allow users belonging to DomainName\Domain Users to access the site. Right now I have "Anonymous access" disabled and "Windows Integrated Security" enabled on IIS. I also have the following code in my web config:
<authentication mode="Windows" />
<authorization>
<allow roles="DomainName\Domain Users" />
<deny users="*" />
</authorization>
When I attempt to access the website it prompts me for the username and password to connect to webserver.example.com. I am a member of the domain users group but it does not allow me access. What am I doing wrong either in the syntax or in my IIS settings?
Is Anonymous Authentication Disabled in IIS ? Only Integrated Windows Auth should be enabled on the web application.
EDIT from comments:
I see you have Anonymous disabled. Try adding <identity impersonate="true" /> within <system.web> and see if your behavior changes.
I have an asp.net web site, I want restrict all users to access a folder named "log" and I have this element in web.config:
<location path="log">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
to avoid this confusions I usually create one web.config file at the directories i need to set different permissions.
If you place a web.config file inside your log folder it will work ok (and it will become easier to check the applied permissions at the folder)
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>