IIS7 Authorization Rules / Config - Prompting Perpetually - asp.net

I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="myusername" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAIN\myusername.
However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)
Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.
Below is the message I see (even when connecting from the server using localhost):
**Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**

First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules"
Another note worth mentioning, if you put the following config in place:
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="unknownname" />
<add accessType="Allow" users="knownname" />
</authorization>
</security>
</system.webServer>
</configuration>
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.

Configure Basic Authentication in IIS 8 on Windows Server 2012
01-Authentication-Add Features
02-Authentication-Server Roles
03-Authentication-Server Management
04-Authentication-Set Password for user
05-Authentication-Authentication in IIS setup

Could you change your code as below
<deny users="*" />
<allow users="myusername" />

I spent 4 hours trying to set this up (to use domain role) :). Final solution was to use domain name in the role too:
`<system.web>
<authorization>
<allow roles="DOMAINNAME\rolename" />
<deny users="*" />
</authorization>
</system.web>`

Related

401 error: unable to access start page of IIS website with accessType="Allow" users="?"

Anonymous Authentication is enabled on the Authentication dialog and IIS_IUSRS have read & execute on the website folder, but I'm unable to access website with the web.config shown below. When I type http://servername I get the following error:
401 - Unauthorized: Access is denied due to invalid credentials.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="?" />
</authorization>
</security>
</system.webServer>
</configuration>
I had added an application beneath the website and set up a role-based authorization for it using a AD Security Group, but I've since removed that application.
As you know, * means all users and ? means anonymous users. the above section allows anonymous users to allow the website, in other words, there are no authenticated rules for anonymous users. On my side, the website with Anonymous Authentcation mode enabled and with the above settings works properly. I doubt if there is a local cache in your browser or some problem with the website project.
Please confirm the issue by applying the configuration in the default IIS website.
Feel free to let me know if there is anything I can help with.

Failed to load resource: the server responded with a status of 401 (Unauthorized) /App/AngularJS/angular.min.js

I am having the following error:
Failed to load resource: the server responded with a status of 401 (Unauthorized) http://localhost/App/AngularJS/angular.min.js
The project works fine on localhost. But when I run it on IIS (7.5) I get the above exception.
[Image]
My project is .net 4.5 project (Web.API 2.2), I am using AngularJS for UI in this project.
I have tried running "aspnet_regiis - i" as somewhere this was accepted as solution. But it didn't work in my case. I don't know is there any thing required to execute [AngularJS].js files on IIS for Web.API project?
EDIT:
I have made following changes to web.config file:
<location path="AngularJS">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow users="*" />
</authorization>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
Also I have set the read/write/modify access for "IUSR" & "IIS_ISURS" users of whole project.
But still I get the same exception on IIS. But same running fine with VS2013.
Error:
When servers respond with access denied message (401 Unauthorized access), it means that the anonymous IIS user account is unable to access the resources because of permission issues.
By default, IUSR account is used for anonymous user.
All you need to do is:
IIS ->
Authentication -->
Set Anonymous Authentication to Application Pool Identity.
Problem solved :)
Also I have set the read/write/modify access for "IUSR" & "IIS_IUSR"
users of whole project.
this was enough for me to get around the same issue.
PS. sorry for using your image, just want to emphasize the step you mentioned that worked for me.
Assuming that you are using form authentication and you are trying to get it before login. You can use the following in your web.config file inside <configuration>.
<location path="AngularJS">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
It will make you files inside AngularJS folder available without login
Well,
It's strange but It worked. The solution was to set the default user for "Connect as" in IIS. See the image given below.
I specified the administrator user & this started to work in IIS. I think this is some kind of requirement with AngularJS to work on IIS.
Thanks for replies.
It will work when you add IUSR into the application folder security.
I had this problem and disabled my VPN and it was solved.

User name in asp.net

I tryed this ways:
Request.ServerVariables["LOGON_USER"]
or
HttpContext.Current.User.Identity.Name
or
User.Identity.Name
-- If i run it by F5 from VS2010, it runs OK.
-- If i run it on IIS (I tryed it on 5.1 and 6.0, other IIS i can't use) there are empty strings.
In web.config i have:
<authentication mode="Windows"/>
<authorization>
<allow users="*"/>
</authorization>
so, all users should by autentificated.
Maybe, there should be more things in web.config.
I tryed it in IE, Firefox, and Chrome.
I post this question before, but there was some misleading information, so i post it again.
so, all users should by autentificated.
Exactly. All users include anonimous.
Any web browser will attempt an anonymous request at first, if it's successful it won't try to authenticate. So you want to deny anonymous requests:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Note that the order of items in the authorization element is important - they're like any access rules in that they're processed from top to bottom.
In this case the ? is anonymous users and * is all users (including anonymous) but as the deny anonymous user statement comes first - they will be denied and never get to see the allow statement which allows everyone else.
Also, if this is an ASP.NET MVC 3 web application, there're some quirks to be heedy of - please correct me if I'm wrong as I don't recall all the details right now:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
</appSettings>
The autoFormsAuthentication has to be disabled to enable Windows authentication in an MVC 3 web application - or it was anyway, it might have been fixed by now but as it took quite some time to figure it out, I'm including it here. The symptom when not disabling it is every authentication request is redirected to the account forms url (which you might not even have).

ASP.net quick and dirty authentication

I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ, however I'd like to set-up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog
To enable Windows Authentication
within an ASP.NET Application, you
should make sure that you have
“Integrated Windows Authentication”
(formerly called NTLM authentication)
enabled within IIS for the application
you are building. You should then
add a web.config file to the root
directory of your ASP.NET application
that contains an
section which sets the mode to
“Windows”.
You should also then add an
section to the same
web.config file that denies access to
“anonymous” users visiting the site.
This will force ASP.NET to always
authenticate the incoming browser user
using Windows Authentication – and
ensure that from within code on the
server you can always access the
username and Windows group membership
of the incoming user.
The below web.config file demonstrates
how to configure both steps described
above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
<system.web>
<authorization>
<allow roles="MyRole, AnotherRole" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference

Resources