MapPageRoute on iis7 not working (but works in iis6) - asp.net

My WebSite runs fine on iis6, as you can see here: http://93.115.250.xxx/
I recently tried to migrate it to iis7, and after a lot of hassle I now can see the starting page, but all urls rewritten through MapPageRoute give a 404 as you can see here: 94.75.xxx.xxx
Any ideas as to why iis7 is trying to access a physical file and ignores the pageroute?

I am currently programming in a mixed environment. My alpha server is Server2008, beta and production are still 2003. You need to modify the config file to have a system.webServer node with the following entry:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
I am not sure if this is applicable in your instance, but my application required log-in except for publicly available image files available from a re-written directory. Don't forget to add an exception where the route is mapped:
<location path="{target path}">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Related

How to make IIS authorize requests based on Windows user name or group membership?

I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.
<location path="lsgprog/bibliothek/adm">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Access to some other directories is restricted as well, also using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users; those groups and users are maintained by some Active Directory, and because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.
All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.
<location path="lsgprog/vfristen">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"
roles="*"
verbs="GET,HEAD,POST" />
</authorization>
</system.web>
</location>
My expectation was that the above is enough to DENY access to all users, but that doesn't work, and any approach based on ALLOW doesn't either. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.
So, is what I'm trying to do possible at all and if so, how? Thanks!
In this scenario there are multiple options. First, try and add a web.config file to the folder that needs to have its own permissions, e.g. under lsgprog/vfristen; the minimum web.config example which will deny all users access:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Why does it work - IIS looks at each folder structure for web.config files, in this case the child will overwrite the parent but only the nodes that are inside the child - meaning it will preserve all other settings from the parent (root) web.config:
Make application and directory-specific configuration settings in an ASP.NET application
Although the documentation above is for ASP.NET it applies at the IIS level as well.
Second option to try - since the question mentioned the root of the project is lsgprog then this setting in web.config:
<location path="lsgprog/vfristen">
Should be changed to (remove the root folder of the project from the path):
<location path="vfristen">
Finally, a third option which could also work is overriding it at the Machine.config level, as mentioned in the document above:
Use the location element in the Machine.config file
When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the location element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:
Machine.config
<configuration>
<location path="Default Web Site/MyApp" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
You could try to add the below code in your site web.config file:
<location path="foldername">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<location path="foldername/page1.php">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="DOMAIN\ADGROUP" />
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
Edit: you need to install URL Authorization in IIS to make this rule work.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

ASP.NET: CSV file is served, bypassing the web.config permission denial

I have an ASP.NET MVC website. There is a "booklist.csv" file in the "~/booklist" folder, which is not supposed to be served to the public.
To prevent the public from downloading this file using
www.mywebsite.com/booklist/booklist.csv
I have the following web.config file in the "~/booklist" folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have also the following in the root web.config:
<modules runAllManagedModulesForAllRequests="true">
On our test server, it works, and the public cannot download that "booklist.csv" file. But on our production server, it doesn't work. The public can still directly download that CSV file.
What could be the problem?
I worked it out. The production server was actually behaving as expected, the same as the testing server. It was my browser caching that CSV file. So my settings were correct.
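Because a browser cache can hide whether a deny is really enforced, the server's own log is the thing to check. The following is an added example, not part of the question or the answer: it reads IIS W3C log lines and reports any 2xx response for a path covered by a `<deny users="*"/>` location in web.config. The log excerpt, the web.config and all addresses are constructed for the example; the field layout is the IIS default plus sc-bytes.

```python
import xml.etree.ElementTree as ET

# Constructed IIS W3C log excerpt (not real traffic). The first booklist request is
# refused (401.2), the second is served: that is what a working deny must never show.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2024-01-10 09:00:01 10.0.0.5 GET /booklist/booklist.csv - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 1519 296
2024-01-10 09:00:07 10.0.0.5 GET /booklist/booklist.csv - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 48213 12
2024-01-10 09:01:15 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 5123 30
2024-01-10 09:02:40 10.0.0.5 GET /static/login.aspx - 80 - 198.51.100.4 Mozilla/5.0 200 0 0 2210 8
"""

# Constructed web.config carrying the <location> deny from the CSV question.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="booklist">
    <system.web><authorization><deny users="*" /></authorization></system.web>
  </location>
</configuration>"""

def denied_prefixes(config_xml):
    """URL prefixes whose <location> contains an unconditional <deny users="*"/>."""
    root = ET.fromstring(config_xml)
    out = []
    for loc in root.findall("location"):
        if any(d.get("users", "").strip() == "*" for d in loc.iter("deny")):
            out.append("/" + loc.get("path", "").strip("/").lower())
    return out

def parse_w3c(log_text):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def served_despite_deny(log_text, config_xml):
    """Requests under a denied prefix that still got a 2xx: the deny was not enforced
    for that request (typically the static-file path never reached ASP.NET)."""
    prefixes = denied_prefixes(config_xml)
    hits = []
    for row in parse_w3c(log_text):
        stem, status = row.get("cs-uri-stem", "").lower(), row.get("sc-status", "")
        if status.startswith("2") and any(stem == p or stem.startswith(p + "/") for p in prefixes):
            hits.append((row["time"], row["c-ip"], stem, status))
    return hits
```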

authorizing directory only when running on localhost

I have this in the web.config
<location path="SomeDir/SomeSubDir">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
How do I change this so that this rule only applies when the app is not running on localhost? Is there a way to make the rule detect the environment?
I would remove the deny from the web.config and use something like this in the page load event.
if(!HttpContext.Current.Request.IsLocal && !User.Identity.IsAuthenticated)
Response.Redirect("Login.aspx");
Config Transformations will give you a Web.Release.config that will transform your Web.Config when you publish with the Release settings.
If you don't already have the transform files, you will need to right-click the Web.config file and then click Add Config Transforms.
Here is the MSDN How to: Transform Web.config When Deploying a Web Application Project.
Your Web.Release.config file would look something like this:
<configuration xmlns:xdt="...">
<location path="SomeDir/SomeSubDir" xdt:Locator="Match(path)" xdt:Transform="Remove" />
</configuration>
Which will result in that location element being removed when you do a Release publish.

Access is Denied - 401.2: Unauthorized Error

I have an ASP.NET website hosted on IIS 7.5 as below:
I have "customwebsite.com" as the website and in it I have two Web Applications - uk & us - so that I can access these application as customwebsite.com/uk & customwebsite.com/us.
The customwebsite.com directory does not have any web.config and has only two folders, for the web applications us and uk.
Both the us and uk web applications have their individual web.config and have Forms Authentication specified as below:
<authentication mode="Forms">
<forms loginUrl="/static/login.aspx" name="login" timeout="20"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
At this path: /static, there is a web.config with following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>
When I hit the root URL for the us application, the website loads correctly, but if I load from uk, I get the error below:
I have checked the Folder Security, and all the required users have been granted permission and are same for both us and uk applications.
I have checked the IIS logs and below are the response codes of the request in case of failure: 401 0 0 1519 296
Can someone help me resolve this issue?
Got it resolved.
There were two more folders where the redirection to /static/login.aspx happens.
We need to allow access to all such redirecting folders by having a web.config file in those folders with the below content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>
Ran into this same error, but had a different resolution. In our case we had to set:
<machineKey compatibilityMode="Framework45" />
Details here:
http://ardalis.com/asp-net-shared-authentication-problem-solved
In our case we had an error on the login page that redirected to an error page that the user did not have rights to see, so it redirected to the login page... cycle, rinse, repeat.
We removed all the controls from the UI, then added them back one by one until the page crashed. Then we could narrow down the controls that had an error.
And yes, we gave all users access to the error page.
Check the IIS setting below:
Authorization Rules must contain only an allow-user setting, not any other rule, e.g. a deny-user rule.

IIS 6 ignores Web.config authorization settings

Context:
IIS 6 on Windows 2003 Server
ASP.NET 3.5 sp1
C# Web Application running from a virtual directory
There are a few files that I would like not to serve. For example, there's a hibernate.cfg.xml in the root directory that should not be accessible. There are also log files in a logs directory. On the local development server (Visual Studio 2008), the NHibernate config file can be protected in a couple of ways through Web.config:
<location path="hibernate.cfg.xml">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
OR
<httpHandlers>
...
<add path="*.cfg.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
The logs in a different directory can be protected through another Web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
None of these work when the application is compiled using aspnet_compiler.exe and deployed to an IIS 6 server. No errors in the logs. The files are readable to anyone. The application is compiled and installed using MSBuild as follows:
<AspNetCompiler Force="true" Debug="true" PhysicalPath="$(DeploymentTempPath)\$(DeploymentAppName)" TargetPath="$(DeploymentPath)\$(DeploymentAppName)" VirtualPath="/$(DeploymentAppName)" />
How do I make IIS 6 respect the authorization rules in Web.config?
Note: assume that I can't move these files outside of the deployment directory.
It looks like IIS does not forward the request for .xml or .txt files to ASP.NET, so it has no chance to apply its authorization controls.
To work around this, I had to do the following (from this forum post):
From IIS Console, open properties of the virtual directory of my app.
Virtual Directory > Configuration
Add new handler for extension ".xml" using the ASP.NET filter (c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll in my case)
All verbs. Uncheck both "Script engine" and "Verify that file exists".
Is there any way to do this from within Web.config?
Try this:
<location path="hibernate.cfg.xml">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Static files such as .jpg, .xml and .pdf are by default handled directly by the kernel mode http.sys driver. Unless you've mapped these extensions to ASP.NET they will never hit the ASP.NET pipeline and hence the authorisation mechanism within ASP.NET.
To force static files such as .xml to be processed by .NET on .NET 2.0/3.5/4.0 and IIS6, do the following:
1) Add the entries for .xml (or other file type) to IIS as described above (IIS6 website properties, Home Directory, Configuration)
2) in web.config add the location for the restricted directory or file
<location path="directory_or_file_name">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
3) Add the following to the httpHandlers section:
<add path="*.xml" verb="*" type="System.Web.StaticFileHandler" validate="true" />
This will force .NET to only serve .xml files as specified in the <location> tag to authenticated users.
URL Authorization: The URLAuthorizationModule class is responsible for URL authorization on Windows 2003. This mechanism uses the URL namespace to store user details and access roles. The URL authorization is available for use at any time. You store authorization information in a special XML file in a directory. The file contains tags to allow or deny access to the directory for specific users or groups. Unless specified, the tags also apply to subdirectories.
You need to do the following:
<deny users="?"/>
<deny users="*"/>
The wild card entry "?" means that no one else will be able to gain access to this directory.
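To make the rule ordering discussed across these answers concrete, here is an added Python model of ASP.NET URL authorization; it is example code, not from any post above and not Microsoft's implementation. It collects the `<allow>`/`<deny>` rules of every matching `<location>` (most specific first) followed by the site-wide section, applies first-match-wins, and treats `*` as everyone and `?` as anonymous only, with the machine-level allow as the fallback when nothing matches. The web.config it parses is constructed for the example: the site-wide `<deny users="?"/>` and the `/static` allow mirror the 401.2 thread, while the `adm` folder and the `DOMAIN\Admins` role are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any post above): the site-wide <deny users="?"/>
# and the /static <allow users="?"/> mirror the 401.2 thread; "adm" is a hypothetical folder.
SAMPLE_WEB_CONFIG = r"""<?xml version="1.0"?>
<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="static">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="adm">
    <system.web><authorization>
      <allow roles="DOMAIN\Admins" />
      <deny users="*" verbs="GET,HEAD,POST" />
    </authorization></system.web>
  </location>
</configuration>"""

def _auth_rules(section):
    # <allow>/<deny> children of section/system.web/authorization, in file order
    for sw in (c for c in section if c.tag == "system.web"):
        for auth in (c for c in sw if c.tag == "authorization"):
            return [r for r in auth if r.tag in ("allow", "deny")]
    return []

def effective_rules(config_xml, request_path):
    # Rules for request_path in the order ASP.NET checks them: the most specific
    # matching <location> first, then less specific ones, then the site-wide section.
    root = ET.fromstring(config_xml)
    path = request_path.strip("/").lower()
    locs = [loc for loc in root.findall("location")
            if path == loc.get("path", "").strip("/").lower()
            or path.startswith(loc.get("path", "").strip("/").lower() + "/")]
    locs.sort(key=lambda loc: -len(loc.get("path", "")))
    return [r for loc in locs for r in _auth_rules(loc)] + _auth_rules(root)

def _names(attr): return {x.strip().lower() for x in attr.split(",") if x.strip()}

def is_authorized(config_xml, request_path, method, user=None, roles=()):
    # First match wins: "*" is everyone, "?" is anonymous only (user is None), verbs=
    # limits a rule to those verbs; no match falls through to the machine-level allow.
    roles = _names(",".join(roles))
    for rule in effective_rules(config_xml, request_path):
        verbs = _names(rule.get("verbs", ""))
        if verbs and method.lower() not in verbs:
            continue
        users = _names(rule.get("users", ""))
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user.lower() in users)
                or roles & _names(rule.get("roles", ""))):
            return rule.tag == "allow"
    return True
```

Note that the verb-limited deny under `adm` leaves a PUT from an authenticated user to fall through to the machine-level allow, which is why a deny meant to be total should carry no verbs attribute.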