IIS ignores authorization in web.config - asp.net

I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
Why will it not work in IIS? And how to solve it?
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<deny users="*"/>
</authorization>
</system.web>

Without seeing the web.config it sounds like you haven't configured IIS. When you use Windows authentication what ASP.NET is expecting is for the web server to do the authentication - so you must configure it to do so, simply putting it in web.config is not enough.
For IIS6:
In IIS Manager, double-click the
local computer; right-click the Web
Sites folder, an individual Web site
folder, a virtual directory, or a
file; and then click Properties.
Click the Directory Security or File
Security tab, and then, in the
Authentication and access control
section, click Edit.
In the Authenticated access section,
select the Windows Integrated
Authentication check box.
Click OK twice.
For IIS7:
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Authentication.
On the Authentication page, select Windows Authentication.
In the Actions pane, click Enable to use Windows authentication.

Related

ASP.NET login refers on Server IIS to the Home, Local IIS works

Although my tool works on my own machine (ASP.NET 4.5) It begins this:
http://localhost/KnownErrorDatabase/login?ReturnUrl=%2fKnownErrorDatabase%2fHome&AspxAutoDetectCookieSupport=1
And i did an exact copy of it from exporting it from the iis into an ZIP File, and importing it on the server (NOTE: I did check the authentification mode (Everythings Checked!)
Although my local IIS Starts with the Login, the Server not. The Page works and, on my local IIS, other PC's in the intranet can login etc. But now the Error: If i click the login button (that refers to the page) i get redirected to the Homepage of the WebApp... Does anybody know whats the matter at it? IIS is on both machines on version 7.5
Greetings Ethnor
This is the result of a setting in IIS. Your default page is probably set to your home page instead of your login page. Otherwise, your IIS server is set to allow Anonymous users. So, no authentication/login is happening. Check the authentication settings in IIS.
<location path="login.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
Adding this to my web.config fixed the problem

ASP.NET MVC 3 Allow intranet site access based on AD group

Is there a way to allow site wide access to my intranet site based on an AD group without having to use the [Authorize] attibute on every controller?
I am using Windows Authentication.
In webconfig use
<system.web>
<authentication mode="Windows">
</authentication>
<authorization>
<allow users="groupname"/>
<deny users="*"/>
</authorization>
</system.web>
You can add the AuthorizeAttribute to the global filters collection, as described here.
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
filters.Add(new AuthorizeAttribute());
filters.Add(new HandleErrorAttribute());
}
It is usually not a good idea to use the Web.config authorization element for this since this restricts file-based access. But when you protect your entire site, using the Web.config file will work just as well.
IIS 7 & IIS 8
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services
b) Navigate to Web Server > Security and make sure the Windows authentication node is checked.
Finally
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
IIS Express
Right click on the project in Visual Studio and select Use IIS Express.
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to "Enabled".

Issue with forms authentication not working remotely

We have an issue where forms authentication works correctly locally when run from Visual Studio but not remotely from a server running IIS 7. We have also determined that it works correctly on the remote server if we browse to the local site from the server. More specifically, when logging in using the login screen sometimes we are taken into the application and sometimes we are redirected back to the login screen. For the times when we are taken in we are at a one click maximum situation where, if we click on any item inside the site, we are immediately sent back out to the login page. We are using .NET 4.0 We are using location to set permissions on a per directory basis in the web.config:
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
We have tested that the issue must have something to do with this setting because as soon as we change deny users="" to allow users="" it works when testing remotely to the test server. Again, the issue only occurs when promoting to the test environment and testing remotely and works perfectly when running in Visual Studio or when browsing to the localhost site from the remote server. My guess is an IIS 7 setting but we have played around with a few of the settings to no success.
It has a simple solution. in your IIS 7 click on the top most node(Your server node) then click on "Modules" in IIS part of the home page.
Double click Default Authentication and uncheck the "Invoke only for ..." option
Double click Forms Authentication and uncheck the "Invoke only for ..." option
your forms authentication will work perfectly

ASP.NET MVC3 401.1 Error in IIS7.5

I have setup an ASP.NET MVC3 website using Windows Authentication and am getting a 401.1. The error code is 0x8009030e on the 401 page. Users should be able to access the site using their domain credentials.
I don't get the error if I logon to the machine and hit the website via localhost (http://localhost/mysite). However, even logged onto the server, if I hit the website through the server name (ie http://machinename.com/mysite) I still get the error.
The website uses it's own .net 4.0 app pool and using integrated mode. The site is configured for Windows Authentication only in the config.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...and in IIS. I don't have extended properties configured, and have enabled kernel-mode authentication (both are the default). I've tried toggling "IIS Manager Permissions" without any luck.
Any ideas?
I had to do two things to get this working properly:
Make the app pool use "Classic" instead of "Integrated" mode. After making, the change I was getting a 403.x error.
I solved the 403.x error by granting (Read/Execute) NTFS permissions to the "Domain Users" group.

iis 7 disable windows auth

I setup a test website on my IIS 7.5, I created a Web Application project in VisualStudio and set up a web site in a new application pool in Classic Pipeline Mode.
I have this line in C:\Windows\System32\drivers\etc\hosts:
192.168.50.142 dev.mybigdomain.org.uk
Now if I access my website with http://localhost/testHello/Default.aspx it works fine,
but when I try http://dev.mybigdomain.org.uk/testHello/Default.aspx I get a "Windows security" window asking for authentication, but if enter "administrator" and password it does not recognise them and just asks again.
How can I disable the authentication?
Have you try to change the web.config authentication mode to Forms or None?
<system.web>
...
<authentication mode="Forms">
instead of
<system.web>
...
<authentication mode="Windows">

Resources