asp.net authorization - asp.net

In my ASP.NET Application, I have an asmx Web Service which is in its own directory. For this WS I have set basic authentication under IIS 6.0 and put a separate web.config in that folder, with the following nodes:
<system.web>
  <authorization>
    <allow users="domain\username"/>
    <deny users="*"/>
  </authorization>
</system.web>
With settings like these I get
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
when webmethod is invoked with SOAPUI or with browser. If I remove the deny node, any valid user in domain can get a web service response.
Any suggestions on how to make it work for one domain user only?
Maybe I should mention also, that authentication in main web.config is set to "Windows".

updated:
Oops, I overlooked the fact that you have a parent involved, my fault. Once permission defaults are set on the parent, you can just setup per-user access to the child web service/app.
The tightest configuration I could setup was the following.
For the parent, I used this barebones setup (nobody is allowed in):
<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Then for the child (web service, in your case), I used this setup (only the DOMAIN\username principal is allowed in):
<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow users="DOMAIN\username" />
    </authorization>
  </system.web>
</configuration>
This resulted in no access at the parent level, but only the given user at the child (web service) level. Also, as you mentioned, setting the authentication mode doesn't work on the child web.config.
Without setting up at least one allow entry at the child web.config, though, nobody can get in, as the parent's deny entry takes precedence.
original
Your settings work for me, but I believe you are missing a few elements.
Try including the impersonation element, make sure the authentication mode is set to Windows, and if deploying for IIS, make sure the IIS location has anonymous access off.
Try the following barebones config, with debug on or off as needed:
<?xml version="1.0"?>
<configuration>
  <appSettings />
  <connectionStrings />
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
      <allow users="DOMAIN\username" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Related

What is the scope of system.webServer and system.web settings in a web.config file stored in a web application's folder in IIS?

I've added an Application in IIS Manager beneath the Default Web Server. I want to confirm that the system.webServer and system.web settings in the application's web.config are scoped to the application and have no effect on the settings of the Default Web Server or on other applications. Is that correct?
For example, if windowsAuthentication is enabled for this particular application, that setting will affect this application and only this application:
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="myDomain\mySecurityGroup" />
    <deny users="?" />
  </authorization>
</system.web>
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
Yes, you are right: it applies only to this application, and it also covers the application located in the virtual directory of the website.
Besides, the system.web section is for configuring IIS 6.0 and the system.webServer section is used to configure IIS 7.
Check these links for more details.
Difference between <system.web> and <system.webServer>?
http://arcware.net/use-a-single-web-config-for-iis6-and-iis7/
Feel free to let me know if there is anything I can help with.

Unauthenticated Users Can't See Images In Virtual Directory Using IIS 7.5

I have a website that is hosted on my local machine for development. I have a virtual directory named "content" that contains the images for my website (mapped to the physical path "C:\Content" in IIS). The problem is that when a user is not logged into my website, the images don't show up. I've tried putting a web.config file in the content folder using this
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
but that doesn't work. I've also tried adding this to my website's web.config file
<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
but that's not working either. Any suggestions?
The <system.web><authorization> element only refers to content handled by the ASP.NET runtime, not IIS itself (which is <system.webServer> and has a totally different schema). However the Cassini/dev server in VS does use <system.web><authorization> for all resources because ASP.NET handles every request under Cassini.
Check your IIS Authentication rules, as well as your NTFS ACLs. Ensure that Anonymous Authentication is enabled and the correct user identity is set. You can do this in IIS Manager.

Authentication Ignoring Default Document

Today I moved my application from a server with IIS6 to a new one with IIS7.5 (windows server 2008 R2).
The odd thing is that I cannot access the default document although it has been set in the default documents section. The file is "default.aspx", and when I try to access the page by IP I get http://[IP]/login.aspx?ReturnUrl=%2f, but it works fine if I access it directly.
This is the settings from web.config
<authentication mode="Forms">
  <forms protection="All" loginUrl="login.aspx" name="CookieName" timeout="49200" requireSSL="false"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
I've already tried to solve this with some of the suggestions that are written here [ Forms Authentication Ignoring Default Document ]
, but with no luck.
I want to solve it by configure somehow the server and not the application.
Thanks
SOLUTION
I don't know if it is the correct one, but I change the mode of the application pool into classic instead of integrated.
Add the following to the web.config and it will allow you to access Default.aspx without requiring prior authentication. All other pages will require authentication.
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Just because a document is added as the default within the IIS configuration does not mean it bypasses the FormsAuthentication.
For me, removing the ExtensionlessUrl-* handler mappings in IIS Manager for the site in question did the trick. Even though all this does is add the relevant entries to web.config that I had already tried with no luck.

Authentication settings in IIS 7.5 and ASP.Net, what is difference?

I just started learning web programming using IIS 7.5 on Windows 2008 R2 and ASP.Net 4.
I notice that both IIS and ASP.Net can define Authentication rules. In IIS, there is a form authentication setting where I can redirect user to specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirected to the login.aspx page. But it wasn't. So I am confused. How do the two sets of configs work together? And why is the page request not redirected?
Thanks
Update
Finally I got it working and I think I understand it now. My website structure is like below:
It is about modifying Authorization rules. Deny all unauthorized users for root:
<authorization>
  <deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
  <allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
  <deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS for authentication (in your case, Forms authentication), it also changes your mapped project's web.config file with the same settings. That's why you see the same information in both modules.

ASP.NET Authentication doesn't work

I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accessible for everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Empresas">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
This way, when I access to the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" for "deny users=*", then I can't access even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to make some pages private?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users
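Every thread on this page turns on the same three facts about ASP.NET URL authorization: rules are evaluated top to bottom and the first match wins; rules from a child folder's web.config or a <location> element are merged ahead of the parent's rules; and users="*" means everyone while users="?" means only unauthenticated (anonymous) requests, with a request that matches no rule being allowed because the machine-level root web.config ends with allow *. The simulator below is an added example written for this page, not code from any of the posts or from ASP.NET itself; it implements those merge rules in Python (so it can be run anywhere, without IIS) and feeds it the authorization fragments quoted above, reduced to their <authorization> parts. The /ws folder name, the DOMAIN\other, myDomain\alice and myDomain\bob principals, and the request paths are constructed for the example. Two scenarios show things the posts only hint at: a request for "/" does not match <location path="Default.aspx">, which is what bites the default-document question in IIS 7 integrated mode, where URL authorization runs before the DefaultDocument module has rewritten "/" to "/default.aspx"; and a root config of allow roles="…" followed by deny users="?" still admits every authenticated user who is not in the group, because nothing denies them. Note that the simulator models ASP.NET's authorization stage only: the 401.2 in the opening question is raised earlier, by IIS authentication, which is why the answer to the images question points at the IIS authentication settings rather than at <system.web><authorization>.

```python
"""Simulator of ASP.NET URL authorization rule merging (added example).

Modelled behaviour, as documented for UrlAuthorizationModule: rules are
checked top to bottom and the first match wins; rules of a more specific
scope (a <location> or a child folder's web.config) go ahead of the parent's;
users="*" is everyone, users="?" is anonymous only; with no match the request
is allowed (the machine root web.config ends with allow *). Paths are compared
case-insensitively, as IIS does.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    name: Optional[str] = None              # None means an anonymous request
    roles: set = field(default_factory=set)


@dataclass
class Rule:
    action: str                             # "allow" or "deny"
    users: set                              # lower-cased; may hold "*" or "?"
    roles: set                              # lower-cased

    def matches(self, p: Principal) -> bool:
        if "*" in self.users:
            return True
        if p.name is None:
            return "?" in self.users
        return p.name.lower() in self.users or bool(
            self.roles & {r.lower() for r in p.roles})


def _split(attr):
    return {v.strip().lower() for v in (attr or "").split(",") if v.strip()}


def _norm(path):
    return "/" + path.strip("/").lower()


def load_config(xml_text, app_dir="/"):
    """(scope, rules) pairs from one web.config: its own <authorization>
    applies to app_dir, and each <location path="x"> applies to app_dir/x."""
    root = ET.fromstring(xml_text.strip())
    holders = [(app_dir, root)] + [(app_dir.strip("/") + "/" + loc.get("path", ""), loc)
                                   for loc in root.findall("location")]
    scopes = []
    for scope, holder in holders:
        authz = holder.find("system.web/authorization")
        if authz is not None:
            scopes.append((_norm(scope), [Rule(el.tag, _split(el.get("users")), _split(el.get("roles")))
                                          for el in authz if el.tag in ("allow", "deny")]))
    return scopes


def authorize(scopes, request_path, p):
    """Evaluate the merged rules for one request; returns (allowed, reason)."""
    path = _norm(request_path)
    applicable = [(s, r) for s, r in scopes
                  if path == s or path.startswith(s.rstrip("/") + "/")]
    applicable.sort(key=lambda sr: len(sr[0]), reverse=True)  # most specific scope first
    for scope, rules in applicable:
        for rule in rules:
            if rule.matches(p):
                return rule.action == "allow", f"{rule.action} rule in scope {scope}"
    return True, "no matching rule: default allow from the root web.config"


# The page's configurations, reduced to their authorization parts.
PARENT_CFG = """<configuration><system.web><authorization>
  <deny users="*" /></authorization></system.web></configuration>"""
CHILD_CFG = r"""<configuration><system.web><authorization>
  <allow users="DOMAIN\username" /></authorization></system.web></configuration>"""
FORMS_CFG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="Default.aspx"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
</configuration>"""
GROUP_CFG = r"""<configuration><system.web><authorization>
  <allow roles="myDomain\mySecurityGroup" /><deny users="?" />
</authorization></system.web></configuration>"""


def scenarios():
    """Requests against those configs; user names and the /ws folder are made up."""
    ws = load_config(PARENT_CFG) + load_config(CHILD_CFG, "/ws")   # child folder /ws
    forms, group = load_config(FORMS_CFG), load_config(GROUP_CFG)
    anon, owner = Principal(), Principal(r"DOMAIN\username")
    member = Principal(r"myDomain\alice", {r"myDomain\mySecurityGroup"})
    return {
        "ws: the named user reaches the service": authorize(ws, "/ws/Service.asmx", owner)[0],
        "ws: another domain user is denied": authorize(ws, "/ws/Service.asmx", Principal(r"DOMAIN\other"))[0],
        "ws: parent folder denies even that user": authorize(ws, "/Default.aspx", owner)[0],
        "forms: /Default.aspx is open to anonymous": authorize(forms, "/Default.aspx", anon)[0],
        "forms: a request for / hits deny ? first": authorize(forms, "/", anon)[0],
        "group: group member is allowed": authorize(group, "/Report.aspx", member)[0],
        "group: any other authenticated user gets in too": authorize(group, "/Report.aspx", Principal(r"myDomain\bob"))[0],
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

Run it and the "group" pair is the one to look at: if only group members should get in, the root rules need an explicit <deny users="*"/> after the allow, exactly as in the opening question's config.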
