ASP.NET 3.5 IIS7 Roles Security Implementation - iis-7

I'm working on a ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unpriviledged eyes. So I'm still looking for help.

Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>

Related

Restrict access to entire website

How can I restrict access to the root folder and all sub folders of my website? I have an ASP.Net Webforms application using Identity for authentication. Users will have accounts created for them. When a user goes to the website the first thing they should see is the login page. I've tried "/", "~/", "", values in the Location tag, as well as simply not having the location tag in the web.config file but none of these produces the desired result.
<location path="/">
<system.web>
<authorization>
<allow users="user1#mydomain.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<pages>
<namespaces>
<add namespace="System.Web.Optimization"/>
<add namespace="Microsoft.AspNet.Identity"/>
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
</controls>
</pages>
<membership>
Remove the <location> element and try the following config:
<system.web>
<authentication mode="Forms">
<forms name="FormsAuth" loginUrl="/your-login-path" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
There may be further adjustments you'll need to make on the <forms> element depending on your enviroment/setup etc, but this should get you going.
EDIT
The above doesn't work for ASP.Net Indentity. The only way I could get this to work was creating individual <location> elements for every page, in the root and subfolder web.config, explicitly denying or allowing users as needed.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
...
</system.web>
In your Root Web.Config Add:
<authorization>
<deny users ="?"/>
</authorization>
In your Account/Web.Confing Add:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
That worked for me

Can't access css after adding <authentication> to web.config

The webpage that I am creating can't access the CSS file.
Take a look at my webconfig:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="MySql.Data, Version=6.2.5.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
</system.web>
<location path="css">
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="Login.aspx" protection="All" path="/" timeout="60"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I found some answer here:
Authorization Issue - anonymous users can't access .jpeg or .css
But when I tried to put
<location path="css">
on top of 'system.web' it didn't work. Please help me fix this. Thanks for all your help guys!
The location tag has to be a direct child of configuration
Put this under your existing <system.web>
<configuration>
<system.web>
...
</system.web>
<location path="css">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
as you are using <authentication mode="Forms"> and protection="All" so you can't access any file other than loginUrl without login.
If you want to access any file or folder without login you should tell this in you web.config file as follows
<location path="file_name">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Or if you want any folder to be accessible without login then you should be using this as follow
<location path="folder_name">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The tag <allow users="*" /> works for you. It allows the user to access that path without login.
Here are some good links
http://msdn.microsoft.com/en-us/library/b6x6shw7%28v=vs.71%29.aspx
http://msdn.microsoft.com/en-us/library/ms178692%28v=vs.100%29.aspx

Allow anonymous user to browse the Style and Images folder

I am writing an ASP.NET web application.
I have a login screen that has some CSS styles and images on it. I ran into an issue where the styles and images weren't displaying. I read online and it said I needed a web.config inside my Content folder. I added the following to the web.config:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
This seemed to work on my local machine. However, when I publish to inetpub on the server, it does not work.
Here is my folder structure:
Login/Login.aspx - my login screen
Content - this is my root content folder
Content/Styles - this is where my CSS is housed
Content/Images - this is where my images are stored
I tried putting the same web.config inside Styles and Images as well but that didn't work either.
Any help would be appreciated.
Updated:
Here is what I have in my main web.config related to user access:
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Updated 2:
Here is all that's in my root web.config besides connection string info:
<system.web>
<httpRuntime requestValidationMode="2.0"/>
<compilation debug="true" targetFramework="4.0"/>
<sessionState cookieless="UseCookies"/>
<authentication mode="Forms">
<forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
</providers>
</roleManager>
</system.web>
<location path="Content" allowOverride="false">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
Could there be something in here interfering with the user access?
See my answer here. Some people would recommend putting a web.config file in the folder you want to be open to the public, but I prefer to monitor everything from the root web.config element. Basically, you insert the same snippet that you already have, but into the web.config file in the root of your website. Don't forget the "allowOverried=false" attribute, too. :)
Something else than can be really tricky is getting the path right. Make sure you've got it just right! :)
<location path="Path to your folder" allowOverride="false">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Basically, you want to allow any user to access files in the Content folder.
add this to your main web.config:
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I realize this is an old question, but I had this same trouble and hope this helps someone.
In my case, I had to alter the Authentication settings in IIS to let it work. This sounds like what happened once you moved it to a remote server where the default configuration may have been different.
We have Windows Authentication mode enabled by default, but when the web.config specifies Forms Authentication, it will actually enable both of them on in the IIS configuration.
With your web.config, you have something like this
<system.web>
<authentication mode="Forms">
<forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<!-- ...etc... -->
</system.web>
If the server you moved to has Windows Authentication enabled, it will look like this in IIS
Notice both Forms and Windows are enabled, despite your config saying only Forms. What this will do is undermine your added web.config files in the subdirectories.
When you have the below in your Content folder, it appears to have a conflict with Windows vs Forms and no matter what you put, it doesn't appear to honor your web.config
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are in this same situation, make sure to disable Windows Authentication, or any other unused authentication modes, like in the image below. You need to also make sure Anonymous is enabled to allow it to be open to all.
Hope this helps someone.
By way of documenting what helped in my case:
This discussion was useful
I had another application where I didn't have the problem and the only difference was that IUSR had permissions in the folders. Adding IUSR permissions helped
Using 'inspect' in the browser to display the console makes it clear when files are not accessible (otherwise local caching obscures the results)
I tried using web.configs at various levels as described above but those solutions didn't work for me.

Web.config Forms Auth > protect root but allow access to subdirectory

Here's my problem...
I have a website running in II7 integrated pipeline mode and I want to enable forms auth on the entire website apart from the '/secure/' directory which contains the login form.
My web config currently looks something like this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="secure/login.aspx" protection="All" path="/" timeout="999999" slidingExpiration="true" enableCrossAppRedirects="true">
<credentials passwordFormat="Clear">
<user name="user1" password="xxxxxx"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="user1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="secure">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<!--Enabling Forms Authentication for the Entire Application-->
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
When I visit the website URL I just get an endless loop of redirects. I've tried putting the location specific auth rules above the system.web section but this had no effect.
Any ideas?
Cheers,
Robin
Access permissions are hierarchical. That is if you are forbidden to access some parent, you are forbidden to access all of its children, no matter what permissions are set to children.
You can move login form to the root directory and set permissions for the form - it will work.

ASP.NET Active Directory roles - managing overlapping roles

I'm probably missing something easy here, but I've never done this before, so I thought I'd ask the Stackers.
I've implemented Windows Authentication on my ASP.NET app (IIS 7.5). I have rules for both the application (system.web) and IIS (system.webServer) that deny anonymous users, deny built in admins, and allow members of "Demolitions Repayment".
The trouble is, I am a built in admin AND in "Demolitions Repayment", but I'm locked out. Is it a matter of precedence?
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" defaultRedirect="~/errors/Unknown.htm" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<deny roles="BUILTIN\Administrators" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
<add accessType="Deny" roles="BUILTIN\Administrators" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>
Try denying all users (authenticated and not authenticated) and then grant only a certain role:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?,*" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?,*" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>

Resources