Environment: IIS 6.0, ASP.NET 3.5
I have the need to secure just one file with Windows authentication and just want to ensure that I understand my options correctly.
Through IIS turn off anonymous access for the file I want to secure, and make sure Integrated Windows Security is checked
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
Is there a way to set up the web.config to control access to a single file? Will any of the security attributes help me here to lock down the single file?
Thanks in advance
Kevin
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
You can't mix authentication providers for a single app. So, e.g., you can't have Forms Authentication for ~/ and Windows Authentication for ~/Secure. You may be able to get around it by making ~/Secure another app in IIS - but that greatly complicates deployment and testing IMO.
I've run into this problem while trying to secure ASMX services with basic authentication from a domain, but being in the same app as Forms Authenticated pages. I ended up hacking in a basic auth challenge in the ASMX service itself to prompt for credentials.
This should be possible using the <location> tag.
http://support.microsoft.com/kb/316871
I know in the past I have done the opposite and used it to enable access to a single resource and denied all others to unauthenticated users. Should work the same in reverse.
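A web.config sketch of the <location> approach this answer describes, added here as an example and not part of the original post. The path Secure/Report.aspx and the group DOMAIN\ReportReaders are hypothetical placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- One authentication mode for the whole application. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Default for every other resource: anyone, including anonymous. -->
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Overrides the default for this one file only (hypothetical path,
       relative to the directory holding this web.config). -->
  <location path="Secure/Report.aspx">
    <system.web>
      <authorization>
        <!-- Rules are read top to bottom and the first match wins. -->
        <!-- "?" is the anonymous user: force a Windows logon. -->
        <deny users="?" />
        <!-- Assumed Windows group; replace with a real one. -->
        <allow roles="DOMAIN\ReportReaders" />
        <!-- "*" is everyone else: authenticated but not in the group. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6 these rules are enforced only for requests that reach ASP.NET, so a static file such as a .pdf or .doc is not covered unless its extension is mapped to the ASP.NET ISAPI filter; otherwise rely on the IIS anonymous-access setting and NTFS permissions for that file.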
If you want the web.config to apply then you need to ensure that the directory in which it is placed is an IIS virtual directory. That ought to do the trick as the web.config's security restrictions will govern all files in that directory.
Related
I have an ASP.NET MVC 3 app installed on IIS6 and I am getting ACL errors (401.3 errors) when trying to access it. It is running as a virtual app under the default web. I have gone through what I believe are the correct security settings on the respective folders.
I have given the Network Service and IUSER_ users access to the root folder of the default web. I have also given access to the microsoft.net, temp and system32 folders under c:\windows.
I still get the 401.3 error. When I set the app to use both anonymous and windows authentication I get prompted for credentials. Entering the credentials allows me to access the app. This means that there is some file/folder that needs permissions.
So I used FileMon to see what was going on. I hit the site and get the ACL error but I see no ACCESS DENIED errors in FileMon, nor do I see any reference to the site itself. It is like I never made a request. (Yes, I cleared my cache.)
I am tapped out on what to do next. Any suggestions on where to look to determine which resources need permissions?
Thanks in advance!
In order for MVC to work on IIS6, you need to make some configuration changes in IIS. Specifically, you should tell IIS to handle all requests, in order to ensure that the .NET routing engine kicks in.
http://haacked.com/archive/2010/12/21/asp-net-mvc-3-extensionless-urls-on-iis-6.aspx/
This is one of the best tutorials on getting MVC to work with IIS6.
We set up multiple websites based on a single assembly. All sites use Forms authentication mode, set in a single Web.config file. Now we need to set up an intranet site based on the same assembly (as well as the same Web.config file), but this time it should authenticate users with Windows authentication mode.
Can anyone give some guidelines about this?
It would be ideal if we can do it with an IIS7 module without tweaking the Web.config file.
Sounds impossible. You need to put the "Windows Authentication" site in its own directory. The Web.config (and linked configs) and License.config need to be unique for that site. But the rest of the application files can be an exact copy of the other dir.
I would like to apply a basic 2nd level of security by adding some form of web folder password protection, so that we only allow users with the global username and password to be able to access the logon page, where we are using forms based authentication.
I am not sure whether this is done from the IIS Manager (Windows 7) or by editing a web.config file?
If you google for "Forms Authentication IIS", first item returned is this:
http://msdn.microsoft.com/en-us/library/ff647070.aspx
This covers the issue well.
If you need to apply that to a particular folder, use location and authorization in web.config as below:
http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
I have been in the same situation. Given that you can't enable forms authentication and basic/windows authentication at the same time in IIS we ended up using Helicon Ape and .htaccess files for the digest based authentication and configured the web app itself to use forms authentication. It works well so far. We needed this because of client requirements. I wouldn't really recommend this in practice. It's fairly annoying for users having to log in twice.
I'm creating a website which, besides other tasks, will play some recorded files. These recorded files are on a remote server with a private IP address, so I've created a virtual directory which points to a shared directory on the mentioned server.
Now I'm able to play back the files using client-side controls like wmplayer. BUT the problem is that the sound file URLs are accessible without any authentication and authorization.
Is there any way to enforce .NET authorization and authentication (in web.config) on this virtual directory? (I should also mention that I cannot use solutions like HttpHandlers to download the files, because the files are streamed using IIS so that the user can navigate within a file without downloading all of it.)
Thanks
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?
I have an ASP.NET project which does some file access and manipulation; the methods which I use for file access are below. Now I need to access files in a shared folder on another server. How do I do that? I can easily change the file path to the shared folder path, but I get a "can't access" error because the shares are password protected.
As I understand it, I need to somehow send credentials to the remote server before executing the methods below. How do I do that?
new FileStream(@"c:\MyProj\file.doc", FileMode.OpenOrCreate, FileAccess.Write);
Context.Response.TransmitFile(@"c:\MyProj\file.doc");
Regards,
Tomas
An ASP.NET application (by default) will execute in IIS6 under the "ASPNET" computer account. You therefore have a couple of options:
Configure your ASPNET application to run under a (weak) domain account with permissions to access the remote computer's share
Set the permissions on the share to enable access to "Everybody" (not recommended)
Disable Forms authentication and use Windows authentication in your ASP.NET app. Turn off impersonation in web.config and IIS should pass the credentials of the user who is currently using your web application through to the underlying share (I think).
The latter option is only useful, of course, if your users all have domain accounts on your intranet, for instance. I'll continue to look around for ways to add credentials but I'm not sure off the top of my head if that's possible.
HTH,
Richard.