ASP.NET web.config authorization settings ignored - asp.net

I have an asp.net (dynamic data) website set up as an application in a subdirectory of another site. This site requires different security settings from the top level site. Something like:
<authorization>
<allow roles="ADMIN"/>
<deny users="*"/>
</authorization>
These settings are ignored in the sub site. However, they work on the top level site, but even when set on the top level site, they are not inherited by the sub-site, and it's freely accessible. What could cause these settings to be ignored? I've tried adding:
<location path="." inheritInChildApplications="false">
to the top level web.config and then setting the above authorization rule in the sub site, even tried just denying all users. When visiting the site it looks like: http://mysite/mybrokensite
I am using windows authentication.

I think the key thing is this
website set up as an application in a
subdirectory of another site
If it's a separate application within IIS it should have it's own web.config file and the security settings can be set from there. So you'll have one web.config for the main site and one for the subsite. really they are two applications.
If it's just a subfolder under your website then this doesn't apply. It depends how you've set it up under IIS. If it's a seperate app then the icon will be a world/cabbage type icon. If it's a sub-folder they the icon will be ... well a folder.

To elaborate on Tim's answer, make sure in IIS that it is set up as a virtual directory. Look at the property page for that directory in IIS Admin, Directory (or Home Directory) tab. If the Application label is greyed out, hit the Create button. Now IIS will load the web.config from that directory.

I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

Related

IIS 7.5 and making anonymous authentication/forms authentication play nicely together

I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.

Developing public site using vs 2010, authentication should be?

I'm developing a public web site in vs2010,
can I keep the authentication as windows authentication and just enable anon access
or should I leave it with the default forms authentication.
The site will NOT require any type of logging in mechanism...so really I dont see a point in forms authentication, but most users will not have windows authentication either.
So I am confused, in my asp.net web.config file what authentication do I use for a public website?
I also asked this question which is kind of related: developing site in vs2010 but changed to local IIS and prompts
But I am not having any luck with this :(. The site when using local IIS keeps prompting for a user name and password (See the stackoverflow question I posted above), ive checked the app pools, the security, and the permissions and it still prompts me for a user name and password. It prompts me about 10 times and if I keep cancelling out of it the page comes up but the images are not displayed nor is the CSS rendered. So it looks like it prompts for each image on the site, but all folders inherit from the parent and I've added Network, Network service, ASPNET user, the default app pool user...I dont know what else to do.
So two issues:
1) What do I specify in my web config for a public site
2) How do I get rid of this prompting!
Thanks
You don't need to specify specify any authentication. Just deploy it as is, with the Web.Config out of the box.
<authentication mode="None" />
Go here for more reading.
Because it is prompting you with a login dialog, try using an authorization element in your web.config file with any authentication you like. Use "*" to allow access to all users by default. Refer to this article for more detail.
<authorization>
<allow users="*" />
</authorization>
Your web.config file has two sections that control requests for login. These are
<authentication> ... </authentication>
and
<authorisation> --- </authorization>
Authorization controls who can access what, and Authentication determines how the credentials of a particular user are established to see if they have the correct authorization to access your site.
An example of their usage might be
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="40320" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
which allows access to all users to the root of my applications and their credentials are determined using forms authentication.
Other parts of your site are allowed to have alternate authorization requirements through the use of a location tag in your web.config
However, neither section is required if no part of your site requires this functionality. However, you should be aware that there other places that this might be determined. There is a file called machine.config that determines the settings for the machine. Your web.config has priority over the machine.config, but if the authorization and authentication settings are made in the machine.config and not in you web.config then the machine.config wins.
Hope that helps. If you can post your web.config that might help us to point you in the right direction.

ASP.net quick and dirty authentication

I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ, however I'd like to set-up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog
To enable Windows Authentication
within an ASP.NET Application, you
should make sure that you have
“Integrated Windows Authentication”
(formerly called NTLM authentication)
enabled within IIS for the application
you are building. You should then
add a web.config file to the root
directory of your ASP.NET application
that contains an
section which sets the mode to
“Windows”.
You should also then add an
section to the same
web.config file that denies access to
“anonymous” users visiting the site.
This will force ASP.NET to always
authenticate the incoming browser user
using Windows Authentication – and
ensure that from within code on the
server you can always access the
username and Windows group membership
of the incoming user.
The below web.config file demonstrates
how to configure both steps described
above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
<system.web>
<authorization>
<allow roles="MyRole, AnotherRole" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference

Multiple/Different authentication settings in web.config

How would I go about setting different authentication tags for different parts of my web app? Say I have:
/
/folder1/
/folder2/
Would it be possible to specify different <authentication/> tags for each folder?
I want folder1 to use Windows authentication but folder2 use Forms authentication.
I tried doing in a <location/> tag but it doesn't look like you can have <authentication/> tags in a <location/> tags, at least not via VS 2008 with it's built in webserver.
This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
<location path="/folder1">
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can only have <authentication /> on the top level web.config. You may have to create multiple applications. ie you can create an application within an application and use different authentication modes in each one.
I think you can set the forms authentication authorization on folder1 to
<allow users="*" />
then control the windows access via setting windows permissions on the folder.
I haven't tried it, but I can't think of why that wouldn't work.
These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.
Once you done this, the folder will have a different icon in the IIs manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.
More information available at Creating Applications.

Resources