Allow/Deny users using web.config in Azure app service - azure

I have got an app service with 3 virtual paths shown below.
Virtual path Physical path Type
/ site\wwwroot Application
/app2 site\wwwroot\app2 Application
/app3 site\wwwroot\app3 Application
How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.
Allow sg1 to have access to my root /.
Allow sg2 to to have access to my root & /app2.
Allow sg3 to to have access to my root & /app3.
In my on-prem IIS box i was able to do something like below to control access.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="app2">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="app3">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg3"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can I replicate this in Azure app services?
I tried a simple base case, as per below. I can go to my / fine as it has no restrictions but I get the error The page cannot be displayed because an internal server error has occurred., when browsing to /app2
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="app2">
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<allow roles="GLOBAL\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Please help :(

Can I replicate this in Azure app services?
No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.
Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

Related

IIS Limit access to file + Basic Authentication

I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config, I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users to access this. Then to only allow a few users.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
</system.web>
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</system.web>
</location>
</configuration>
Try this:
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
--add the users you want here.
</authorization>
</system.web>
</location>
It depends on the rest of your web.config as to whether system.webserver or system.web applies.

Anonymous Directory in Azure Pack

I've recently created an MVC application that leverages Windows Authentication. I have a subdirectory named "EventReceivers" that a want to allow anonymous access on. I've updated my web.config with the proper location element and all works fine on Windows Server 2012 w/ IIS8. However, when I deploy the same project to Azure pack, the files in the EventReceivers directory prompt users for credentials.
Below is my web.config snippet. Any suggestions?
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow verbs="OPTIONS" users="*" />
<deny users="?" />
</authorization>
</system.web>
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
You must also disable windows authentication within the location element like so:
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>

Deny acces to any directory for everyone web.config

I wan't to deny acces to the directories for everyone in web.config. Is this possible? Or should be an Deny from ALL enough? I host this on a IIS server.
<location path="folder">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>

asp.net C# - set roles in web.config for subdirectory

**After login i am not able to access page.After login again redirect to login page.
I am using two level of folder structure. CMS folder contain two folder.
1. User.
2. Admin.
---CMS
----User
----Admin
Means CMS/{USER}{Admin}.**
In main web.config
In main web.config i am set loginurl and allow all user.
<system.web>
<compilation debug="true" targetFramework="4.0">
</compilation>
<authentication mode="Forms">
<forms name="HESCMS1.0" loginUrl="~/CMS/User/Login.aspx" timeout="40" slidingExpiration="true" cookieless="UseCookies" protection="All" requireSSL="false" enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
</system.web>
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
In User folder web.config:
Set role for admin user
<system.web>
<authorization>
<allow roles="CMSUserAdmin" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
In Admin folder web.config:
Set role for super admin.
<system.web>
<authorization>
<allow roles="CMSSuperAdmin"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This is my first post in stack so have not so much experience.

Forms Authentication & Virtual Directory

We're having trouble getting Forms Authentication to work with a virtual directory in IIS.
We have a main site, and then a microsite setup within a virtual directory. This mircosite has its own admin system within an "Admin" folder, which has authentication on it but currently it is not kicking in and the admin section is browsable by anyone.
The web.config with the admin folder has the following:
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<customErrors mode="RemoteOnly" defaultRedirect="~/Admin/Error.aspx"/>
</system.web>
</configuration>
Could anyone give me any clues as to why this might not be working?
Cheers!
What happens if you set this in the web.config at the root of your site instead:
<location path="MicroSite/Admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

Resources