I tried to do something in IIS which I though is very simple, but I am unable to make it work.
I created a web page with simple html+js page and web api backend. (It means I have one single plain old html page with one single JavaScript file and it uses AJAX call back to the same server to get data from backend. The backend is written in C# with .NET Framework 4.7 and current version of ASP.NET. It is not MVC, it is not .NET Core, it is not ASP.NET Core.)
Now I want to allow this web page only for some users on local network and I expect this can be somehow configured in web.config file. The IIS is running on a computer in a domain, so I set up the web application in its web.config to use Windows authentication and provided the list of allowed users in authorization section (the user accounts are in the same domain as the web server). I though this would prevent other users to access the web, but apparently all authenticated users can display it. So it seems that Windows authentication works correctly, but there is no authorization check performed and all users are allowed. Can this be done easily in web.config in this kind of html+js+webapi scenario?
Currently, the related section in web.config looks like this:
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="alloweduser1,alloweduser2" />
</authorization>
</system.web>
Try :
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authorization>
<allow users="domain\alloweduser1,domain\alloweduser2" />
<deny users="*" />
</authorization>
</system.web>
Related
I know that this has been asked before here, but I couldn't find a way to fix this. I'm using VS 2022/MVC 5/IISExpress and these are my configs:
web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
And these lines in my vbproj file:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
According to the approved solution in this post the above should work, but doesn't. I am logged in to Windows using my domain account and have been added to local administrators group (Of course I'm not a domain admin, just a standard user). I can login to my web app using my own domain account, but not with other domain accounts (I have tried two different accounts). Any credentials other than mine is rejected by application. How can I fix it?
I have one server, which allows users to host their web app free of cost.
In server I have 4 different pools.
2 pools are for .Net Framework,
1 pool is for .Net MVC,
1 pool is for .Net Core 3.1
Each pools has 50+ appliations.
For security testing I have created one program, Which takes fullpath/location of file and read that file form IIS server. If any user upload that type of code in my server then they can assess any files.
Now, that is the issue with my server.
Now, I want to do, My users can access only their application resources not other's too.
But, I don't know how to do this.
In order to restrict users to access files in IIS, we could refer to the below configuration in root web.config file.
<location path="myfolder">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<!--for authentication, we should enable either windows authentication or form authentication in IIS authentication module.-->
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
It will restrict everything under Myfolder. In particular, rule out a specific file.
<location path="my.jpg">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
Feel free to let me know if there is anything I can help with.
I'm trying to secure a simple ASP.net website hosted on an internal IIS10 instance so that only a specific AD group can access it.
All my testing (and the final usage) would be internal to the same domain on which the IIS server resides - no external or cross-domain usage will occur.
Within Site Authentication I only have Windows Authentication enabled with a HTTP 401 Challenge response type. Enabled providers are Negotiate and NTLM (in that order), Extended Protection is Off and Kernel-mode authentication is enabled
In .NET Authorisation Rules I have no explicit Deny Rules.
If I add a 'Specified users' Allow Rule for my user account (and thus the user for which I'm testing access to the website) then I am able to access the website. At this point the relevant area of the web.config file looks like this:
<authorization>
<allow users="MYDOMAIN\MYUSERACCOUNT" />
</authorization>
If I remove that Allow Rule and add a 'Specified roles or user groups' Allow Row for an AD group for which my user account is a member of then I am unable to access the website and browsing to it prompts me for a Sign in dialog box which entering my AD credentials then gives a 401 error.
At this point the relevant area of the web.config file looks like this:
<authorization>
<allow roles="MYDOMAIN\AwesomeUsers" />
</authorization>
I've tried changing various Authentication settings (changing the order, disabling Kernel-mode authentication etc), adding the domain groups in the 'allow users' section in the Web.config but I just cant get AD group authentication working.
IIS isn't my strong point so would really appreciate any hints or tips I can try, Thanks! :)
try to use below code:
web.config:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\ADGROUP" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
applicationHost.config:
<configuration>
<location path="YOUR-APP">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
This is my web config below. All i'm really trying to do is deny all anonymous users to the entire site unless they have the cookie. However, nothing I do seems to be able to make the security work.
I'm using anonymous authentication enabled with application pool identity
and forms auth with cookies. The site always allows users in and it's driving me insane!
Thanks!
<configuration>
<location path=".">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Any and all help is welcomed!!
If you want to deny access to the whole site, then you don't need a location section. Just put the authentication and authorization sections directly in system.web, like so:
<configuration>
<system.web>
....
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="120" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
In IIS 7.5 under Windows 7 Utilmate, I have an application which is configured for authentication as follows:
Anonymous & Windows
In the ASP.NET Website, I have turned Forms authentication and identity impersonate = true
I also deny any anonymous users.
<authentication mode="Forms">
</authentication>
<identity impersonate="true"/>
<authorization>
<deny user="?">
</authorization>
IIS complains. What am I doing wrong...
What I want to achieve :I want the windows Logged On User so I can build a FormsAuthentication ticket and pass it to a Passive STS.
So in IIS I have anonymous and windows...If have only windows ticked, I cannot go onto the Login.aspx page as I have an extra parameter to be passed from there.
So now in webconfig, I then disable anonymous users by saying deny user="?" , so it leaves me with the authenticated windows user but using Forms Authentication.You know what I mean??
http://msdn.microsoft.com/en-us/library/ff649264.aspx
If you see Table 4 IIS Integrated Windows for IIS then Web.config setting 3rd row, accordingly WindowsIdentity is Domian\Username .It works on IIS 6.0 win2003/IIS 5.1 under XP
If this is an application that leverages claims based identity, then the responsibility of authenticating users is in the STS itself, not in the app.
If you are configuring your (web) application to trust an external STS, then your authentication mode would be "None" and you'd have a whole section in the config file for "Microsoft.identityModel". You would then configure the STS address there (the issuer attribute). Something like this:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://aexpense-dev.adatum.com/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Adatum.SimulatedIssuer/" realm="https://aexpense-dev.adatum.com/" requireHttps="true" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=localhost"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="f260042d59e14937984c6183fbc6bfc71baf5462" name="https://localhost/Adatum.SimulatedIssuer/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
The STS itself might use Forms authentication or something else, depending on the implementation.