I have a simple HTML site that I need to add windows authentication to so that I can limit certain resources.
I currently have the site running in a dev environment (IIS on my local machine) and I cannot seem to achieve the results that I need.
The main site needs to be open......anyone can access it. However, the subpages and their resources (downloadable pdfs and such) need to be blocked to certain AD security groups.
1) Using the web.config file below - the WHOLE site is asking for authentication (which is not what I want) and once I provide authentication, I am NOT being blocked from the location path that I provide.
2) This web.config IS NOT what my final one will look like, I was just testing to see if I could block a resource before I actually drop in my real allow/deny logic
Here is my simple web.config file:
<configuration>
<system.web>
<authentication mode="windows" />
</system.web>
<location path="district/district.html">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
To secure a Single Page or document in IIS 7.5 with Windows authentication simply follow these steps:
1. Open IIS 7 Manager.
2. Click on “Content View “at the bottom of the IIS 7 Manager and navigate to the file you want to password protect.
3. Right click on the target file and choose “Switch to Features View”.
4. Double click on Authentication under IIS Area.
5. Disable “Anonymous Authentication”.
6. And Enable “Windows Authentication”.
Related
I want to configure the IIS to accept only the request from users who belong to a particular AD Group. This configuration is required at Default Website level. So on Default Website I enabled Windows Authentication, went to Authorization rules option,choose Add Allow Rule and put the AD group in "Specified roles or user groups:".
This does not work with any AD group (for which I am a member). This work well when I put the AD user in the next option "Sepcified User" https://i.stack.imgur.com/hbqhK.png .
Can some one please help on what I am missing. As stated above I want to do it at Default Website level on IIS so there is no Web.config invovled.
Cheers.
Real old thread, but in case anyone Googling this issues comes across the same problem:
I could only get this to work with AD groups that are have their Group Type set to "Global" in AD. Ones set to "Security" wouldn't work for me.
In IIS this is specified under the "Roles" section on the IIS Authorization rules.
I have only Windows Authentication selected as an authentication method. Strange IIS bug?
Here is the web.config for reference
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="DOMAIN\TestGroup" />
</authorization>
</security>
</system.webServer>
</configuration>
On a windows server 2012r2 box with IIS 8.5, I have an plain html site with a web.config in it.
My config:
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows"/>
</system.web>
</configuration>
Unfortunately, IIS doesn't seem to be picking up my Authentication Mode setting. I could make this work in IIS by setting the auth type to be windows, but that would involve me updating every server. Isn't there some way for IIS to pull the configuration from the web.config so that the value is set correctly on deployment? This seems to be the case for almost everything else dealing with IIS and the web.config, so I would venture to say that I'm not doing something right.
is your site a sub application?
try adding
<authorization>
<deny users="?" />
</authorization>
or
<identity impersonate="true" />
So apparently IIS doesn't really listen to the web.config unless you unlock the corresponding section in the application host config.
qBernardhttp://forums.iis.net/members/qbernard.aspx posted the answer here: http://forums.iis.net/t/1146296.aspx?How+to+set+authentication+with+appcmd+exe+or+ServerManager
(here's what he said for when the link might break)
For appcmd, you can set it via /section:xxxx. all auth schemes are locked except Form, so you either unlock it first or commit it at apphost level (meaning store the config in applicationHost.config, which is not so good as in xcopy deployment via web.config file.
Example.
appcmd set config "default web site" /section:windowsAuthentication /enabled:true /commit:apphost
or unlock first:
appcmd unlock config /section:windowsAuthentication
appcmd set config "default web site" /section:windowsAuthentication /enabled:true
I have a website that is deployed on IIS 7.0 . The requirement i am looking for is very simple . The authentication at root level has form authentication enabled . But i need to disable forms authentication end enable windows authentication in one of the sub folders . But i am unable to do this ! I have tried differnt forums but nothing seems to work . Please help on this !
Problem is that with forms authentication enabled at the root level i am unable to disable forms authentication in one of the sub folders for which windows authentication needs to be enabled !
Please help!
This solution works for me, I have used it with ASP.NET applications with Forms Authentication to disable authentication:
<configuration>
...
<location path="subfolder/images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
...
</configuration>
However, as I far as I know you can't have 2 authentication methods inside the same application. In this scenario your described you need to create a "Virtual Directory" in IIS for the subfolder instead of making it a "Sub Folder".
The Virtual Directory will allow you to declare a new web.config where you set the new authentication method in this case Windows.
For a full walkthrough on how you can perform this please refer to this site:
http://msdn.microsoft.com/en-us/library/vstudio/bb763173(v=vs.100).aspx
I have a static site (i.e all html files, no .Net project) that is being hosted in Azure. I'm trying to password protect this site. I've read that I could create a custom authorisation module, which I've done, but I can't install this as I need to run a appcmd.exe command to allow the correct bit of the web.config to be edited.
Either; how can I password protect a static azure site, or how can I take advantage of the features of the ServiceDefinition.csdef without having a visual studio project?
On the management portal, you can configure that your site needs to use credentials. Credentials are managed via the Azure portal if you use this method.
You could use Forms Authentication which should be pretty straightforward to implement and won't require any startup task (necessary to run appcmd.exe).
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
response.redirect(/secure/securearea.html)
This unfortunately is the one page where you will need some server side code.
To optimize the images and automatically generate CSSprites use a microsoft package called Sprite Optimization and Image Preview 4
Error
Locally everything works perfectly, but to publish my site the following error occurs:
Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Attempt
In an attempt to resolve the problem within 'App_Sprites' folder, added the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="*" />
</authorization>
</security>
</system.webServer>
</configuration>
'blank.gif' image is not used anywhere in my application!
Inside the App_Sprites folder there are a only one subfolder called hire;
I believe that this framework is trying to write a blank.gif file to that directory. You need to give the account under which the IIS app pool runs write access to that folder in windows.