I am trying to get started with using IIS. I created a new site on IIS Manager, mapped it to a folder on my file system and added index.html to the folder. I have set the port to 85 for this site. When I try to access http://localhost:85/index.html, I get the following error message:
401.3 - Unauthorized - You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
I gave read access to everybody on the folder and tried again. I could then access the page.
I then compared the properties of my folder with those of wwwroot. I found that wwwroot had read access for IIS_IUSRS. When I did the same on my folder and tried again, I got the above error again.
I checked that anonymous access is enabled by default, but I still get this error.
Why does this happen? What is the correct way to resolve the problem?
I have struggled on this same issue for several days. It can be solved by modifying the security user access properties of the file system folder on which your site is mapped. But IIS_IUSRS is not the only account you must authorize.
In IIS management console, in the Authentication part of the configuration of your site, modify the "Anonymous authentication" line and check the account set as "Specific user" (mine is IUSR).
Give read and execution permission on the folder of your site to the account listed as the specific user.
OR
In IIS management console, in the Authentication part of the configuration of your site, modify the "Anonymous authentication" line by selecting "Identity of the application pool" instead of "Specific user".
Here is what worked for me.
1. Set the app pool identity to an account that can be assigned permissions to a folder.
2. Ensure the source directory and all related files have been granted read rights for the account assigned to the app pool identity property.
3. In IIS, at the server root node, set the anonymous user to inherit from the app pool identity. (This was the part I struggled with.)
To set the server anonymous user to inherit from the app pool identity, do the following:
1. Open IIS Manager (inetmgr).
2. In the left-hand pane select the root node (server host name).
3. In the middle pane open the 'Authentication' applet.
4. Highlight 'Anonymous Authentication'.
5. In the right-hand pane select 'Edit...' (a dialog box should open).
6. Select 'Application pool identity'.
TL;DR:
In most cases, granting access to the following account(s) (one or both) will be enough:
- IIS AppPool\DefaultAppPool
- IUSR
with Access Rights:
- Read & Execute
- List folder contents
- Read
That's it!
Read on for a more detailed explanation...
Open IIS and select your application.
On the right side click on Authentication.
Select "Anonymous authentication" here.
The following dialog pops up.
Grant access to the web application folder's ACL depending on what is selected in the pic above:
- Specific user: grant access for both IUSR (in my case) + IIS AppPool\DefaultAppPool
- Application pool identity: grant access for IIS AppPool\DefaultAppPool only
IIS AppPool\DefaultAppPool is the default AppPool account for new IIS web applications; if you have set a custom account, use that one.
Give the following permissions to the account(s):
- Read & Execute
- List folder contents
- Read
Since you're dealing with static content...
On the folder that acts as the root of your website, if you right-click > Properties > Security, does "Users" show up in the list? If not, click "Add...", type it in, and be sure to click "Apply" when you're done.
Try this solution:
https://serverfault.com/questions/38222/iis-7-5-windows-7-http-error-401-3-unauthorized
Also check if the user running the IIS AppPool has read access to that folder/file.
Have a look at this:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Also have a look at this:
http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis
Just in case anyone else runs into this. I troubleshot all of these steps and it turns out that because I unzipped some files from a Mac, Microsoft automatically encrypted the files without any notification. After hours of trying to set folder permissions I went in and saw the file names were green, which means the files were encrypted, and IIS will throw the same error even if folder permissions are correct.
1. Create a new site: right-click on the Sites folder, then click Add Site.
2. Enter the site name.
3. Select the physical path.
4. Select the IP address.
5. Change the port.
6. Click OK.
7. Go to Application Pools.
8. Select the site pool.
9. Right-click it, then click Advanced Settings.
10. Change the .NET CLR Version to "No Managed Code".
11. Change the Identity to "ApplicationPoolIdentity".
12. Go to the site home page, then click "Authentication".
13. Right-click Anonymous Authentication, then click "Edit".
14. Select Application Pool Identity.
15. Click OK.
boom!
For routes, add a web.config:
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="React Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
            <add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
          </conditions>
          <action type="Rewrite" url="/" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Another problem that may result in an unauthorized response is related to the providers used in the authentication setting in IIS.
In my case I experienced that problem if I set the Windows Authentication provider to "Negotiate". After I selected the "NTLM" option, access was granted.
More information on authentication providers:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/providers/
Please enable the following items in Windows 2012 R2
If you are working with Application Pool authentication (instead of IUSR), which you should, then this list of checks by Jean Sun is the very best I could find to deal with 401 errors in IIS:
1. Open IIS Manager, navigate to your website or application folder where the site is deployed to.
2. Open Advanced Settings (it's on the right-hand Actions pane).
3. Note down the Application Pool name, then close this window.
4. Double-click on the Authentication icon to open the authentication settings.
5. Disable Windows Authentication.
6. Right-click on Anonymous Authentication and click Edit.
7. Choose the Application pool identity radio button, then click OK.
8. Select the Application Pools node from the IIS Manager tree on the left and select the Application Pool name you noted down in step 3.
9. Right-click and select Advanced Settings.
10. Expand the Process Model settings and choose ApplicationPoolIdentity from the "Built-in account" drop-down list, then click OK.
11. Click OK again to save and dismiss the Application Pool advanced settings page.
12. Open an Administrator command line (right-click on the CMD icon and select "Run As Administrator"; it'll be somewhere on your start menu, probably under Accessories).
13. Run the following command:
    icacls <path_to_site> /grant "IIS APPPOOL\<app_pool_name>":(CI)(OI)(M)
For example:
    icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)
Especially steps 5 & 6 are often overlooked and rarely mentioned on the web.
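As an added diagnostic, not from any of the answers above, the following PowerShell script resolves which account an anonymous request to a site actually runs as (the app pool identity, plus the specific user such as IUSR when one is configured), checks the site folder's ACL for that account, and also flags EFS-encrypted files, the other cause of 401.3 mentioned in this thread. It assumes the WebAdministration module and a -SiteName you pass in; with -Fix it grants read-only (RX) rights rather than the Modify (M) right used in the icacls command above.

```powershell
# Added diagnostic (not from the original thread). Assumes the WebAdministration
# module (IIS 7.5+) and an elevated PowerShell session. -Fix grants read-only
# access (RX), not the Modify (M) right used in the icacls command above.
param([string]$SiteName = 'Default Web Site', [switch]$Fix)
Import-Module WebAdministration

$site = Get-Website -Name $SiteName
if (-not $site) { throw "Site '$SiteName' not found" }
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)

# Which account does an anonymous request run as? An empty userName means
# "Application pool identity"; otherwise it is the specific user (e.g. IUSR).
$anon = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
$principals = @("IIS AppPool\$($site.applicationPool)")
if ($anon.userName) { $principals += $anon.userName }

Write-Host "Site root:          $root"
Write-Host "Anonymous auth:     enabled=$($anon.enabled) userName='$($anon.userName)'"
Write-Host "Accounts to check:  $($principals -join ', ')"

# 1. Each account needs an Allow ACE with at least Read & Execute on the root.
#    Compare by SID so 'IUSR' matches the 'NT AUTHORITY\IUSR' entry in the ACL.
#    Rights inherited through groups (BUILTIN\Users, IIS_IUSRS) are not resolved.
$need  = [Security.AccessControl.FileSystemRights]::ReadAndExecute
$rules = (Get-Acl -Path $root).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
foreach ($p in $principals) {
    $sid = ([Security.Principal.NTAccount]$p).Translate([Security.Principal.SecurityIdentifier])
    $ok  = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $sid -and
        (($_.FileSystemRights -band $need) -eq $need)
    }
    if ($ok) { Write-Host "OK       $p has Read & Execute"; continue }
    Write-Warning "MISSING  $p has no direct Read & Execute ACE on $root"
    if ($Fix) { & icacls.exe $root /grant "${p}:(OI)(CI)(RX)" }   # inherits to children
}

# 2. EFS-encrypted files produce the same 401.3 even with a correct ACL
#    (the "green file names" case described in this thread).
$encrypted = Get-ChildItem -Path $root -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
if ($encrypted) {
    Write-Warning "$(@($encrypted).Count) EFS-encrypted file(s) under $root, first: $(@($encrypted)[0].FullName)"
    Write-Warning "Decrypt them (cipher.exe /d /s:`"$root`") or copy them in again without encryption."
}
```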
Not sure if this is the right place to ask but... We have an older application that is set up to use SSO, currently Azure ADFS. I want to use login.microsoft.com url instead of our organizational url that has been used in the past.
I replaced the currently working links in web.config with the endpoints from Azure
<appSettings>
  <add key="FederationMetadataLocation" value="https://login.microsoftonline.com/dfmi.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>
and
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="https://login.microsoftonline.com/0845a734g7-6d23-7c96-9f4x-3427v39n4sd5/wsfed/" realm="https://customdfmi.dfmi.net/" requireHttps="true" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>
I get to the sign-in page. When I put in the credentials it shows "AADSTS700016: Application with identifier 'https://customdfmi.dfmi.net/' was not found in the directory".
It is set up in Azure. Redirect URI is the exact copy of what's in web.config. What am I putting wrong in web.config? Do I need to put the Application ID somewhere in it? Any pointers would be great. Thanks!
Did you receive this message?
AADSTS700016
UnauthorizedClient_DoesNotMatchRequest - The application wasn't found in the directory/tenant.
This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the identifier value for the application or sent your authentication request to the wrong tenant.
Can Orchard work with AD and Windows authentication?
I need to allow only specific AD groups access to a blog. The rest of the site should be accessible to any valid domain user. The admin dashboard should only be accessible by another specific AD group.
[ update ]
At the suggestion of ViRuSTriNiTy, I tried the following:
- install the windowsauth module
http://gallery.orchardproject.net/Packages/Orchard.Module.AlexZh.WindowsAuthentication
- in the admin settings, I added a user for myself as "my-domain\my-user-name", where the domain name and user are mine.
- added a role to match an AD role that I am a member of and gave this role access to everything.
- switched the iis settings over to use windows auth, and turned off anonymous
- updated the web.config to use windows auth and specify the role that I setup previous
However, I can't get to the admin panel now. What could I be missing?
[ update 2 ]
After noticing the documentation link he provided (duh), I saw that I needed to enable Windows auth for the modules. So I enabled IIS anonymous again (so I could log in) and updated the settings for the modules, but I see no option under Settings\Users to enable Windows auth. Did it move?
I'm using v1.10.2.
You can use the module AlexZh.WindowsAuthentication.
Documentation: http://orchardwinauth.codeplex.com/documentation
First you need to change the Orchard.Web project properties (in Visual Studio, click on project + F4) to ...
Anonymous Authentication: Disabled
Windows Authentication: Enabled
... and then you need to change the Orchard.Web\Web.config to something like this:
<authentication mode="Windows">
  <forms loginUrl="~/Users/Account/AccessDenied" timeout="2880" />
</authentication>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<authorization>
  <allow roles="YourDomain\Domain Users" />
  <deny users="?" />
</authorization>
The permissions can be configured as usual based on Orchard roles.
I've been using this module for 2 years now and I'm pretty happy with it, but be aware that the module has several bugs:
- it might cause a deadlock, see https://github.com/OrchardCMS/Orchard/issues/7688
- it creates a new user when the logged-in domain user cannot be found in the Orchard DB; you might want to alter the class CustomAuthenticationService to avoid this (I can provide some code if you need it)
I have just started to learn the new Office 365 API. I also don't understand server-side programming very deeply. I have VS2013 and all prerequisites as pointed out in the link below. Some example with a Windows Desktop App worked. But when I take the example https://code.msdn.microsoft.com/Office-365-APIs-Get-d75d1c8a, it fails during setup in Service Manager after Sign-In to O365.
The error message: "Unsupported or invalid query filter clause specified for property '' appId of resource 'Service Principal' ". This message appears instead of the permissions in Service Manager. When I press OK, the "Sign In" item in Service Manager is still there - Authentication Failed.
Please help!
You need to remove the existing client id and settings from app.config (or web.config in web project). When I removed the following from App.config in the Office365Api.Demo project, I was able to register the app in my own Azure AD.
<add key="ida:ClientId" value="[put here your ClientID]" />
<add key="ida:RedirectUri" value="http://localhost/eb2c041088c22f67fecaffda29528308" />
<add key="ida:AuthorizationUri" value="https://login.windows.net/" />
I have a simple HTML site that I need to add windows authentication to so that I can limit certain resources.
I currently have the site running in a dev environment (IIS on my local machine) and I cannot seem to achieve the results that I need.
The main site needs to be open: anyone can access it. However, the subpages and their resources (downloadable PDFs and such) need to be restricted to certain AD security groups.
1) Using the web.config file below, the WHOLE site is asking for authentication (which is not what I want), and once I provide authentication, I am NOT being blocked from the location path that I provide.
2) This web.config IS NOT what my final one will look like; I was just testing to see if I could block a resource before I actually drop in my real allow/deny logic.
Here is my simple web.config file:
<configuration>
  <system.web>
    <!-- the mode value is case-sensitive: "Windows", not "windows" -->
    <authentication mode="Windows" />
  </system.web>
  <location path="district/district.html">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
To secure a Single Page or document in IIS 7.5 with Windows authentication simply follow these steps:
1. Open IIS 7 Manager.
2. Click on “Content View “at the bottom of the IIS 7 Manager and navigate to the file you want to password protect.
3. Right click on the target file and choose “Switch to Features View”.
4. Double click on Authentication under IIS Area.
5. Disable “Anonymous Authentication”.
6. And Enable “Windows Authentication”.
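The same result, scripted, as an added example that is not part of the original answer: it disables anonymous and enables Windows authentication for one file only, then uses IIS URL authorization to allow a single AD group. The site name 'MySite' and the group 'YOURDOMAIN\District Staff' are placeholders.

```powershell
# Added example (not from the original thread). Assumes the WebAdministration
# module, the IIS "URL Authorization" role service, a site named 'MySite', and
# a placeholder AD group; adjust all three.
Import-Module WebAdministration
$site    = 'MySite'
$page    = 'district/district.html'          # path relative to the site root
$adGroup = 'YOURDOMAIN\District Staff'       # placeholder group name
$loc     = "$site/$page"

# The authentication sections are locked at server level by default, so the
# per-file override is written as a <location> in applicationHost.config
# (PSPath 'IIS:\' + -Location) rather than into the site's web.config.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# IIS URL authorization applies to static files too (unlike <system.web>
# <authorization>, which by default only guards requests handled by ASP.NET):
# drop the inherited allow-all rule for this path and allow only the AD group.
$authz = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $authz `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $authz `
    -Name '.' -Value @{ accessType = 'Allow'; roles = $adGroup }

# Show the effective authorization rules for the protected page.
Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter "$authz/*" |
    Select-Object accessType, users, roles
```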
To optimize the images and automatically generate CSS sprites, I use a Microsoft package called Sprite Optimization and Image Preview 4.
Error
Locally everything works perfectly, but when I publish my site the following error occurs:
Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Attempt
In an attempt to resolve the problem, within the 'App_Sprites' folder I added the following web.config:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
The 'blank.gif' image is not used anywhere in my application!
Inside the App_Sprites folder there is only one subfolder, called hire.
I believe that this framework is trying to write a blank.gif file to that directory. You need to give the account under which the IIS app pool runs write access to that folder in Windows.