**After login I am not able to access the page. After login it redirects to the login page again.
I am using a two-level folder structure. The CMS folder contains two folders.
1. User.
2. Admin.
---CMS
----User
----Admin
Means CMS/{USER}{Admin}.**
In main web.config
In the main web.config I set the loginUrl and allow all users.
<system.web>
<compilation debug="true" targetFramework="4.0">
</compilation>
<authentication mode="Forms">
<forms name="HESCMS1.0" loginUrl="~/CMS/User/Login.aspx" timeout="40" slidingExpiration="true" cookieless="UseCookies" protection="All" requireSSL="false" enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
</system.web>
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
In User folder web.config:
Set role for admin user
<system.web>
<authorization>
<allow roles="CMSUserAdmin" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
In Admin folder web.config:
Set role for super admin.
<system.web>
<authorization>
<allow roles="CMSSuperAdmin"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This is my first post on Stack, so I do not have much experience.
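A simplified model of ASP.NET's first-match URL authorization, run over the rules from the question; this is an added example, not part of the original post and not ASP.NET's own code, and the user name `alice` and all function names are hypothetical. It shows that under the User-folder rules a signed-in user whose principal carries no `CMSUserAdmin` role is still denied, and forms authentication answers a denial with another redirect to the login page.

```python
import xml.etree.ElementTree as ET

# Constructed from the configs in the question. Each value is one
# <authorization> section; callers list them most specific first.
LOGIN_PAGE = '<authorization><allow users="*"/></authorization>'
USER_DIR = '<authorization><allow roles="CMSUserAdmin"/><deny users="*"/></authorization>'
ROOT = '<authorization><allow users="*"/></authorization>'


def _csv(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def rule_matches(rule, user, roles, verb):
    """True when one <allow>/<deny> element applies to this request."""
    verbs = _csv(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:
        return False
    users = _csv(rule.get("users"))
    name = "?" if user is None else user.lower()  # "?" stands for anonymous
    if "*" in users or name in users:
        return True
    return bool(_csv(rule.get("roles")) & {r.lower() for r in roles})


def decide(sections, user=None, roles=(), verb="GET"):
    """First matching rule wins; sections are searched child before parent."""
    for xml_text in sections:
        for rule in ET.fromstring(xml_text):
            if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles, verb):
                return rule.tag
    return "allow"  # assumed machine-level default: <allow users="*"/>


def check_user_folder():
    """Decisions for a page under CMS/User and for its Login.aspx."""
    page = [USER_DIR, ROOT]
    login = [LOGIN_PAGE, USER_DIR, ROOT]
    return {
        "anonymous -> Login.aspx": decide(login),
        "anonymous -> page": decide(page),
        "signed in, no roles -> page": decide(page, user="alice"),
        "signed in, CMSUserAdmin -> page": decide(page, "alice", ["CMSUserAdmin"]),
    }


if __name__ == "__main__":
    for case, verdict in check_user_folder().items():
        print(f"{case}: {verdict}")
```
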
Related
I have got an app service with 3 virtual paths shown below.
| Virtual path | Physical path | Type |
|---|---|---|
| / | site\wwwroot | Application |
| /app2 | site\wwwroot\app2 | Application |
| /app3 | site\wwwroot\app3 | Application |
How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.
Allow sg1 to have access to my root /.
Allow sg2 to have access to my root & /app2.
Allow sg3 to have access to my root & /app3.
In my on-prem IIS box I was able to do something like below to control access.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="app2">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="app3">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg3"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can I replicate this in Azure app services?
I tried a simple base case, as per below. I can go to my / fine as it has no restrictions, but I get the error "The page cannot be displayed because an internal server error has occurred." when browsing to /app2.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="app2">
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<allow roles="GLOBAL\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Please help :(
> Can I replicate this in Azure app services?
No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.
Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
We have tried the code below in web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
In your web.config, at the bottom just before the closing configuration tag, put the following:
<location path="WebResource.axd">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="ScriptResource.axd">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config. I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users from accessing this, then allow only a few users.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
</system.web>
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</system.web>
</location>
</configuration>
Try this:
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
<!-- add the users you want here -->
</authorization>
</system.web>
</location>
It depends on the rest of your web.config as to whether system.webserver or system.web applies.
I've recently created an MVC application that leverages Windows Authentication. I have a subdirectory named "EventReceivers" that I want to allow anonymous access on. I've updated my web.config with the proper location element and all works fine on Windows Server 2012 w/ IIS8. However, when I deploy the same project to Azure pack, the files in the EventReceivers directory prompt users for credentials.
Below is my web.config snippet. Any suggestions?
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow verbs="OPTIONS" users="*" />
<deny users="?" />
</authorization>
</system.web>
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
You must also disable Windows authentication within the location element like so:
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
I want to secure the application pages in SharePoint 2013 with Claims authentication, but it does not seem to be working.
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
However, it works with Windows-based authentication.
Update: 21-May-15:
I have fixed this:
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="0#.w|demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
However, it is not authorizing the AD group. I have tried as mentioned below.
<allow users="c:0+.w|demo\group1"/>
<allow roles="c:0+.w|demo\group1"/>
<allow users="0+.w|demo\group1"/>
<allow roles="0+.w|demo\group1"/>
<allow users="demo\group1"/>
<allow roles="demo\group1"/>
<allow users="c:0+.w|sid"/>
<allow roles="c:0+.w|sid"/>
<allow users="0+.w|sid"/>
<allow roles="0+.w|sid"/>
<allow users="sid"/>
<allow roles="sid"/>
How do I authorize both the individual user and AD groups?
Update: 22-May-2015
<location path="_layouts/15/viewlsts.aspx">
<system.web>
<authorization>
<allow users="Group1" />
<allow users="Domain\Group1" />
<allow users="0#.w|Domain\Group1" />
<allow users="c:0+.w|Domain\Group1" />
<allow users="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="Group1" />
<allow roles="Domain\Group1" />
<allow roles="0#.w|Domain\Group1" />
<allow roles="c:0+.w|Domain\Group1" />
<allow roles="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<deny users="*" />
</authorization>
</system.web>
</location>
Still it is not working.
The prefix is different for groups.
Have you tried this?
<allow users="c:0+.w|demo\group1"/>
If it works, you can then authorize groups and users like this:
<allow users="c:0+.w|demo\group1,0#.w|demo\user1"/>