authenticate file in _layouts folder - sharepoint

I have a public facing website www.abcd.com .. I have added a file "Authenticated.html" in _layouts folder of it. so now when user is going to this url
www.abcd.com/_layouts/authenitcated.html ... one can see all the content in it. I want this particular file to be only shown to authenticated users and asks for authentication. If there is any way i can achieve this?

Here is a couple of alternatives:
Put the following into _layouts/web.config:
<location path="Authenticated.html">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Or as I'd prefer change your extension from html to aspx and put these two lines at the top:
<%# Assembly Name="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"%>
<%#page Inherits="Microsoft.SharePoint.WebControls.LayoutsPageBase" %>

Alrite I figure it out...go to IIS select the web application you want...go to the file in _layouts folder you want to authenticate ->properties->File Security->uncheck anonymous access...

Related

404 Custom errors not shown for aspx extensions

I created a 404.html page and set it in Error Documents. It works well for everything except aspx pages. How can I redirect those pages also?
Thanks
As far as I know, if you want to show custom 404 error in asp.net web form application, you should use the asp.net custom error page not IIS error page.
About how to set it ,you could refer to below config.
<system.web>
<customErrors mode="On" >
<error statusCode="404" redirect="error.html"/>
</customErrors>
</system.web>
Notice: The error.html should put in your asp.net web applicaton's root path.
More details,you could refer to below article:
https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/displaying-a-custom-error-page-cs

static HTML site on Azure; 500.19 error; configuration section 'customerrors' cannot be read be read...missing a section declaration

I have inherited the occasional duties for updating my agency website. The website is a very basic, static HTML site that runs on Azure. Only gets updated with new PDF documents. A few weeks ago I got notified by some security people wanting the website to NOT display a yellow screen of death and instead only show a generic 500 status page. The yellow screen of death says that the web.config file can be modified to do this. OK, fine by me.
After looking it appears I don't have a web.config file so I created one but when I copy it via FTP to my Azure account it immediately kills the website. After looking in the error logs in Azure I see that there is a "500.19 error; configuration section 'customerrors' cannot be read be read...missing a section declaration".
Here is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<customerrors mode="off" />
</system.web>
</configuration>
Any ideas on what is going on? Thanks!
To handle 500 errors, aka Yellow Screens of Death, the following is added to the web.config, again shown as a config transformation.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="500.aspx" redirectMode="ResponseRewrite" xdt:Transform="SetAttributes">
<error statusCode="500" redirect="500.aspx" xdt:Transform="Insert" />
</customErrors>
</system.web>
</configuration>
The 500.aspx page added to the site root contains the following markup at the top of the file:
<%
Response.StatusCode = 500;
Response.TrySkipIisCustomErrors = true;
%>
Note: This is not ideal for a multi-site environment where the 500 page should be site-specific. To account for this, add logic to the 500.aspx page to transfer requests appropriately given the hostName requested.
For more details, you could refer to this article.

Turn off / Disable windows authentication for asp.net-mvc

I created a new asp.net-mvc project and during setup I chose to use Windows Authentication.
Now I like to turn it off(at least for a while).
I changed the web.config to this
<authentication mode="None" />
But that does change anything. It will still prompt me. I am using the IIS Express.
UPDATE: I mean it still prompts me when using Firefox. Internet Explorer will continue and not show my domain username
1.) Close VS
2.) Remove the .vs/config or the .vs folder next to your solution. The IIS Express regenerates the config/applicationhost.config file. Changing this file does NOT help - it is regenerated
3.) Edit the <project>.csproj.user file. There change the lines
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
to
<IISExpressAnonymousAuthentication>enabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>disabled</IISExpressWindowsAuthentication>
4.) Edit and change the web.config
Change
<authentication mode="Windows" />
to
<authentication mode="None" />
or comment the whole authentication XML element.
The web config should overwrite the IIS express config but in this case it seems it does not. What you can try to do is to turn it off on the IIS level as well.
You can go to this directory \IISExpress\config\applicationhost.config open up this file and set the <windowsAuthentication enabled="false" />.
I found this was possible in the web config by using the following documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio
The relevant bloc of web.config is:
<security>
<authentication>
<windowsAuthentication enabled="false" />
</authentication>
</security>
You should unload the project, edit the project .csproj file and change the lines:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
Then, you should delete the .csproj.user file for your project, and remove de .vs directory for your solution.

mvc 5 controlling authorization for entire controller or entire view folder

I have a mvc 5 application with a product controller and a corresponding view folder for all product related views. I'd like to make this entire thing only accessible to user with username "admin" instead of manually assigning a tag [Authorize(Users = "admin")] on top of every controller method. I tried to add a new web.config in Product views folder with the following content, but didnt work.
<configuration>
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Is this possible to achieve at all if yes how?
thanks in advance
The AuthorizeAttribute can be added both on a specific method and on the controller class. The second will affect every action method in that controller.
[Authorize(Users = "admin")]
public class AdminController
{
public ActionResult Index() { ... }
}
If you want to use Web.config you must remember that IIS will load the Web.config file based on the URL without any knowledge of Views. So if the URL is http://server/Products/Something then you must place your configuration file in a folder called Products in the application root. Alternatively you can use <location path="/Products"> in your root Web.config file.

Request.ServerVariables("LOGON USER") returns empty

Web.config file
<authentication mode="Windows" />
<authorization>
<allow users ="*" />
</authorization>
IIS permissions
(Unchecked)Enable ananymouse access
(Checked)Integrated windows authentication
C# code,
welcomeUser.InnerText = Request.ServerVariables.Get("LOGON USER");
What am I missing to be able to display Windows User ID ?
I think the variable is LOGON_USER isn't it? (With underscore) See here
You may find that this gives you IUSR_MachineName though, so you might want to look up better ways of finding the actual logged in user, such as User.Identity.Name or by using WindowsIdentity.GetCurrent().Name;

Resources