I really hope this isn't a duplicate, but I wasn't able to find anything like this on here.
My issue is: I have a subdirectory on a Windows (not sure if 2008 R2 or 2012) server with IIS 8.5 that I want to protect with basic authentication. I've talked to the server admin and he activated basic auth for me and added a Windows user for me. The protection works, but only for directories, not individual files.
This leads to bizarre situations like "sub.domain.com/subsubdir/" is only accessible with the correct user/password combination, but "sub.domain.com/subsubdir/index.php" is open for all to visit, and I can't figure out why. The way I've implemented this in the web.config is this:
<location path="dir/subdir">
<system.web>
<authorization>
<allow users="authorizedUser"/>
<deny users ="?" />
</authorization>
</system.web>
</location>
Where the subdomain points to "dir/subdir", thus "sub.domain.com/subsubdir/" to reach the subdirectory.
I tried dir/subdir/ and dir/subdir/*, but both lead to errors. Either I'm using the wrong keywords, or Google doesn't know about my problem.
I'm not even sure if that's something I have to fix on my side (only access via FTP) or if it's some Windows setting that the admin has to change. Does anyone know what's happening here?
Edit: I got confused with my own subdirectories and forgot a level. Not sure if that's relevant, but I edited it anyway.
Best Answer
You should disable anonymous authentication for the directory if there is no need to have anonymous users. This will take care of the problem