asp.net authorization

Tags: asp.net, authorization

In my ASP.NET application, I have an asmx web service which is in its own directory. For this web service I have set basic authentication under IIS 6.0 and put a separate web.config in that folder, with the following nodes:

    <system.web>
      <authorization>
        <allow users="domain\username"/>
        <deny users="*"/>
      </authorization>
    </system.web>    

With settings like these I get

    Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

when the web method is invoked with SoapUI or with a browser. If I remove the deny node, any valid user in the domain can get a web service response.

Any suggestions on how to make it work for one domain user only?

Maybe I should also mention that authentication in the main web.config is set to "Windows".

Best Answer

updated:

Oops, I overlooked the fact that you have a parent involved, my fault. Once permission defaults are set on the parent, you can just set up per-user access to the child web service/app.

The tightest configuration I could set up was the following.

For the parent, I used this barebones setup (nobody is allowed in):

<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Then for the child (web service, in your case), I used this setup (only the DOMAIN\username principal is allowed in):

<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow users="DOMAIN\username" />
    </authorization>
  </system.web>
</configuration>

This resulted in no access at the parent level, but only the given user at the child (web service) level. Also, as you mentioned, setting the authentication mode doesn't work on the child web.config.

Without setting up at least one allow entry at the child web.config, though, nobody can get in, as the parent's deny entry takes precedence.


original

Your settings work for me, but I believe you are missing a few elements.

Try including the impersonation element, make sure the authentication mode is set to Windows, and if deploying for IIS, make sure the IIS location has anonymous access off.

Try the following barebones config, with debug on or off as needed:

<?xml version="1.0"?>
<configuration>
    <appSettings />
    <connectionStrings />
    <system.web>
      <compilation debug="true" />
      <authentication mode="Windows" />
      <identity impersonate="true" />
      <authorization>
        <allow users="DOMAIN\username" />
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>
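The accepted answer relies on how ASP.NET's UrlAuthorizationModule merges `<authorization>` rules across a parent and a child web.config: rules in the more specific (child) config are evaluated before the parent's, the first rule whose `users`/`roles` attribute matches the request decides, and the machine-level default (`<allow users="*"/>`) applies only when nothing matches. The following Python model is an added example written for this page, not code from the question, the answer or ASP.NET itself; the principal names, the rule sets and the scenario labels are constructed to mirror the configs above. It shows why the asker's `allow`/`deny *` pair admits only the listed account, why dropping the `deny` lets every authenticated user through, and why the answer's parent `deny *` plus child `allow` layout has the same effect.

```python
"""Model of ASP.NET URL authorization rule merging (added example, not from the page).

Assumptions (documented UrlAuthorizationModule behaviour, modelled here, not
imported from ASP.NET): child rules are evaluated before parent rules, the
first matching rule wins, '*' matches everyone, '?' matches anonymous requests,
and an unmatched request falls through to the root default allow users="*".
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    action: str                                      # "allow" or "deny"
    users: List[str] = field(default_factory=list)   # "*", "?" or account names
    roles: List[str] = field(default_factory=list)


@dataclass
class Principal:
    name: Optional[str]                              # None for an anonymous request
    roles: List[str] = field(default_factory=list)


def rule_matches(rule: Rule, p: Principal) -> bool:
    """'*' = everyone, '?' = anonymous only, otherwise a case-insensitive account or role name."""
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and p.name is None:
            return True
        if p.name is not None and u.lower() == p.name.lower():
            return True
    principal_roles = {r.lower() for r in p.roles}
    return any(r.lower() in principal_roles for r in rule.roles)


def is_authorized(p: Principal, *configs: List[Rule]) -> bool:
    """Evaluate rule sets from most specific (child folder) to least specific (parent).

    The first rule that matches the principal decides; with no match at all the
    root web.config default (allow users="*") lets the request through.
    """
    for rules in configs:
        for rule in rules:
            if rule_matches(rule, p):
                return rule.action == "allow"
    return True


# --- Constructed principals and rule sets mirroring the configs on this page ---
ALICE = Principal("DOMAIN\\username")      # the one account that should get in
BOB = Principal("DOMAIN\\other")           # any other authenticated domain user
ANON = Principal(None)                     # unauthenticated request

# Question: child folder allows one user and denies everyone else; parent has no rules.
QUESTION_CHILD = [Rule("allow", users=["DOMAIN\\username"]), Rule("deny", users=["*"])]
PARENT_NO_RULES: List[Rule] = []

# Updated answer: parent denies everyone, child allows the single principal.
ANSWER_PARENT = [Rule("deny", users=["*"])]
ANSWER_CHILD = [Rule("allow", users=["DOMAIN\\username"])]


def scenarios() -> dict:
    """Outcome of each layout discussed on the page, keyed by scenario name."""
    return {
        # Question's config: only the listed account is authorized.
        "question/alice": is_authorized(ALICE, QUESTION_CHILD, PARENT_NO_RULES),
        "question/bob": is_authorized(BOB, QUESTION_CHILD, PARENT_NO_RULES),
        # Asker's observation: with the deny node removed, any domain user gets a response
        # because nothing matches and the root default allow applies.
        "no-deny/bob": is_authorized(BOB, QUESTION_CHILD[:1], PARENT_NO_RULES),
        # Answer's layout: the child allow is evaluated before the parent deny.
        "answer/alice": is_authorized(ALICE, ANSWER_CHILD, ANSWER_PARENT),
        "answer/bob": is_authorized(BOB, ANSWER_CHILD, ANSWER_PARENT),
        "answer/anon": is_authorized(ANON, ANSWER_CHILD, ANSWER_PARENT),
        # Parent alone, or a child without any allow entry: nobody gets in.
        "answer/parent-only/alice": is_authorized(ALICE, ANSWER_PARENT),
        "answer/empty-child/alice": is_authorized(ALICE, [], ANSWER_PARENT),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28} -> {'allow' if allowed else 'deny'}")
```

The model covers only URL authorization. It does not reproduce the IIS side of the asker's problem: the 401.2 page is an IIS authentication error, so the authentication method enabled on the folder (Windows or Basic, with anonymous access off, as the answer notes) still has to produce an authenticated principal before these rules are consulted.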