Web.config in folder allowing all or no user authentication

asp.netauthenticationiis-7locationweb.config

I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users is getting access to the page.

Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.

This is what I've done:

   //Web Config that allows and denies:
   <?xml version="1.0"?>
        <configuration>
        <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
     </system.web>

    <location path="QualityCheckSurvey.aspx">
    <system.web>
      <authorization>
        <allow users="DomainName\User2" />
        <deny users="?" /> 
      </authorization>
    </system.web>
    </location>
    </configuration>

I have set my authentication mode to windows.

EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1 the user don't get access even when prompted with a login request. The login windows dialog boks just keep on popping up 3times with even if the used have access. making it deny ? (anonymous) allows everybody to have access, even if I take out the deny and only have the allow tag with USER1 the rest of the users still have access… I'm running locally now, but even on the IIS when setting the authentication on there with (windows and basic authentication) does exactly the same….

EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access….

     <?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>

  <location path="QualityCheckSurvey.aspx">
    <system.web>

      <authorization>
        <deny users="?" />
        <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
        <deny users="*" />
      </authorization>

    </system.web>
  </location>

In my main web.cofin in the root of the application I have set authentication mode to windows:

     <authentication mode="Windows">

<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
    </authentication>

Best Answer

On your question you said you have a folder name but on the web.config you have given only the file name on the path. Use the foldername/filename.aspx like below. Use deny users="*" instead of deny users="?'

<location path="foldername/QualityCheckSurvey.aspx">
    <system.web>
        <authorization>
            <allow users="DomainName\User2"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

EDIT

This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.

 <?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <authentication mode="Windows" />
    </authorization>
  </system.web>

  <location path="survey/QualityCheckSurvey.aspx">
    <system.web>
      <authorization>
        <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I am assuming the survey folder is inside the root folder.

Related Solutions

Receiving login prompt using integrated windows authentication

I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.

Here is what I did (recording this here so I can find it later).

I was having this same issue:

In my Web.config file, I had this section:

<system.web>
    <authentication mode="Windows" />
    <authorization>
        <allow users="*" />
        <deny users="?" />
    </authorization>
</system.web>

Under IIS, all of these seems to be solved under the Authentication icon.

Edit Permissions: Make sure your ASP.NET account has permission. Mine was not originally added.

ASP.NET permission

Now go into the features of Authentication:

Authentication Features

Enable Anonymous Authentication with the IUSR:

Anonymous Authentication

Enable Windows Authentication, then Right-Click to set the Providers.

NTLM needs to be FIRST!

Windows Authentication

Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:

Advanced Settings

Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.

I hope this proves beneficial to many of you, and I hope it is useful for me later as well.

IIS AppPoolIdentity and file system write access permissions

The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try and create a folder in the C:\Windows folder then you'll find that you can't. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLL's).

With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you'll see the following:

enter image description here

See that Special permission being inherited from c:\:

enter image description here

That's the reason your site's ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on it's site root folder.

You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don't store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than it's group membership dictates.

An ApplicationPoolIdentity's group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the User Name column to the list of columns to display:

enter image description here

For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right clicking on properties for the process and selecting the Security tab we see:

enter image description here

As we can see IIS APPPOOL\900300 is a member of the Users group.

Best Answer

Related Solutions

Receiving login prompt using integrated windows authentication

IIS AppPoolIdentity and file system write access permissions

Related Topic