WEB.CONFIG and IIS 6.0 Anonymous

Posted on 2005-04-06
Last Modified: 2008-02-01
Hello Gurus,

                   I am trying to find the most secure way to implement apps on our web server. I would like to know if you can use anonymous access in IIS and use the credentials in the web.config to authenticate. I have read where other developers just put a user account in IIS and turn off anonymous on the security tab??? I have pasted the code below that I am using in the web.config. Can anyone out there tell me the correct way to have an app authenticate.

<?xml version="1.0" encoding="utf-8" ?>

            <add key="keysConnString" value="Server=testserver;Database=Keys;uid=expert;pwd=exchange;" />
            <!--<add key="keyChainsConnString" value="Server=DLS-DEV-02\Development;Database=Keys;uid=sql;pwd=blank;" />
             <add key="keys" value="Server=testserver;Database=Keys;uid=sa;pwd=blank;" /> -->
            <add key="ErrorLogFile" value="~/ErrorLog.txt" />  <!-- create this file at the root of the app & give full control to everyone -->
            <!-- KeyChains.Systems.SystemId -->
            <add key="keysSystemId" value="1" />
            <add key="keysSystemId" value="2" />
            <!-- Urls, email servers -->
            <add key="SmtpServer" value="" />
            <add key="keysDefaultPage" value="" />
            <add key="keysRegisterPage" value="/testing/Profile.aspx" />
            <add key="keysDefaultPage" value="/websites" />
            <add key="keysLoginDefaultPage" value="/Research" />

          Set compilation debug="true" to insert debugging symbols (.pdb information)
          into the compiled page. Because this creates a larger file that executes
          more slowly, you should set this value to true only when debugging and to
          false at all other times. For more information, refer to the documentation about
          debugging ASP.NET files.
    <compilation defaultLanguage="vb" debug="true" />

          Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
          Add <error> tags for each of the errors you want to handle.

          "On" Always display custom (friendly) messages.
          "Off" Always display detailed ASP.NET error information.
          "RemoteOnly" Display custom (friendly) messages only to users not running
           on the local Web server. This setting is recommended for security purposes, so
           that you do not display application detail information to remote clients.
    <customErrors mode="RemoteOnly" />

          This section sets the authentication policies of the application. Possible modes are "Windows",
          "Forms", "Passport" and "None"

          "None" No authentication is performed.
          "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
           its settings for the application. Anonymous access must be disabled in IIS.
          "Forms" You provide a custom form (Web page) for users to enter their credentials, and then
           you authenticate them in your application. A user credential token is stored in a cookie.
          "Passport" Authentication is performed via a centralized authentication service provided
           by Microsoft that offers a single logon and core profile services for member sites.
    <authentication mode="Windows" />

          This section sets the authorization policies of the application. You can allow or deny access
          to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
          (unauthenticated) users.
        <allow users="*" /> <!-- Allow all users -->

            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>

          Application-level tracing enables trace log output for every page within an application.
          Set trace enabled="true" to enable application trace logging.  If pageOutput="true", the
          trace information will be displayed at the bottom of each page.  Otherwise, you can view the
          application trace log by browsing the "trace.axd" page from your web application
    <trace enabled="false" requestLimit="100" pageOutput="false" traceMode="SortByTime" localOnly="true" />

          By default ASP.NET uses cookies to identify which requests belong to a particular session.
          If cookies are not available, a session can be tracked by adding a session identifier to the URL.
          To disable cookies, set sessionState cookieless="true".
    <!-- Original (default one) =
            sqlConnectionString="data source=;Trusted_Connection=yes"
            sqlConnectionString="data source=my-test-server\Development;uid=NT AD ACCOUNT;pwd=P@ssword;"
            sqlConnectionString="data source=my-test-server;uid=sa;pwd=blank;"
          This section sets the globalization settings of the application.
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />


Question by:SGKomen
    1 Comment
    LVL 8

    Accepted Solution

    Yes, you can disable anonymous access and then set permissions on the file level.  Then you should be able to pull the username who is logged in with Request.ServerVariables("HTTP_USER").

    If you don't want to set file permissions, you can have your application do the authentication logic with Forms Authentication:
    (For example, I use ASP.NET forms authentication to authenticate against Novell eDirectory)

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Suggested Solutions

    I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:  The Exchange of information …
    I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now