Web.config Authorization in a subdirectory using Windows Authentication

Hello,

I have a sub-directory (folder) called 'Administration' within which I have a page Admin.aspx that I want to restrict access to.  To do this, I created another web.config file in the Administration sub-directory to override the web.config Authorization settings file in the root directory.  I'm using Windows authentication as part of an intranet.

For testing I did this:

    <authorization>
        <deny users="*" />
        <allow users="CH\KathrynSchmidt" /> <!-- Allow only this user -->


            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

Now when I run the application and try to access the Administration/Admin.aspx page, I don't have any problems doing so, despite the fact that I'm not KathrynSchmidt.  What am I doing wrong?

Thanks-
tmccrank asked:

Dale Burrell (Director) commented:
Let's see...

You can leave the admin folder as a sub-directory of the main site if you'd like - might make things easier to maintain. It's just that the admin folder has to be created as a virtual directory within IIS AND it needs its own bin directory because it is a web app in its own right - but physically it's fine to have it as a sub-directory of the site it relates to.

The virtual directory needs to come under the main site as you say.

I think you had it right the way you set it up earlier but you didn't give the admin virtual directory its own bin directory and its own web.config - I'm basing that assumption on the fact that the error you got involved 'NurseEducationModules.Admin' which I assume is a DLL?

Solar_Flare commented:
have you set up the admin subfolder as a web application in IIS?

mmarinov commented:
You can protect different pages in one web.config file using the <location> element;
see the MSDN snippet:

<configuration>
   <location path="Logon.aspx">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

tmccrank (Author) commented:
Solar_Flare: Yes, I set up the subfolder as an application in IIS.  Are there any special configurations for the Administration subfolder in IIS?  I renamed web.config folder to web1.config... is there anything that I need to change as a result?

mmarinov: I know about that.  I prefer to put a separate web.config folder because I have a number of pages in the 'Administration' sub folder.

Dale Burrell (Director) commented:
You need to configure Windows authentication under IIS/Security for the sub-directory as well as in web.config, since it's really IIS that handles this, not ASP.NET.

tmccrank (Author) commented:
Thanks dale_burrell.  
Could you be more specific about what I have to do to configure window authentication for the sub-directory?  
Here's what I've done:
1) Created a folder in IIS
2) In IIS --> Local Path pointing to the sub-directory in the wwwroot folder.
3) I have anonymous access enabled.  Is this right?
4) Integrated windows authentication is checked, all users that will be using the app are on a single domain.

In testing the app, I have the following in the web1.config:

    <authorization>
        <deny users="*" />
    </authorization>

This should deny everyone, including me, shouldn't it?  I still have access to pages in the Administration sub-folder though.
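The two configuration styles discussed in this thread (a `<location>` block in the root web.config, as in mmarinov's answer, and a separate web.config inside the Administration folder, as in the question) are decided by the same rule engine in ASP.NET, and its behaviour explains the symptoms above. The following is an added example, not code from the thread or from ASP.NET itself: a small Python model of how ASP.NET URL authorization evaluates `<allow>`/`<deny>` rules. It encodes facts that hold for ASP.NET: rules are checked in document order and the first match wins, `users="*"` matches everyone and `users="?"` the anonymous user, names compare case-insensitively, rules from the most specific configuration (a subfolder's web.config or a matching `<location>` block) are consulted before the root's own rules, the machine-level default `<allow users="*"/>` applies when nothing matches, a subfolder web.config is read whether or not the folder is an IIS application, and only a file named exactly web.config is read at all. All configuration strings, paths and identities below are constructed samples; the `roles` handling and the `check`/`demo` helpers are this example's own additions.

```python
"""Added example, not from the thread or from ASP.NET: a model of how ASP.NET
URL authorization applies <allow>/<deny> rules (first match in document order
wins; "*" is everyone, "?" is anonymous; names compare case-insensitively;
most specific config first; default allow when nothing matches; only a file
named web.config is read).  Config strings and identities are constructed
samples; only the users/roles attributes are modelled (no verbs)."""
import xml.etree.ElementTree as ET

# Constructed: root web.config with nothing beyond the default allow-all.
ROOT_PLAIN = """<configuration><system.web>
  <authentication mode="Windows"/>
  <authorization><allow users="*"/></authorization>
</system.web></configuration>"""

# Constructed: root web.config protecting the folder with <location>
# (the approach in mmarinov's answer), allow listed before deny.
ROOT_WITH_LOCATION = """<configuration>
  <system.web><authentication mode="Windows"/>
    <authorization><allow users="*"/></authorization></system.web>
  <location path="Administration"><system.web><authorization>
    <allow users="CH\\KathrynSchmidt"/>
    <deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# Constructed: Administration/web.config with the rule order from the question.
ADMIN_DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="*"/>
  <allow users="CH\\KathrynSchmidt"/>
</authorization></system.web></configuration>"""

# Constructed: the same file with the allow rule moved above the deny.
ADMIN_ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow users="CH\\KathrynSchmidt"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""


def _split(attr):
    """Comma-separated attribute value -> list of trimmed names."""
    return [x.strip() for x in (attr or "").split(",") if x.strip()]


def rules_under(elem):
    """[(action, users, roles)] from elem > system.web > authorization, in order."""
    for sw in elem:
        if sw.tag == "system.web" and sw.find("authorization") is not None:
            return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
                    for r in sw.find("authorization") if r.tag in ("allow", "deny")]
    return []


def effective_rules(root_xml, request_path, folder_xml=None):
    """Rules governing request_path, most specific first.  folder_xml is the
    web.config in the requested folder; None models a file ASP.NET does not
    read at all (for example one renamed to web1.config)."""
    rules = rules_under(ET.fromstring(folder_xml)) if folder_xml else []
    root = ET.fromstring(root_xml)
    req = request_path.lower().strip("/")
    for loc in root.findall("location"):  # path is relative to the root file
        path = (loc.get("path") or "").lower().strip("/")
        if path and (req == path or req.startswith(path + "/")):
            rules += rules_under(loc)
    return rules + rules_under(root)


def is_authorized(rules, user, roles=()):
    """First matching rule decides; user is None for an anonymous request."""
    user_roles = {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        hit = any(u == "*" or (u == "?" and user is None)
                  or (user is not None and u.lower() == user.lower())
                  for u in users)
        if hit or any(r.lower() in user_roles for r in rule_roles):
            return action == "allow"
    return True  # nothing matched: machine-level default is <allow users="*"/>


def check(root_xml, path, user, folder_xml=None):
    return is_authorized(effective_rules(root_xml, path, folder_xml), user)


def demo():
    """The thread's scenarios; True means the request is allowed."""
    admin = "Administration/Admin.aspx"
    return {
        # Folder file named web1.config: never read, so the root allow-all wins.
        "renamed_file_other_user": check(ROOT_PLAIN, admin, "CH\\tmccrank"),
        # deny * listed first matches everyone, even the user allowed later.
        "deny_first_kathryn": check(ROOT_PLAIN, admin, "CH\\KathrynSchmidt", ADMIN_DENY_FIRST),
        # allow first, then deny *: only the named user gets in (any case).
        "allow_first_kathryn": check(ROOT_PLAIN, admin, "ch\\kathrynschmidt", ADMIN_ALLOW_FIRST),
        "allow_first_other": check(ROOT_PLAIN, admin, "CH\\tmccrank", ADMIN_ALLOW_FIRST),
        "allow_first_anonymous": check(ROOT_PLAIN, admin, None, ADMIN_ALLOW_FIRST),
        # Same policy via <location> in the root file; other pages unaffected.
        "location_kathryn": check(ROOT_WITH_LOCATION, admin, "CH\\KathrynSchmidt"),
        "location_other": check(ROOT_WITH_LOCATION, admin, "CH\\tmccrank"),
        "location_public_page": check(ROOT_WITH_LOCATION, "Default.aspx", "CH\\tmccrank"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:25} {'allowed' if allowed else 'DENIED'}")
```

Running it shows the three outcomes that matter here: a folder file that ASP.NET does not read (any name other than web.config) leaves the root's allow-all in force, so everyone reaches Admin.aspx; a `<deny users="*"/>` placed above the `<allow>` denies everyone including the named user, because the first matching rule ends evaluation; and allow-then-deny, whether written in the folder's own web.config or in a `<location path="Administration">` block in the root file, admits only `CH\KathrynSchmidt` and rejects other domain users and anonymous requests alike. One caveat tied to the IIS discussion in this thread: under `<authentication mode="Windows"/>` the name ASP.NET compares is the `DOMAIN\user` identity IIS hands over, so Integrated Windows authentication must be enabled on the folder in IIS or the request arrives anonymous and only a `"?"` or `"*"` rule can match it.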

Dale Burrell (Director) commented:
In point 2 when you say a sub-directory I assume you mean a virtual directory?

Point 3 - you don't want to enable anonymous access because you want to force them to login. Integrated Windows authentication is correct. (NOTE: I just checked the setup of one of my sites and found that enable anonymous is enabled along with Integrated Windows authentication, so maybe it's OK).

tmccrank (Author) commented:
Sorry, I was going about it all wrong.... I actually added an entirely new website in IIS called Administration and tried to configure it that way.  Whoops :-|

So, now what I've done is open the root node for my application in IIS.  I then went into the properties for the Administration folder (virtual directory?) and clicked on the "Create" button.

That definitely did something, as now I can't get any page in the Administration directory to load in the browser, I just get a parser error saying "Could not load type 'NurseEducationModules.Admin'."

I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Is there anything else that I need to configure in IIS?

tmccrank (Author) commented:
>>I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Sorry, I meant <authorization> section of the web1.config file in the Administration folder.

Dale Burrell (Director) commented:
Right, the problem is that now you have a separate virtual directory; this is actually a separate web app, and needs its own bin folder, App_Code folder etc. as it doesn't have access to the resources of the main web app.

HTH

tmccrank (Author) commented:
Sorry, you lost me.... the Administration sub-directory needs its own bin file?  This is obviously way more involved than I thought!  Could you point me to a good resource that will explain how to do this in a step-by-step way?

Dale Burrell (Director) commented:
I don't know of a good online explanation, but let's see if I can make it simple. To run a website based on ASP.NET you need what is called a web application. Web applications that run under IIS come in two flavours: a 'Website' and a 'Virtual Directory'.

A website needs an IP address and often a host header, whereas a virtual directory is a sub-site of another website.

Now a web application (i.e. either a website or a virtual directory) has certain requirements, such as a bin directory if you want to use DLLs, and a web.config file if you want to change any of the default settings.

So here is the important bit... EVEN IF the virtual directory is under a REAL website, the virtual directory DOES NOT have access to the parent website's bin directory, web.config etc. BECAUSE it is its own web application.

I.e. to solve your original problem you are creating a completely new web application, which just looks like it resides under the main site, because when you use Windows authentication this is the only way you can change the authentication for a select group of files.

I hope this helps... I know it's complex - took me years to fully understand it - probably still don't.

tmccrank (Author) commented:
Thanks dale_burrell for taking the time to explain...

So: 1) I need to create a whole new ASP.NET web application just for the Administration of my site... and copy the files from the Administration sub-folder of my current app;  2) Although I've now created a new application with all of the Administration pages from my original app, I keep the Administration folder and files from my current application; 3) Go to IIS, where - now that 'Administration' as a separate application has its own node under 'Default Web Site' - I should ignore the new website and somehow configure the 'Administration' virtual directory under my original website's node?

Is this on track?

tmccrank (Author) commented:
Hi dale_burrell, sorry for the late reply - got side-tracked.

Thanks for the info, here's what I have at the moment:

1) Configured the Administration virtual directory under the main application in IIS (right-clicked on the Administration folder in IIS --> Properties --> clicked 'Create' --> OK).
2) I do have a web.config in the Administration folder (called web1.config to avoid possible conflicts) in which I configured <authorization> as per my original post.
 
Question...: You mention that the Administration sub-folder needs its own bin folder because Administration is an application in its own right (and therefore needs its own dll).  How is this done?   It's not as simple as creating a sub-folder called 'bin' in the Administration sub-folder and building the application (I didn't think it would be, but tried it anyway with no luck).

Thanks very much-

Dale Burrell (Director) commented:
It is as simple as creating a bin directory and adding the DLLs - also note web.config must be called web.config - it can't be called web1.config.

tmccrank (Author) commented:
Sorry, I let this slide... dale_burrell has definitely been a help, although I'm still trying to figure this out (I got side-tracked over the last few weeks).

Thanks Dale.