Solved

Web.config Authorization in a subdirectory using Windows Authentication

Posted on 2006-11-23
Last Modified: 2008-03-03
Hello,

I have a sub-directory (folder) called 'Administration' within which I have a page Admin.aspx that I want to restrict access to.  To do this, I created another web.config file in the Administration sub-directory to override the web.config Authorization settings file in the root directory.  I'm using Windows authentication as part of an intranet.

For testing I did this:

    <authorization>
        <deny users="*" />
        <allow users="CH\KathrynSchmidt" /> <!-- Allow all users -->


            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

Now when I run the application and try to access the Administration/Admin.aspx page, I don't have any problems doing so, despite the fact that I'm not KathrynSchmidt.  What am I doing wrong?

Thanks-
0
Question by:tmccrank
17 Comments
 
LVL 15

Expert Comment

by:Solar_Flare
ID: 18005416
Have you set up the admin subfolder as a web application in IIS?
0
 
LVL 28

Expert Comment

by:mmarinov
ID: 18006468
You can protect different pages in one web.config file using the <location> element.
See the MSDN snippet:

    <configuration>
       <location path="Logon.aspx">
          <system.web>
             <authorization>
                <allow users="?"/>
             </authorization>
          </system.web>
       </location>
    </configuration>
0
 

Author Comment

by:tmccrank
ID: 18008008
Solar_Flare: Yes, I set up the subfolder as an application in IIS.  Are there any special configurations for the Administration subfolder in IIS?  I renamed web.config folder to web1.config... is there anything that I need to change as a result?

mmarinov: I know about that.  I prefer to put a separate web.config folder because I have a number of pages in the 'Administration' sub folder.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18018093
You need to configure Windows authentication under IIS/Security for the sub-directory as well as in web.config, since it's really IIS that handles this, not asp.net.
0
 

Author Comment

by:tmccrank
ID: 18029825
Thanks dale_burrell.  
Could you be more specific about what I have to do to configure Windows authentication for the sub-directory?
Here's what I've done:
1) Created a folder in IIS
2) In IIS --> Local Path pointing to the sub-directory in the wwwroot folder.
3) I have anonymous access enabled.  Is this right?
4) Integrated windows authentication is checked, all users that will be using the app are on a single domain.

In testing the app, I have the following in the web1.config:

    <authorization>
        <deny users="*" />
    </authorization>

This should deny everyone, including me, shouldn't it?  I still have access to pages in the Administration sub-folder though.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18030921
In point 2 when you say a sub-directory I assume you mean a virtual directory?

Point 3 - you don't want to enable anonymous access because you want to force them to login. Integrated windows authentication is correct. (NOTE: I just checked the setup of one of my sites and found that enable anonymous is enabled along with Integrated windows authentication so maybe it's OK).
0
 

Author Comment

by:tmccrank
ID: 18031859
Sorry, I was going about it all wrong.... I actually added an entirely new website in IIS called Administration and tried to configure it that way.  Whoops :-|

So, now what I've done is open the root node for my application in IIS.  I then went into the properties for the Administration folder (virtual directory?) and clicked on the "Create" button.

That definitely did something, as now I can't get any page in the Administration directory to load in the browser, I just get a parser error saying "Could not load type 'NurseEducationModules.Admin'."

I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Is there anything else that I need to configure in IIS?
0
 

Author Comment

by:tmccrank
ID: 18032058
>>I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Sorry, I meant <authorization> section of the web1.config file in the Administration folder.
0

 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18033598
Right, the problem is that now you have a separate virtual directory; this is actually a separate web app, and needs its own bin folder, app_code folder etc etc as it doesn't have access to the resources of the main web app.

HTH
0
 

Author Comment

by:tmccrank
ID: 18050028
Sorry, you lost me.... the Administration sub-directory needs its own bin file?  This is obviously way more involved than I thought!  Could you point me to a good resource that will explain how to do this in a step-by-step way?
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18050461
I don't know of a good online explanation, but let's see if I can make it simple. To run a website based on asp.net you need what is called a web application. Web applications that run under IIS come in 2 flavours: a 'Website' and a 'Virtual Directory'.

A website needs an IP address and often a host header whereas a virtual directory is a sub-site of another website.

Now a web application (e.g. either a website or a virtual directory) has certain requirements such as a bin directory if you want to use DLLs, a web.config file if you want to change any of the default settings.

So here is the important bit... EVEN IF the virtual directory is under a REAL website, the virtual directory DOES NOT have access to the parent website's bin directory, web.config etc BECAUSE it is its own web application.

e.g. To solve your original problem you are creating a completely new web application, which just looks like it resides under the main site, because when you use windows authentication this is the only way you can change the authentication for a select group of files.

I hope this helps... I know it's complex - took me years to fully understand it - probably still don't.
0
 

Author Comment

by:tmccrank
ID: 18057194
Thanks dale_burrell for taking the time to explain...

So: 1) I need to create a whole new ASP.NET web application just for the Administration of my site... and copy the files from the Administration sub-folder of my current app;  2) Although I've now created a new application with all of the Administration pages from my original app, I keep the Administration folder and files from my current application; 3) Go to IIS, where - now that 'Administration' as a separate application has its own node under 'Default Web Site' - I should ignore the new website and somehow configure the 'Administration' virtual directory under my original website's node?

Is this on track?
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 250 total points
ID: 18058736
Let's see...

You can leave the admin folder as a sub-directory of the main site if you'd like - might make things easier to maintain. It's just that the admin folder has to be created as a virtual directory within IIS AND it needs its own bin directory because it is a web app in its own right - but physically it's fine to have it as a sub-directory of the site it relates to.

The virtual directory needs to come under the main site as you say.

I think you had it right the way you set it up earlier but you didn't give the admin virtual directory its own bin directory and its own web.config - I'm basing that assumption on the fact that the error you got involved 'NurseEducationModules.Admin' which I assume is a DLL?
0
 

Author Comment

by:tmccrank
ID: 18086295
Hi dale_burrell, sorry for the late reply - got side-tracked.

Thanks for the info, here's what I have at the moment:

1) Configured the Administration virtual directory under the main application in IIS (right-clicked on the Administration folder in IIS --> properties --> clicked 'Create' --> OK).
2) I do have a web.config in the Administration folder (called web1.config to avoid possible conflicts) in which I configured <authorization> as per my original post.
 
Question...: You mention that the Administration sub-folder needs its own bin folder because Administration is an application in its own right (and therefore needs its own dll).  How is this done?   It's not as simple as creating a sub-folder called 'bin' in the Administration sub-folder and building the application (I didn't think it would be, but tried it anyway with no luck).

Thanks very much-
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18090645
It is as simple as creating a bin directory and adding the DLLs - also note web.config must be called web.config - it can't be called web1.config.
0
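An added example (not part of the thread; Python, with constructed sample configs) modelling two points from the discussion: ASP.NET only reads a file named web.config, and `<authorization>` rules are applied top to bottom with the first match deciding. It is a simplified model that handles only the `users` attribute (no roles, verbs or inherited rules), and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

def rules(config_text):
    """Return [(action, [users])] from the first <authorization> element."""
    auth = ET.fromstring(config_text).find(".//authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip().lower() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def is_authorized(config_text, user):
    """First matching rule decides; user=None means an anonymous request."""
    for action, users in rules(config_text):
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user.lower() in users)):
            return action == "allow"
    return True  # nothing matched: assume the inherited default (allow all)

def audit(files):
    """files maps path -> config text; returns (path, problem) findings."""
    findings = []
    for path, text in files.items():
        parsed = rules(text)
        if not parsed:
            continue
        if PurePosixPath(path).name.lower() != "web.config":
            findings.append((path, "not named web.config, so never read"))
        deny_all = next((i for i, (a, u) in enumerate(parsed)
                         if a == "deny" and "*" in u), None)
        if deny_all is not None and any(
                a == "allow" for a, _ in parsed[deny_all + 1:]):
            findings.append((path, "allow after deny users=* never matches"))
    return findings

def config(*rule_lines):
    """Wrap rules in a minimal web.config document (constructed sample)."""
    return ("<configuration><system.web><authorization>" + "".join(rule_lines)
            + "</authorization></system.web></configuration>")

# Constructed samples: the rule order from the question, and the same rules reordered.
AS_POSTED = config('<deny users="*" />', r'<allow users="CH\KathrynSchmidt" />')
REORDERED = config(r'<allow users="CH\KathrynSchmidt" />', '<deny users="*" />')

if __name__ == "__main__":
    print(is_authorized(AS_POSTED, r"CH\KathrynSchmidt"))
    print(is_authorized(REORDERED, r"CH\KathrynSchmidt"))
    print(audit({"Administration/web1.config": AS_POSTED}))
```

With the rule order from the question, the named user is denied as well once the file is actually read; placing the `allow` before `deny users="*"` gives the intended result.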
 

Author Comment

by:tmccrank
ID: 18239955
Sorry, I let this slide... dale_burrell has definitely been a help, although I'm still trying to figure this out (I got side-tracked over the last few weeks).

Thanks Dale.
0
