Web.config Authorization in a subdirectory using Windows Authentication

Posted on 2006-11-23
Last Modified: 2008-03-03
Hello,

I have a sub-directory (folder) called 'Administration' within which I have a page Admin.aspx that I want to restrict access to.  To do this, I created another web.config file in the Administration sub-directory to override the web.config Authorization settings file in the root directory.  I'm using Windows authentication as part of an intranet.

For testing I did this:

    <authorization>
        <deny users="*" />
        <allow users="CH\KathrynSchmidt" /> <!-- Allow all users -->


            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

Now when I run the application and try to access the Administration/Admin.aspx page, I don't have any problems doing so, despite the fact that I'm not KathrynSchmidt.  What am I doing wrong?

Thanks-
0
Question by:tmccrank
17 Comments
 
LVL 15

Expert Comment

by:Solar_Flare
ID: 18005416
Have you set up the admin subfolder as a web application in IIS?
0
 
LVL 28

Expert Comment

by:mmarinov
ID: 18006468
You can protect different pages in one web.config file using the <location> element.
See the MSDN snippet:

    <configuration>
       <location path="Logon.aspx">
          <system.web>
             <authorization>
                <allow users="?"/>
             </authorization>
          </system.web>
       </location>
    </configuration>
0
 

Author Comment

by:tmccrank
ID: 18008008
Solar_Flare: Yes, I set up the subfolder as an application in IIS.  Are there any special configurations for the Administration subfolder in IIS?  I renamed web.config folder to web1.config... is there anything that I need to change as a result?

mmarinov: I know about that.  I prefer to put a separate web.config folder because I have a number of pages in the 'Administration' sub folder.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18018093
You need to configure Windows authentication under IIS/Security for the sub-directory as well as in web.config, since it's really IIS that handles this, not asp.net.
0
 

Author Comment

by:tmccrank
ID: 18029825
Thanks dale_burrell.
Could you be more specific about what I have to do to configure Windows authentication for the sub-directory?
Here's what I've done:
1) Created a folder in IIS
2) In IIS --> Local Path pointing to the sub-directory in the wwwroot folder.
3) I have anonymous access enabled.  Is this right?
4) Integrated windows authentication is checked, all users that will be using the app are on a single domain.

In testing the app, I have the following in the web1.config:

    <authorization>
        <deny users="*" />
    </authorization>

This should deny everyone, including me, shouldn't it?  I still have access to pages in the Administration sub-folder though.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18030921
In point 2 when you say a sub-directory I assume you mean a virtual directory?

Point 3 - you don't want to enable anonymous access because you want to force them to login. Integrated windows authentication is correct. (NOTE: I just checked the setup of one of my sites and found that enable anonymous is enabled along with Integrated windows authentication so maybe it's OK).
0
 

Author Comment

by:tmccrank
ID: 18031859
Sorry, I was going about it all wrong.... I actually added an entirely new website in IIS called Administration and tried to configure it that way.  Whoops :-|

So, now what I've done is open the root node for my application in IIS.  I then went into the properties for the Administration folder (virtual directory?) and clicked on the "Create" button.

That definitely did something, as now I can't get any page in the Administration directory to load in the browser, I just get a parser error saying "Could not load type 'NurseEducationModules.Admin'."

I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Is there anything else that I need to configure in IIS?
0
 

Author Comment

by:tmccrank
ID: 18032058
>>I get this error even when I include my domain name in the web1.config file in the <authorization> section of the Administration folder.

Sorry, I meant <authorization> section of the web1.config file in the Administration folder.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18033598
Right, the problem is that now you have a separate virtual directory; this is actually a separate web app, and needs its own bin folder, app_code folder etc etc as it doesn't have access to the resources of the main web app.

HTH
0
 

Author Comment

by:tmccrank
ID: 18050028
Sorry, you lost me.... the Administration sub-directory needs its own bin file?  This is obviously way more involved than I thought!  Could you point me to a good resource that will explain how to do this in a step-by-step way?
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18050461
I don't know of a good online explanation but let's see if I can make it simple. To run a website based on asp.net you need what is called a web application. Web applications that run under IIS come in 2 flavours: a 'Website' and a 'Virtual Directory'.

A website needs an IP address and often a host header whereas a virtual directory is a sub-site of another website.

Now a web application (e.g. either a website or a virtual directory) has certain requirements such as a bin directory if you want to use DLLs, a web.config file if you want to change any of the default settings.

So here is the important bit... EVEN IF the virtual directory is under a REAL website, the virtual directory DOES NOT have access to the parent website's bin directory, web.config etc BECAUSE it is its own web application.

e.g. To solve your original problem you are creating a completely new web application, which just looks like it resides under the main site, because when you use windows authentication this is the only way you can change the authentication for a select group of files.

I hope this helps... I know it's complex - took me years to fully understand it - probably still don't.
0
 

Author Comment

by:tmccrank
ID: 18057194
Thanks dale_burrell for taking the time to explain...

So: 1) I need to create a whole new ASP.NET web application just for the Administration of my site... and copy the files from the Administration sub-folder of my current app;  2) Although I've now created a new application with all of the Administration pages from my original app, I keep the Administration folder and files from my current application; 3) Go to IIS, where - now that 'Administration' as a separate application has its own node under 'Default Web Site' - I should ignore the new website and somehow configure the 'Administration' virtual directory under my original website's node?

Is this on track?
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 1000 total points
ID: 18058736
Let's see...

You can leave the admin folder as a sub-directory of the main site if you'd like - might make things easier to maintain. It's just that the admin folder has to be created as a virtual directory within IIS AND it needs its own bin directory because it is a web app in its own right - but physically it's fine to have it as a sub-directory of the site it relates to.

The virtual directory needs to come under the main site as you say.

I think you had it right the way you set it up earlier but you didn't give the admin virtual directory its own bin directory and its own web.config - I'm basing that assumption on the fact that the error you got involved 'NurseEducationModules.Admin' which I assume is a DLL?
0
 

Author Comment

by:tmccrank
ID: 18086295
Hi dale_burrell, sorry for the late reply - got side-tracked.

Thanks for the info, here's what I have at the moment:

1) Configured the Administration virtual directory under the main application in IIS (right-clicked on the Administration folder in IIS --> properties --> clicked 'Create' --> OK).
2) I do have a web.config in the Administration folder (called web1.config to avoid possible conflicts) in which I configured <authorization> as per my original post.
 
Question...: You mention that the Administration sub-folder needs its own bin folder because Administration is an application in its own right (and therefore needs its own dll).  How is this done?   It's not as simple as creating a sub-folder called 'bin' in the Administration sub-folder and building the application (I didn't think it would be, but tried it anyway with no luck).

Thanks very much-
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 18090645
It is as simple as creating a bin directory and adding the DLLs - also note web.config must be called web.config - it can't be called web1.config.
0
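An added example, not part of the thread or of any poster's code: a small Python audit that models ASP.NET's first-match-wins evaluation of `<authorization>` rules and flags the two conditions visible in this thread, a config file not named web.config and an `<allow>` placed after `<deny users="*" />`. The function names and the temporary folder are constructed for illustration; `roles`, `verbs` and rules inherited from a parent web.config are not modelled.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the rule order from the question (deny before allow).
QUESTION_CONFIG = r"""<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="CH\KathrynSchmidt" />
</authorization></system.web></configuration>"""

def users_of(rule):
    return [u.strip().lower() for u in rule.get("users", "").split(",") if u.strip()]

def is_allowed(rules, user):
    """First matching rule wins, top to bottom. user=None means anonymous."""
    for rule in rules:
        names = users_of(rule)
        if "*" in names or (user is None and "?" in names) \
                or (user is not None and user.lower() in names):
            return rule.tag == "allow"
    return True  # no match: the machine-level default <allow users="*"/> applies

def load_rules(path):
    auth = ET.parse(path).getroot().find(".//authorization")
    return [] if auth is None else [r for r in auth if r.tag in ("allow", "deny")]

def audit(folder):
    """Flag misnamed config files and rules shadowed by an earlier users="*"."""
    findings = []
    for path in sorted(Path(folder).glob("*.config")):
        rules = load_rules(path)
        if not rules:
            continue
        if path.name.lower() != "web.config":
            findings.append(f"{path.name}: not named web.config, ASP.NET never reads it")
            continue
        for i, rule in enumerate(rules):
            if any("*" in users_of(r) for r in rules[:i]):
                findings.append(f"{path.name}: <{rule.tag}> for {rule.get('users')} "
                                "is unreachable after a users=\"*\" rule")
    return findings

def demo():
    """Audit the question's rules under both file names (constructed folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("web1.config", "web.config"):
            Path(tmp, name).write_text(QUESTION_CONFIG)
        return audit(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

With the rules reversed (the specific `<allow>` first, `<deny users="*" />` last), `is_allowed` returns True for the named account and False for every other user.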
 

Author Comment

by:tmccrank
ID: 18239955
Sorry, I let this slide... dale_burrell has definitely been a help, although I'm still trying to figure this out (I got side-tracked over the last few weeks).

Thanks Dale.
0
