Allow anonymous authentication for a single folder in web.config?

Question

So here is the scenario, I have an Asp.Net application that is using a custom authentication & membership provider but we need to allow completely anonymous access (i.e.) to a particular folder within the application.

In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config file as described here

To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.

Does anyone know otherwise?

Many thanks

Most of the app should only be accessible to folk who have bought access but we want to expose some free content to the outside world (to tempt people to buy access). — Chris Fewtrell, Apr 27 '12 at 14:29

Tim Lewis · Answer 1 · 2014-09-22T21:25:15.297

74

The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:

<configuration>
   <location path="Path/To/Public/Folder">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.

First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:

<section name="anonymousAuthentication" overrideModeDefault="Allow" />

overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.

Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:

<location path="Path/To/Public/Folder">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

edited Sep 22 '14 at 21:25

answered Jul 11 '12 at 14:20

Tim Lewis

3,335
1
36
26

-1 what about not hosting localy? when you dont have access to the apphost.conf ? – Rafael Herscovici Sep 22 '14 at 13:26
12

The original post specifically referenced the applicationHost.config file. A down-vote on an answer seems harsh for the original post not matching the specific limitations of your scenario. – Tim Lewis Sep 22 '14 at 15:42
1

"it would be great if I could set this within my web.config" – Rafael Herscovici Sep 22 '14 at 19:49
2

Unfortunately that is not the case since overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. Therefore you have to take up that discussion with your hosting provider or system administrator if you don't have that level of access on your target system. – Tim Lewis Sep 22 '14 at 20:04
1

Now, THAT'S an answer. if you'll bother to add it to the answer you posted, ill remove my -1 and even +1 your answer. – Rafael Herscovici Sep 22 '14 at 20:42
2

Updated answer based on feedback, please take another look. – Tim Lewis Sep 22 '14 at 21:26

score 54 · Accepted Answer · answered Apr 27 '12 at 13:05

54

Use <location> configuration tag, and <allow users="?"/> to allow anonymous only or <allow users="*"/> for all:

<configuration>
   <location path="Path/To/Public/Folder">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

answered Apr 27 '12 at 13:05

Serge S.

4,855
3
42
46

17

This is what I first tried but it does not work. I suspect that these location authorization settings only have effect when running with Forms authentication. – Chris Fewtrell Apr 27 '12 at 14:28
5

that seems to be the case Chris Fewtrell. Certainly, With Windows authentication, it doesn't seem to matter what you set these to. – mattpm Feb 27 '18 at 00:42

Imran Rizvi · Answer 3 · 2012-04-27T14:40:43.453

3

<location path="ForAll/Demo.aspx">
 <system.web>
  <authorization>
    <allow users="*" />
  </authorization>
 </system.web>
</location>

In Addition: If you want to write something on that folder through website , you have to give IIS_User permission to the folder

edited Apr 27 '12 at 14:40

answered Apr 27 '12 at 13:17

Imran Rizvi

7,331
11
57
101

score 1 · Answer 4 · edited Jul 18 '23 at 07:39

To make it work I build my directory like this:

Project
- Public
- Restrict

So I edited my webconfig for my public folder:

<location path="Project/Public">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

And for my Restricted folder:

 <location path="Project/Restricted">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

See here for the spec of * and ?:

https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/add

I hope I have helped.

score 0 · Answer 5 · answered Aug 19 '16 at 16:46

I added web.config to the specific folder say "Users" (VS 2015, C#) and the added following code

<?xml version="1.0"?>
 <configuration>
  <system.web>
    <authorization>     
    <deny users="?"/>
  </authorization>
</system.web>
</configuration>

Initially i used location tag but that didn't worked.

Allow anonymous authentication for a single folder in web.config?

5 Answers5

Linked