
Can someone please tell me why my IIS subdirectory authorization rules are not working?

I suspect it's something to do with using a custom membership and role provider.
All users, anonymous AND users who are logged in get a 401.2 Unauthorized error for all files in the /users subdirectory.

I'm trying to restrict access to static files and asp.net pages in a subdirectory. I used the Authorization Rules button in IIS7 manager.

In /users it has created a web.config file with this section:

<system.webServer>
  <security>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Deny" users="?" />
      <add accessType="Allow" roles="auth_users" />
    </authorization>
  </security>
</system.webServer>

In the web.config of the site root are these custom role and membership settings. The membership and role providers are working fine - users are added to the role, it's just the authorization rules that aren't working.

<roleManager enabled="true" defaultProvider="MyRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" applicationName="MyUsersApp" />
  </providers>
</roleManager>
<membership defaultProvider="MyMembershipProvider">
  <providers>
    <remove name="AspNetSqlMembershipProvider" />
    <add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="MyUsersApp" />
  </providers>
</membership>
asked by Jon.A (last edited by hg8)
  • Try this config: – Kami Apr 29 '15 at 12:42
  • Hi, Just tried that config in the subdirectory but now with a static file site.com/users/test.jpg anonymous users and logged in users can all see the file. – Jon.A Apr 29 '15 at 13:09
  • In IIS disable Anonymous Authentication for the users folder. – Kami Apr 29 '15 at 13:18
  • Didn't really help unfortunately. With your subdirectory config and anonymous authentication disabled, a logged-on user gets a 401.2 error; the only difference is that on the error page the Logon User is set to 'Not yet determined', whereas with the original config the logon user was 'Anonymous'. – Jon.A Apr 29 '15 at 13:35
  • http://stackoverflow.com/questions/4824494/deny-access-to-admin-folder-in-web-config – Kami Apr 29 '15 at 14:03
  • The link I just shared describes the same issue as yours, I guess. – Kami Apr 29 '15 at 14:04
  • Yes - as you say, same issue. – Jon.A Apr 29 '15 at 17:32
  • That didn't work for you at all? – Kami Apr 29 '15 at 20:47

1 Answer

Still playing with this, it looks promising... but I'm thinking there's probably a more elegant solution out there.

<location path="users">
  <system.web>
    <!-- Managed (ASP.NET) URL authorization: rules are read top to bottom, first match wins -->
    <authorization>
      <allow roles="auth_users" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <!-- Serve these static types through the managed StaticFileHandler so that the
         managed authorization rules above are applied to them as well -->
    <handlers>
      <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <add name="JS" path="*.js" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <!--More static file types...-->
    </handlers>
  </system.webServer>
</location>
answered by Jon.A
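The `<system.web><authorization>` block in the answer is evaluated by the managed ASP.NET UrlAuthorizationModule, which walks the rules top to bottom (most specific config first, ending with machine.config's default `<allow users="*"/>`) and stops at the first match. The `<system.webServer><security><authorization>` block in the question is handled by IIS's native URL authorization module, a separate component that is not modelled here. The following is an added illustration of that managed evaluation order, written for this page and not taken from the question, the answer or any IIS/ASP.NET code; the user names and the `auth_users` membership of each are constructed. It shows why the answer's allow-then-deny order works, why the reverse order locks out everyone including role members, and why a `deny users="?"` on its own does not exclude logged-in users who are not in the role.

```python
# Added illustration: a simplified model of how ASP.NET's managed
# UrlAuthorizationModule evaluates <system.web><authorization> rules.
# This is not IIS or ASP.NET code; user names and role memberships are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence

ANONYMOUS = "?"   # wildcard for unauthenticated requests
EVERYONE = "*"    # wildcard for every request, authenticated or not


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    users: frozenset     # lower-cased user names, "?" or "*"
    roles: frozenset     # lower-cased role names
    verbs: frozenset     # upper-cased HTTP verbs; empty means all verbs


@dataclass(frozen=True)
class Principal:
    name: Optional[str]             # None = no forms-auth ticket (anonymous)
    roles: frozenset = frozenset()  # roles reported by the role provider


def _rule(action: str, users: Iterable[str], roles: Iterable[str], verbs: Iterable[str]) -> Rule:
    return Rule(action,
                frozenset(u.lower() for u in users),
                frozenset(r.lower() for r in roles),
                frozenset(v.upper() for v in verbs))


def allow(users=(), roles=(), verbs=()) -> Rule:
    return _rule("allow", users, roles, verbs)


def deny(users=(), roles=(), verbs=()) -> Rule:
    return _rule("deny", users, roles, verbs)


def matches(rule: Rule, who: Principal, verb: str) -> bool:
    """Does this <allow>/<deny> element apply to this request?"""
    if rule.verbs and verb.upper() not in rule.verbs:
        return False
    if EVERYONE in rule.users:
        return True
    if who.name is None:
        return ANONYMOUS in rule.users          # anonymous matches only "?" or "*"
    if who.name.lower() in rule.users:
        return True
    return bool(rule.roles & {r.lower() for r in who.roles})


def is_authorized(sections: Sequence[Sequence[Rule]], who: Principal, verb: str = "GET") -> bool:
    """Top to bottom, first matching rule decides.  `sections` is ordered most
    specific first: the subdirectory or <location> rules, then each parent
    web.config, ending with the machine-wide default <allow users="*"/>."""
    for section in sections:
        for rule in section:
            if matches(rule, who, verb):
                return rule.action == "allow"
    return True   # not reached while the default section is present


# Machine-wide default that every site inherits.
ROOT_DEFAULT = [allow(users=["*"])]

# The answer's <location path="users"> rules: allow the role, then deny everyone else.
ANSWER_USERS_RULES = [allow(roles=["auth_users"]), deny(users=["*"])]

# The same two rules in the other order: a frequent mistake.
REVERSED_RULES = [deny(users=["*"]), allow(roles=["auth_users"])]

# The question's rule pair (deny anonymous, allow the role) if it were written
# as <system.web> rules rather than IIS native rules.
DENY_ANON_RULES = [deny(users=["?"]), allow(roles=["auth_users"])]

# Constructed principals (assumed names, not from the page).
ANONYMOUS_USER = Principal(None)
MEMBER = Principal("alice", frozenset({"auth_users"}))   # logged in, in the role
OUTSIDER = Principal("bob")                               # logged in, not in the role


def outcome(location_rules: Sequence[Rule], verb: str = "GET") -> Dict[str, bool]:
    """Authorization result for a request under /users with the given rule block."""
    sections = [location_rules, ROOT_DEFAULT]
    return {
        "anonymous": is_authorized(sections, ANONYMOUS_USER, verb),
        "member": is_authorized(sections, MEMBER, verb),
        "outsider": is_authorized(sections, OUTSIDER, verb),
    }


if __name__ == "__main__":
    for label, rules in [("answer", ANSWER_USERS_RULES),
                         ("reversed", REVERSED_RULES),
                         ("deny ? only", DENY_ANON_RULES)]:
        print(f"{label:12s} {outcome(rules)}")
```

Two things to keep in mind when checking a real deployment against this model. First, the managed module only sees requests that reach the managed pipeline: by default it carries the `managedHandler` precondition, so a static file served by IIS's native StaticFileModule is never checked by the `<system.web>` rules. That is what the handler mappings in the answer work around, and it also means any extension that is not mapped to `System.Web.StaticFileHandler` (or otherwise routed to a managed handler) in that `<location>` is served without this check, unless the module's precondition is removed or `runAllManagedModulesForAllRequests="true"` is set. Second, a `deny users="?"` rule on its own only rejects anonymous requests; authenticated users outside the role fall through to the inherited `<allow users="*"/>`, so a closing `<deny users="*"/>` is what actually restricts the folder to the role.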