Allow anonymous access to a directory in a IIS site that uses Windows Authentication

Question

I have an IIS8 site which runs ASP.NET 4.0 using Windows Authentication.

In my IIS Authentication Settings, all are disabled except Windows Authentication. Users are able to authenticate properly and use the site as intended.

However, I now have an Uploads folder which contains images which I want to expose to non-authenticated users from other applications.

In my web.config files I have the following lines that relate to Authentication/Authorization:

  <system.web>
    <authentication mode="Windows"/>
  </system.web>
  <location path="Uploads">
    <system.web>
       <authorization>
          <allow users="*" />
       </authorization>
    </system.web>
  </location>

How do I allow anonymous access to the uploads folder, while keeping Windows Authentication for everything else? Currently they have to login to the other application, and then when accessing images from the site in question, they have to authenticate in order to gain access to them.

Also, the location path is relative to the web.config file correct?

Edit: Not sure if this matters, but our site is both internally and externally available. If access from computers on our domain, it logs in automatically, if it's a computer that is not on the domain, they are redirected to a login page.

What exactly the `Uploads`'s location (according to the root)? — Royi Namir, Sep 23 '15 at 20:45
@RoyiNamir Uploads is in the root on the same level as web.config — yoshi0423, Sep 23 '15 at 20:46

score 2 · Accepted Answer · answered Sep 24 '15 at 17:51

I found the answer on another question: Allow anonymous authentication for a single folder in web.config?

First, I had to go into C:\Windows\System32\inetsrv\config\applicationHost.config
Search for this line , and change to "Allow" instead of "Deny"
Then put the code below into web.config file

Code:

<location path="Path/To/Public/Folder">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

score 0 · Answer 2 · answered Sep 23 '15 at 22:06

What you need to do is remove the "Deny" rule for anonymous since it gets inherited it will still block users, something like:

<system.webServer>
    <security>
        <authorization>
            <remove users="?" roles="" verbs="" />
            <allow users="*" />
        </authorization>
    </security>
</system.webServer>

Indeed the location path is relative to the folder where the web.config is located.

I also just noticed that you are using system.web instead of system.webServer which is the one you should be using.

this is not a valid configuration (anymore) – Allie Jan 03 '19 at 10:37 — Allie, Jan 03 '19 at 10:37

Allow anonymous access to a directory in a IIS site that uses Windows Authentication

2 Answers2