6

I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5

I'm currently using this web.config in the directory. This is a directory with style sheets:

<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the 
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in 
    machine.config.comments usually located in 
    \Windows\Microsoft.Net\Framework\v2.x\Config 
-->

    <configuration>
        <appSettings/>
        <connectionStrings/>
        <system.web>
            <authorization>

                <allow users="*" />

            </authorization>

        </system.web>
    </configuration>

Update:

I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.

I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.

Curtis White
  • 6,213
  • 12
  • 59
  • 83

2 Answers2

7

Since you answered your own question, here is the explanation that might help

Authorization deals with who IIS will offer resources to. Those resources, however, have their own security as they are just files on a file system.

The Authentication element in the config assists in determining how IIS will identify a user's requests after its accepted and as it accesses resources beyond/external to IIS.

This is set at the site level, typically in the applicationHost.config file for your server. It can, if properly setup, be overridden at the site level.

IIS.net pages about this:

http://www.iis.net/ConfigReference/system.webServer/security/authorization/add

http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication

The .config version of what you did in the UI is:

<location path="/yourSite">
   <system.webServer>
      <security>
         <authentication>
            <anonymousAuthentication enabled="true" username="" />
          </authentication>
      </security>
   </system.webServer>
</location>

On the anon. auth method, the username field is who IIS will impersonate when resources are accessed. When you don't specify one, it defaults to use the identity of the apppool.

Now, as to why this mattered ... check the actual file on disk (the .css). If this fixed the problem that would mean IUSR doesn't have access to read that file.

Taylor Bird
  • 7,767
  • 1
  • 25
  • 31
0

You don't have a location defined for your authorization. You also don't specify what sort of authentication you're using within the web.config (if any). 

<location path="/">
    <system.web>
    <authorization>
        <allow users="*"/>
        </authorization>
    </system.web>
</location>
Joel Etherton
  • 37,325
  • 10
  • 89
  • 104