2

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.

Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error: "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."

In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).

Is there any way to secure the new section of the site while at the same time utilize the already existing resources?

ddechant

3 Answers

6

In your web.config file in the root of your site, if you add:

<location path="relativePathToDir">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

This is working for me using FormsAuthentication; the user gets redirected to the default login page if not authenticated.

JoshBerke
  • Even though this wasn't the exact answer we were looking for it gave us some very helpful hints to the fact that the authentication settings shouldn't be included in the location section. Thanks for the help. – ddechant Feb 03 '09 at 22:31
  • What was your final solution? – JoshBerke Feb 03 '09 at 22:38
  • Basically all we did was move the authentication settings for the secure directory outside of the location section. We had assumed that the authorization and authentication settings were to be applied to the secure directory only. – ddechant Feb 04 '09 at 15:59
  • What would you do if you had a site that used Forms Authentication but you needed a Virtual Directory to only have Anonymous Authentication enabled? Is this possible? – lhan Dec 10 '12 at 21:59
  • @lhan16 without looking into it I would assume it is possible. If it's just a virtual directory, it should work the same as above I believe. If it's an application it might be different. But again this is just my gut instinct – JoshBerke Dec 11 '12 at 22:22
  • It wouldn't have to be a virtual (a regular folder would work too). The reason I ask is because I've got a site with Forms Auth enabled, but I need to disable it on a subfolder so that I can connect anonymously when mapping a drive to that folder. With this answer above, Forms Auth still takes over and tries to redirect me to "login.aspx" (as seen in Fiddler). Any ideas? – lhan Dec 11 '12 at 22:33
4

I typed up a summary since many were facing the same situation regarding subfolder authentication.

Subfolder Authorization

  1. ASP.NET can only have a single authentication mode for one application.
  2. The different applications CANNOT share resources among them.

Scenario

Let's say the home page should not prompt a login dialog. It should let users pass through whatever the login is. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default IE treats all web sites with only a hostname as Intranet. By its default intranet setting, it will not prompt the login dialog and will pass the user login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.

The only way to not prompt the login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in the Location element in web.config.

1. In IIS, configure Authentication as follows:

  • Enable Anonymous Authentication
  • Enable Windows Authentication

2. Add the following in Web.Config:

<configuration>
  <system.web>
    <!-- application-wide settings -->
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- "secured" is the relative subfolder name. Deny anonymous users, so only authenticated logins pass through. -->
  <location path="secured" allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

devXen
1

Remove the application, then add this to the top-level web.config:

<configuration>
    <system.web>
        <!-- applies application wide -->
    </system.web>

    <location path="securedirectory" allowOverride="false">
        <system.web>
            <!-- applies only to the path specified -->
        </system.web>
    </location>

</configuration>

MSDN Reference

John Sheehan
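
An added example, not code from any of the answers: a small Python check for the two mistakes this thread turns on, an application-level section such as `<authentication>` placed inside a `<location>` block (the cause of the parser error in the question) and an `<authorization>` block whose rule order lets anonymous users through, since ASP.NET applies the first matching rule. The sample web.config, the paths `secure` and `reports`, and the function names are constructed for illustration; treating `sessionState` and `machineKey` as application-level-only is an assumption beyond what the page confirms, and `roles` and `verbs` attributes are ignored.

```python
import xml.etree.ElementTree as ET

# Sections assumed here to be registered allowDefinition="MachineToApplication";
# the page itself confirms this only for <authentication>.
APP_LEVEL_ONLY = {"authentication", "sessionState", "machineKey"}

# Constructed sample: root web.config with the mistake described in the question.
SAMPLE = """<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="secure">
    <system.web>
      <authentication mode="Forms" />
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
  <location path="reports">
    <system.web>
      <authorization><allow users="*" /><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""

def first_match_for_anonymous(authz):
    """Return 'allow', 'deny' or None: the first rule matching an anonymous user."""
    for rule in authz:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
            return rule.tag
    return None

def audit(config_xml):
    """Check every <location> block of a root web.config."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        for web in loc.findall("system.web"):
            for child in web:
                if path and child.tag in APP_LEVEL_ONLY:
                    findings.append((path, f"<{child.tag}> must move to application level"))
            authz = web.find("authorization")
            if authz is None or first_match_for_anonymous(authz) != "deny":
                findings.append((path, "anonymous users are not denied here"))
    return findings

if __name__ == "__main__":
    for path, message in audit(SAMPLE):
        print(f"{path}: {message}")
```
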