I have an IIS on a Windows Server 2016. It works as our intranet and has Windows authentication enabled for using the user login. This all works perfectly.

Now we want to develop an API using the same server. Therefore I need to exclude a path from Windows authentication and make it available for anonymous connections. The path, e.g. "[server]/api/", will be handled by PHP, so there is no 'physical' /api folder.

I edited the web.config with the following part I found on the internet:

<location path="Default Web Site/api">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>

My second attempt was to change

<section name="anonymousAuthentication" overrideModeDefault="Deny" />

to

<section name="anonymousAuthentication" overrideModeDefault="Allow" />

in the applicationHost.config and adding the following to the web.config

<location path="Path/To/Public/Folder">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

Both attempts do not work; if I open [server]/api it still asks for my credentials. Any help is appreciated.


Update: I followed the link given by MisterSmith and edited the applicationHost.config, changing Deny to Allow:

<section name="access" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" /> 

and added/replaced the following in my web.config:

<location path="api">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
    <system.webServer> 
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

But I still get an authentication request for /api. I think it's an easy error, but I can't figure out what I am missing. I have a 64-bit OS and used a 64-bit Notepad++, but to make sure I tried the recommended Notepad2 and the built-in notepad.exe, with no luck. To make sure my editing of the web.config is not causing the error, here it is in total:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="<server>" />
                <add name="Access-Control-Allow-Credentials" value="true" />
            </customHeaders>
        </httpProtocol>
        <rewrite>
            <rules>
                <rule name="Importierte Regel 1" stopProcessing="true">
                    <match url="^(.*)$" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors errorMode="Detailed" />
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
    <location path="api">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
        <system.webServer> 
            <security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>
</configuration>
bob
  • You deployed your application in IIS and enabled Windows authentication. Have you tried to set up anonymous authentication in IIS and disable Windows authentication? Here is the document: https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/ – Theobald Du May 03 '21 at 07:14

2 Answers

0

You're close, but your location block and applicationHost.config are missing a couple of bits - see post IIS 8.5: Change authentification mode for url sub path. Also, if you get weird behavior, pay attention to the comments about the 32/64-bit "bitness" of your text editor - if you use a 32-bit editor, Windows will give you the 32-bit applicationHost file; with a 64-bit editor, Windows returns the 64-bit applicationHost file (if in doubt, the regular built-in notepad.exe is always a 64-bit app on 64-bit Windows).

MisterSmith
  • Hey, thanks, but I can't get it to work. I've updated my question with further information – bob Apr 30 '21 at 21:00
  • Try adding `` before `` in your location block – MisterSmith May 01 '21 at 09:24
  • Still doesn't work. I'm getting the feeling the error is somewhere else and not in the web.config or the applicationHost.config :/ – bob May 01 '21 at 10:20
  • Have you tried explicitly disabling Windows auth as well as enabling anonymous auth inside your `api` location block? Windows auth might be before anonymous in the list of handlers. Failing that, you might need to isolate your `/api` application with either a virtual directory or by using the ARR module as a reverse proxy. Can you expand on how your main app/API are set up? – MisterSmith May 02 '21 at 14:38
0

Found it with the help of MisterSmith. The 'error' was that I had a wrong location. Because my routes in general do not exist physically, but are only handled in the PHP script, I have the rewrite rule in the web.config. This results in <server>/test being rewritten to <server>/index.php/test.

Having this in mind, the path in the location block needed to be changed from <location path="api"> to <location path="index.php/api"> which solves the problem!

bob
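
A simplified model of why `<location path="api">` never applied, as an added example that is not part of the original posts: it resolves the anonymousAuthentication setting against the rewritten path rather than the requested one. The trimmed config, the function names and the whole-segment prefix matching are assumptions for illustration, not IIS's own code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's web.config reduced to the parts that matter here.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite><rules>
      <rule name="front controller" stopProcessing="true">
        <match url="^(.*)$" />
        <action type="Rewrite" url="index.php/{R:1}" />
      </rule>
    </rules></rewrite>
    <security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security>
  </system.webServer>
  <location path="%s">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""
ANON = "system.webServer/security/authentication/anonymousAuthentication"

def rewritten_path(root, url_path):
    """Apply the first matching rule; assumes the route is not a file or directory on disk."""
    for rule in root.iterfind("system.webServer/rewrite/rules/rule"):
        m = re.search(rule.find("match").get("url"), url_path)
        if m:
            target = rule.find("action").get("url")
            return re.sub(r"\{R:(\d+)\}", lambda g: m.group(int(g.group(1))), target)
    return url_path

def anonymous_allowed(config_xml, url_path):
    """Return (rewritten path, effective anonymous setting) for one request."""
    root = ET.fromstring(config_xml)
    path = rewritten_path(root, url_path.strip("/"))
    enabled = root.find(ANON).get("enabled")  # site-wide default
    best = -1
    for loc in root.iterfind("location"):
        scope = loc.get("path").strip("/")
        node = loc.find(ANON)
        # A location covers its own path and everything below it, whole segments only.
        if node is not None and (path == scope or path.startswith(scope + "/")) and len(scope) > best:
            best, enabled = len(scope), node.get("enabled")
    return path, enabled == "true"

if __name__ == "__main__":
    for p in ("api", "index.php/api"):
        print(p, anonymous_allowed(WEB_CONFIG % p, "/api/users"))
```

Running the same function over the intranet's other routes shows that only paths under `index.php/api` become anonymous, while everything else keeps the site-wide setting.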