So here is the scenario, I have an Asp.Net application that is using a custom authentication & membership provider but we need to allow completely anonymous access (i.e.) to a particular folder within the application.
In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config
file as described here
To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.
Does anyone know otherwise?
Many thanks
In the Connections pane, expand the server name, expand Sites, and go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application. Scroll to the Security section in the Home pane, and then double-click Authentication.
Go to Administrative Tools and open Internet Information Services (IIS). In the Internet Information Services dialog box, expand local computer ► Sites, and click Default Website. Double-click Authentication. Click Anonymous Authentication and make sure it is enabled.
Click to highlight the web application whose permission policy that you want to manage. In the Security group of the ribbon, click Authentication Providers. Click the zone where you want to enable anonymous access. Ensure that the Enable anonymous access check box is selected, and click OK.
The first approach to take is to modify your web.config using the <location>
configuration tag, and <allow users="?"/>
to allow anonymous or <allow users="*"/>
for all:
<configuration> <location path="Path/To/Public/Folder"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location> </configuration>
If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.
First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
overrideMode
is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.
Second, after setting overrideModeDefault="Allow"
then you can put the following in your web.config:
<location path="Path/To/Public/Folder"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" /> </authentication> </security> </system.webServer> </location>
Use <location>
configuration tag, and <allow users="?"/>
to allow anonymous only or <allow users="*"/>
for all:
<configuration> <location path="Path/To/Public/Folder"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location> </configuration>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With