Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Disable Forms Authentication on subfolder or Virtual Directory

Here is my scenario:

I've got a website set up in IIS (7.5) that uses Forms Authentication. I've got a subfolder within that website that I'm using as a WebDAV share. I've got a custom HTTP Module monitoring my WebDAV requests and also acts as a level of custom authentication. This custom authentication will first send a HTTP 401 Challenge to get the user's credentials when they try to map a drive to my WebDAV share, and then the credentials are parsed out of the Basic-Auth header server-side. The problem is that a Basic-Auth header is only sent if Forms Authentication is turned off.

What's more is that normally when my HTTP Module doesn't find an Auth Header, a 401 Challenge is sent (which prompts the user for credentials when Forms Auth is turned off). However, with Forms Auth turned on, my HTTP Module still executes and sends a 401 Challenge, but it appears that the Forms Auth is taking priority so in Fiddler I can clearly see a redirect to:

/Account/Login.aspx?ReturnURL=MySubFolder

The point of the custom authentication is so that I can allow the user to log-in to my site when mapping a drive to my WebDAV share. I want to capture their website credentials, authenticate them, and then show them the contents of the directory.

So my question is:

Is there a way to get Forms Authentication disabled on a subfolder or Virtual Directory within a website which has Forms Authentication enabled?

I've verified that I can get around this by creating a new Application in my website and put the subfolder in there, and then disable Forms Auth on the Application itself, but I'd really prefer not to do that if possible.

Everything I've tried (listed below) has resulted with my request to map a drive to Http://localhost/MySubFolder getting taken over by Forms Authentication (at least that's what I think is happening) and redirected to /login.aspx?ReturnUrl=MySubFolder (as shown in Fiddler).

Here's what I've tried:

1) Added a separate Web.config in MySubFolder:

   <configuration>
     <system.web>
       <authorization>
         <allow users="*"/>
       </authorization>
     </system.web>
   </configuration>

2) Added a <location> tag in the root-level Web.config for MySubFolder like this:

   <location path="MySubFolder">
     <system.web>
       <authorization>
         <allow users="*"/>
       </authorization>
     </system.web>
   </location>

3) Looked at updating the Feature Delegation in IIS.

Personally, I had some doubt with the above solutions because from what I've read, they are meant to simply allow all access while still leaving Forms Authentication enabled. I need a way to actually get Forms Authentication disabled on my subfolder. Is this possible?

I should also note that my subfolder could be a Virtual Directory, but it's not required one way or the other. I just need a way for Forms Auth to be disabled on that folder.

As per request, my Web.config file (site-level):

<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MyConnString" connectionString="Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer;User ID=UserName;Password=xxxxxxxxxx;MultipleActiveResultSets=True;"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>
  </system.web>
  <system.webServer>
    <modules runManagedModulesForWebDavRequests="true" runAllManagedModulesForAllRequests="true">
      <add name="CustomWebDAVModule" type="CustomWebDAVModule"/>
    </modules>
  </system.webServer>
</configuration>
like image 929
lhan Avatar asked Dec 12 '12 14:12

lhan


People also ask

How do I turn off Windows authentication in web config?

Expand the computer name, then Sites, then Default Web Site, then click on the name of the desired site. Select Authentication. Set Windows Authentication to Disabled and set Basic Authentication to Enabled.

What is the difference between Windows and Forms authentication?

Introduction. ASP.NET provides two main ways to secure your web applications. They are - Windows authentication and Forms authentication. Windows authentication uses windows users names and passwords to authenticate them where as Forms authentication typically uses user ids and passwords stored in some database.

What is Windows form authentication?

Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a Membership database, or in the configuration file for an application.


1 Answers

This question has already been answered: Multiple/Different authentication settings in web.config

You can't override the root authentication mode="Forms" tag within location tags. Making the folder it's own application is the easiest way out.

Another option is to implement your own custom Forms authentication and have it ignore the redirect for your webdav folder.

<authentication mode="None">
like image 190
Louis Ricci Avatar answered Nov 13 '22 13:11

Louis Ricci