I am currently preventing anonymous users access to my root application.
/web.config
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
But am allowing anonymous access to public resources (Images, CSS, etc.):
<location path="Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now, I would like to add a virtual directory which should be accessible to anonymous users. I added a configuration based on the Images path, but whenever I try to access that location, I get redirected to the login page with the ReturnURL
set to the virtual directory.
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition, I tried to specify the global authorization within my virtual directory's web.config but get an error saying I can only have that once
/virtualDirectory/web.config:
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
How can I allow anonymous access to a virtual directory when my root application is preventing anonymous access?
Go to Administrative Tools and open Internet Information Services (IIS). In the Internet Information Services dialog box, expand local computer ► Sites, and click Default Website. Double-click Authentication. Click Anonymous Authentication and make sure it is enabled.
You can enable the Windows Authentication in IIS Express by modifying the applicationhost. config under the “C:\Users[username]\Documents\IISExpress\config” directory. You need to find the windowsAuthentication element under authentication, and change the value of attribute enabled to true. Happy Programming.
Scroll to the Security section in the Home pane, and then double-click Authentication. In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
Anonymous authentication gives users access to a website without prompting them for a user name or password. When a user attempts to connect to a public website, the web server assigns the user to the Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running.
In your global web.config encapsulate the
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
with
<location path="." inheritInChildApplications="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
It means - authorization is enforced only in root app, not for the child apps.
Some notes.
The asterisk mark (*) represents all identity.
The question mark (?) represents the anonymous identity.
So ideally, you don't need to set to allow authentication for the anonymous user for your virtualDirectory in the global web.config.
Go to IIS, under your Virtual Directory > select Authentication > Enable Anonymous Authentication.
Refer
ASP.NET Authorization
How to: Create and Configure Virtual Directories in IIS
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With