
web.config in folder allowing all or no user authentication

I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users are getting access to the page.

Adding my user credentials and denying all anonymous users, I don't get access. Can somebody please point me in the right direction of what I'm doing wrong? Can it be that it is not reading or taking my Windows logon credentials? I'm using Visual Studio 2012, Entity Framework.

This is what I've done:

    <?xml version="1.0"?>
    <!-- Web.config that allows and denies -->
    <configuration>
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>

      <location path="QualityCheckSurvey.aspx">
        <system.web>
          <authorization>
            <allow users="DomainName\User2" />
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

I have set my authentication mode to Windows.

EDIT It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1, the user doesn't get access even when prompted with a login request. The Windows login dialog box just keeps on popping up 3 times, even if the user has access. Making it deny ? (anonymous) allows everybody to have access; even if I take out the deny and only have the allow tag with USER1, the rest of the users still have access... I'm running locally now, but even on IIS, setting the authentication there (Windows and basic authentication) does exactly the same....

EDIT This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>

      <location path="QualityCheckSurvey.aspx">
        <system.web>
          <authorization>
            <deny users="?" />
            <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

In my main web.config in the root of the application I have set authentication mode to Windows:

    <authentication mode="Windows">
      <!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
    </authentication>

Kerieks asked Aug 13 '13 11:08



2 Answers

In your question you said you have a folder name, but in the web.config you have given only the file name in the path. Use foldername/filename.aspx like below. Use deny users="*" instead of deny users="?".

<location path="foldername/QualityCheckSurvey.aspx">
    <system.web>
        <authorization>
            <allow users="DomainName\User2"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

EDIT

This looks like you have multiple web.config files in the same application. To avoid confusion, just remove the one in the survey folder and add this code to the root folder web.config.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- authentication is a child of system.web, not of authorization -->
    <authentication mode="Windows" />
  </system.web>

  <location path="survey/QualityCheckSurvey.aspx">
    <system.web>
      <authorization>
        <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

I am assuming the survey folder is inside the root folder.

Cherian M Paul answered Sep 20 '22 13:09
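
The rule ordering at issue in this thread, as an added example that is not part of the question or of either answer: ASP.NET URL authorization applies the first rule that matches the caller, checking a `<location>` block's rules before inherited ones. This Python sketch evaluates the question's `allow` + `deny users="?"` list beside the `allow` + `deny users="*"` form; the function names are hypothetical, and only the `users` attribute is modelled (no `roles` or `verbs`).

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the question's first rule set for QualityCheckSurvey.aspx
# and the allow-list form with a trailing deny of all users.
QUESTION_RULES = r"""<authorization>
  <allow users="DomainName\User2" />
  <deny users="?" />
</authorization>"""

ALLOW_LIST_RULES = r"""<authorization>
  <allow users="DomainName\User2" />
  <deny users="*" />
</authorization>"""

# Rule inherited from the parent level (the folder's <allow users="*" />).
INHERITED_RULES = '<authorization><allow users="*" /></authorization>'


def parse_rules(xml_text):
    """Return [(action, [lower-cased user tokens])] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            tokens = [t.strip().lower() for t in el.get("users", "").split(",")]
            rules.append((el.tag, [t for t in tokens if t]))
    return rules


def rule_matches(tokens, user):
    """user is None for an anonymous request, otherwise 'DOMAIN\\name'."""
    for token in tokens:
        if token == "*":                       # every user, anonymous included
            return True
        if token == "?" and user is None:      # anonymous users only
            return True
        if user is not None and token == user.lower():
            return True
    return False


def is_authorized(location_xml, user, inherited_xml=INHERITED_RULES):
    """First matching rule decides; <location> rules come before inherited ones."""
    for action, tokens in parse_rules(location_xml) + parse_rules(inherited_xml):
        if rule_matches(tokens, user):
            return action == "allow"
    return False  # sketch's choice when nothing matches; unreachable with allow "*"


def access_table(location_xml, users):
    """Map each caller to the decision the rule list produces."""
    return {u: is_authorized(location_xml, u) for u in users}
```

With `deny users="?"` an authenticated user who is not listed falls through to the inherited `allow users="*"`, while `deny users="*"` stops every caller not matched by the preceding `allow`.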


Fixing this error if Windows authentication is added to project after it's been created

That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it worked:

  1. In Solution Explorer, click on the project and then push F4. This should open up the Project properties.

  2. In Project Properties and under the Development Server, make the following changes:

    • Anonymous Authentication: Disabled
    • Windows Authentication: Enabled

  3. Include the following in the Web.config under <system.web>:

    <authorization>
      <allow users="DOMAIN\user"/>
      <deny users="*"/>
    </authorization>
    
  4. Still in the Web.config under <appSettings>:

    <add key="owin:AutomaticAppStartup" value="false"/>
    

This is what worked for me. If I'm doing something wrong, please let me know.

Hopefully this will help future individuals who are working with Windows authentication after creating the project.

Trevor Nestman answered Sep 16 '22 13:09