IIS7 Authorization Rules / Config - Prompting Perpetually

北海茫月 2021-02-15 23:40

I am trying to secure an application in IIS7 using .NET Authorization Rules.

By default, the web server allows all users access (which is inherited).

I have adde

4 answers
  •  再見小時候
    2021-02-16 00:07

    First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:

    http://www.iis.net/ConfigReference/system.webServer/security/authorization

    The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".

    Another note worth mentioning, if you put the following config in place:

    
      
        
          
            
            
            
          
        
      
    
    

    This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.

    Also, specifying deny for * and allow for certain users will not work; it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
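
Added example (not part of the original answer, and not a reconstruction of its missing config): a web.config sketch of the allow-list approach the answer describes, using the IIS7 `system.webServer/security/authorization` section. The role name `EXAMPLE\AppUsers` is a constructed placeholder, and the sketch assumes the URL Authorization feature is installed and anonymous authentication is disabled for the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the inherited server-level rule that allows all users.
             The attributes must match the inherited entry exactly. -->
        <remove users="*" roles="" verbs="" />

        <!-- Allow only the intended audience. With no other allow rule
             present, every other user is refused.
             EXAMPLE\AppUsers is a placeholder role. -->
        <add accessType="Allow" users="" roles="EXAMPLE\AppUsers" />

        <!-- Do not pair the allow rule with a deny for everyone, e.g.
               add accessType="Deny" users="*"
             IIS7 URL Authorization processes deny rules before allow
             rules, so that deny would also block EXAMPLE\AppUsers. -->
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

These are the rules shown under "Authorization Rules" in the IIS section of IIS Manager; the ASP.NET ".NET Authorization Rules" item edits `system.web/authorization` instead.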
