I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have adde
First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case it was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".
Another note worth mentioning: if you put the following config in place:
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
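A web.config that puts the answer's advice side by side with the setting it warns against, as an added example (this is not the answerer's own config, which does not appear on this page). The two sections show which IIS Manager item edits what: `system.web/authorization` is what ".NET Authorization Rules" writes, and `system.webServer/security/authorization` is what the IIS-section "Authorization Rules" writes. `DOMAIN\AppUsers` and `DOMAIN\alice` are placeholder names; substitute accounts and groups that actually exist, since the answer reports that a rule naming an unknown principal ends up denying everyone.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example, not the original poster's config. DOMAIN\AppUsers and
       DOMAIN\alice are placeholders; use principals that really exist. -->

  <system.web>
    <!-- Edited by the ".NET Authorization Rules" item (ASP.NET section).
         Enforced by ASP.NET's UrlAuthorizationModule for requests that ASP.NET
         handles; this is NOT the IIS7 Authorization feature the answer means.
         ASP.NET rules are first-match, so the allow must come before deny *. -->
    <authorization>
      <allow roles="DOMAIN\AppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <system.webServer>
    <security>
      <!-- Edited by the "Authorization Rules" item under the IIS section.
           Native IIS7 URL authorization; the feature must be installed. -->
      <authorization>
        <!-- Remove the inherited "Allow users=*" rule rather than adding a
             Deny for *. Per the answer, "Deny *" plus Allow rules denies all. -->
        <remove users="*" roles="" verbs="" />

        <!-- Only the principals listed here get in; everyone else is denied
             by default once the inherited Allow * is gone. -->
        <add accessType="Allow" roles="DOMAIN\AppUsers" />
        <add accessType="Allow" users="DOMAIN\alice" />

        <!-- Do NOT do this (kept as a comment so it has no effect):
             <add accessType="Deny" users="*" />
             <add accessType="Deny" users="DOMAIN\nosuchuser" />
             The answer reports both patterns lock everyone out. -->
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Two practical checks before relying on this: the IIS-section rules match against the authenticated Windows identity, so an authentication method other than Anonymous (for example Windows Authentication) has to be enabled for the application, otherwise every request is the anonymous user and no named Allow rule matches. And `<remove users="*" roles="" verbs="" />` only removes the one inherited rule; if the parent levels carry other rules you want gone, `<clear />` as the first child of `<authorization>` discards all inherited rules before your own Allow entries.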