IIS7 Authorization Rules / Config - Prompting Perpetually

北海茫月 2021-02-15 23:40

I am trying to secure an application in IIS7 using .NET Authorization Rules.

By default, the web server allows all users access (which is inherited).

I have adde

4 answers
  • 2021-02-16 00:07

    First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:

    http://www.iis.net/ConfigReference/system.webServer/security/authorization

    The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".

    Another note worth mentioning, if you put the following config in place:

    <configuration>
      <system.webServer>
        <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Deny" users="unknownname" />
            <add accessType="Allow" users="knownname" />
          </authorization>
        </security>
      </system.webServer>
    </configuration>
    

    This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.

    Also, specifying deny for * and allow for certain users will not work; it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.

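An added example (not code from the post or from Microsoft): a simplified Python model of how the two rule sets this answer distinguishes are evaluated, IIS "Authorization Rules" (deny rules first, then allow rules) and ".NET Authorization Rules" (first matching rule in order). It assumes the only inherited rule is allow-all, ignores verbs and the anonymous `?` user, and uses constructed fragments and a constructed `otheruser` name.

```python
import xml.etree.ElementTree as ET

# Constructed fragments built from the rule shapes in the answer above.
IIS_ALLOW_ONLY = '<authorization><add accessType="Allow" users="knownname" /></authorization>'
IIS_REMOVE_THEN_ALLOW = ('<authorization><remove users="*" roles="" verbs="" />'
                         '<add accessType="Allow" users="knownname" /></authorization>')
IIS_DENY_STAR = ('<authorization><add accessType="Allow" users="knownname" />'
                 '<add accessType="Deny" users="*" /></authorization>')
ASPNET_ALLOW_THEN_DENY = '<authorization><allow users="knownname" /><deny users="*" /></authorization>'
ASPNET_DENY_THEN_ALLOW = '<authorization><deny users="*" /><allow users="knownname" /></authorization>'

def _split(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _matches(rule_users, rule_roles, user, roles):
    users, wanted = _split(rule_users), _split(rule_roles)
    return "*" in users or user.lower() in users or bool(wanted & {r.lower() for r in roles})

def iis_allows(authorization_xml, user, roles=()):
    """Simplified model of <system.webServer>/<security>/<authorization>."""
    # Assumption: the only inherited rule is the server-level allow-all.
    rules = [("Allow", "*", "")]
    for el in ET.fromstring(authorization_xml):
        key = (el.get("users", ""), el.get("roles", ""))
        if el.tag == "clear":
            rules = []
        elif el.tag == "remove":
            rules = [r for r in rules if r[1:] != key]
        elif el.tag == "add":
            rules.append((el.get("accessType"),) + key)
    # Deny rules are evaluated before allow rules, whatever their order.
    for access in ("Deny", "Allow"):
        if any(a == access and _matches(u, r, user, roles) for a, u, r in rules):
            return access == "Allow"
    return False  # no matching rule: access is denied

def aspnet_allows(authorization_xml, user, roles=()):
    """Simplified model of <system.web>/<authorization>: first match wins."""
    for el in ET.fromstring(authorization_xml):
        if _matches(el.get("users"), el.get("roles"), user, roles):
            return el.tag == "allow"
    return True  # falls through to the inherited <allow users="*" />

if __name__ == "__main__":
    for name, xml in list(globals().items()):
        if name.startswith(("IIS_", "ASPNET_")):
            check = iis_allows if name.startswith("IIS_") else aspnet_allows
            print(name, {u: check(xml, u) for u in ("knownname", "otheruser")})
```

In this model an allow rule added without removing the inherited `*` rule leaves the application open to everyone, while a deny for `*` locks out even the explicitly allowed user in the IIS section regardless of rule order.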
  • 2021-02-16 00:07

    Configure Basic Authentication in IIS 8 on Windows Server 2012

    01-Authentication-Add Features

    02-Authentication-Server Roles

    03-Authentication-Server Management

    04-Authentication-Set Password for user

    05-Authentication-Authentication in IIS setup

  • 2021-02-16 00:19

    I spent 4 hours trying to set this up (to use domain role) :). The final solution was to use the domain name in the role too:

    <system.web>
      <authorization>
        <allow roles="DOMAINNAME\rolename" />
        <deny users="*" />
      </authorization>
    </system.web>
    
  • 2021-02-16 00:20

    Could you change your code as below?

    <deny users="*" />
    <allow users="myusername" />
    