I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have adde
First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules"
Another note worth mentioning, if you put the following config in place:
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="unknownname" />
<add accessType="Allow" users="knownname" />
</authorization>
</security>
</system.webServer>
</configuration>
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
Configure Basic Authentication in IIS 8 on Windows Server 2012
01-Authentication-Add Features
02-Authentication-Server Roles
03-Authentication-Server Management
04-Authentication-Set Password for user
05-Authentication-Authentication in IIS setup
I spent 4 hours trying to set this up (to use domain role) :). Final solution was to use domain name in the role too:
`<system.web>
<authorization>
<allow roles="DOMAINNAME\rolename" />
<deny users="*" />
</authorization>
</system.web>`
Could you change your code as below
<deny users="*" />
<allow users="myusername" />