Can't get stupid Authentication to work!!

[Amil]

I must be missing something very simple. I've had a web site running for a
long time (anonymous access).
Web.config authentication is original (anyone gets in):

<authentication mode="Windows" />
<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>

Now I added a html subdirectory that I want to only allow certain windows
users into, call it Foo.
I created a Web.config in subdirectory Foo and added:

<authentication mode="Windows" />
<authorization>
<allow users="SpecialUser" /> <!-- Allow all users -->
<deny users="?" />
</authorization>

Still, anyone can access html files in Foo? How do I restrict access to
content in Foo??


Amil

 

[Jim Cheshire [MSFT]]

Amil,

Unless the Foo directory is also an application root, you should be getting
an error message when doing this because you are trying to set the
authentication mode below the application root. The <authentication>
section has an allowDefinition attribute of MachineToApplication which
means that you can only set it at the machine level or at the application
root level.

If I were you, I would use a location tag instead. In other words, I would
change your web.config in the root directory as shown below. Bear in mind
that there are many other entries I didn't put here. I'm just trying to
give you the idea of what you need to do:

<system.web>

<authentication mode="Windows" />

<authorization>
<allow users="*" />
</authorization>

</system.web>

<location path="Foo">
<system.web>
<authorization>
<deny users="*" />
<allow users="SpecialUser" />
</authorization>
</system.web>
</location>

Note that I have added a <deny> tag that denies all users to the Foo
directory and then I've explicitly given the SpecialUser access. In the
code you posted, users who are not authenticated will not be let in, but
all other users will be, SpecialUser or not.

Hope that helps.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

 

[Amil]

I tried this exactly using location. When I put the deny="*" (either before
or after the
allow tag) I can't log in even using a good username and password.

Amil

Amil,

Unless the Foo directory is also an application root, you should be getting
an error message when doing this because you are trying to set the
authentication mode below the application root. The <authentication>
section has an allowDefinition attribute of MachineToApplication which
means that you can only set it at the machine level or at the application
root level.

If I were you, I would use a location tag instead. In other words, I would
change your web.config in the root directory as shown below. Bear in mind
that there are many other entries I didn't put here. I'm just trying to
give you the idea of what you need to do:

<system.web>

<authentication mode="Windows" />

<authorization>
<allow users="*" />
</authorization>

</system.web>

<location path="Foo">
<system.web>
<authorization>
<deny users="*" />
<allow users="SpecialUser" />
</authorization>
</system.web>
</location>

Note that I have added a <deny> tag that denies all users to the Foo
directory and then I've explicitly given the SpecialUser access. In the
code you posted, users who are not authenticated will not be let in, but
all other users will be, SpecialUser or not.

Hope that helps.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Amil" <[email protected]>
Subject: Can't get stupid Authentication to work!!
Date: Tue, 9 Dec 2003 22:08:28 -0700
Lines: 26
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 65.121.130.118
Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.

phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:195453
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I must be missing something very simple. I've had a web site running for a
long time (anonymous access).
Web.config authentication is original (anyone gets in):

<authentication mode="Windows" />
<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>

Now I added a html subdirectory that I want to only allow certain windows
users into, call it Foo.
I created a Web.config in subdirectory Foo and added:

<authentication mode="Windows" />
<authorization>
<allow users="SpecialUser" /> <!-- Allow all users -->
<deny users="?" />
</authorization>

Still, anyone can access html files in Foo? How do I restrict access to
content in Foo??


Amil

 

[Jim Cheshire [MSFT]]

Amil,

In the example you gave, you should be specifying the user with a
domain/username, or if a local account, machine/username. For example:

<allow users="DOMAIN\SpecialUser" />

Make the domain name or machine name all upper-case. The username case
doesn't matter.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Amil" <[email protected]>
References: <#[email protected]>

Subject: Re: Can't get stupid Authentication to work!!
Date: Wed, 10 Dec 2003 10:50:44 -0700
Lines: 108
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 12.46.90.2
Path: cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:195592
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I tried this exactly using location. When I put the deny="*" (either before
or after the
allow tag) I can't log in even using a good username and password.

Amil

Amil,

Unless the Foo directory is also an application root, you should be getting
an error message when doing this because you are trying to set the
authentication mode below the application root. The <authentication>
section has an allowDefinition attribute of MachineToApplication which
means that you can only set it at the machine level or at the application
root level.

If I were you, I would use a location tag instead. In other words, I would
change your web.config in the root directory as shown below. Bear in mind
that there are many other entries I didn't put here. I'm just trying to
give you the idea of what you need to do:

<system.web>

<authentication mode="Windows" />

<authorization>
<allow users="*" />
</authorization>

</system.web>

<location path="Foo">
<system.web>
<authorization>
<deny users="*" />
<allow users="SpecialUser" />
</authorization>
</system.web>
</location>

Note that I have added a <deny> tag that denies all users to the Foo
directory and then I've explicitly given the SpecialUser access. In the
code you posted, users who are not authenticated will not be let in, but
all other users will be, SpecialUser or not.

Hope that helps.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Amil" <[email protected]>
Subject: Can't get stupid Authentication to work!!
Date: Tue, 9 Dec 2003 22:08:28 -0700
Lines: 26
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 65.121.130.118
Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11