views:

169

answers:

2

Hi,

Is it possible to disable Windows authentication on one or more subfolders of an ASP.NET application using Windows authentication?

For example:

A website contains several other folders that contain parts of the overall application: /frontend, /backend, /login

The bin folder is on the same level as these subfolders, i.e. the root of the website.

All of these subfolders contain pages that use binaries that reside in the bin folder of the root of the website.

The user must input Windows credentials when visiting a page in the backend folder, but not when visiting a page in the login or frontend folder.

I'm using IIS7.

Any ideas?

+3  A: 

NTLM authentication is usually configured in IIS, so you could switch back to anonymous authentication for those folders.

Darin Dimitrov
Disabling Windows authentication and enabling anonymous access doesn't seem to do the trick. Am I missing something?
Bert Vandamme
A: 

Found a solution:

  • Adjusted the applicationHost.config file and changed the "overrideModeDefault" to "Allow" for the anonymousAuthentication and windowsAuthentication section entries

       <section name="anonymousAuthentication" overrideModeDefault="Allow" />
       <section name="windowsAuthentication" overrideModeDefault="Allow" />
    
  • Added location tags in the web.config for every folder / file that needed to be excluded from Windows authentication

       <location path="pathToDirOrFile">
         <system.webServer>
           <security>
             <authentication>
               <anonymousAuthentication enabled="true" />
               <windowsAuthentication enabled="false" />
             </authentication>
           </security>
         </system.webServer>
       </location>
    
  • Made sure each one of those folders contained a separate web.config file that disables identity impersonation

       <configuration>
         <system.web>
           <identity impersonate="false" />
         </system.web>
       </configuration>
    
Bert Vandamme
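
A check that the location overrides described in the answer above open up only the intended folders, added here as an example and not part of the original answer. The web.config content is constructed for illustration, the folder names come from the question, and the script reads a single web.config only (it does not model applicationHost.config, nested web.config files, or inheritance between location tags).

```python
import xml.etree.ElementTree as ET

AUTH = "system.webServer/security/authentication"
LOC = '<location path="%s"><system.webServer><security><authentication>%s' \
      '</authentication></security></system.webServer></location>'
OPEN = '<anonymousAuthentication enabled="true" /><windowsAuthentication enabled="false" />'

# Constructed sample: site-wide Windows auth, plus four <location> overrides.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
  %s
</configuration>""" % "\n  ".join([
    LOC % ("frontend", OPEN),
    LOC % ("login", OPEN),
    LOC % ("backend/export.aspx", OPEN),   # constructed mistake to detect
    LOC % ("backend/admin", '<windowsAuthentication enabled="true" />'),
])

def auth_flags(scope, inherited=(None, None)):
    """(anonymous, windows) for a scope; unset values fall back to `inherited`."""
    flags = list(inherited)
    auth = scope.find(AUTH)
    if auth is not None:
        for i, name in enumerate(("anonymousAuthentication", "windowsAuthentication")):
            el = auth.find(name)
            if el is not None and el.get("enabled") is not None:
                flags[i] = el.get("enabled").strip().lower() == "true"
    return tuple(flags)

def effective_auth(xml_text):
    """Map each <location path> to its effective (anonymous, windows) flags."""
    root = ET.fromstring(xml_text)
    site = auth_flags(root)              # site-wide defaults from this file
    return {loc.get("path", "").strip("/").lower(): auth_flags(loc, site)
            for loc in root.findall("location")}

def unexpected_anonymous(xml_text, allowed):
    """Paths that allow anonymous access but are not inside an allowed folder."""
    def covered(path):
        return any(path == a or path.startswith(a + "/") for a in allowed)
    return sorted(p for p, (anon, _) in effective_auth(xml_text).items()
                  if anon and not covered(p))

if __name__ == "__main__":
    for path in unexpected_anonymous(SAMPLE, {"frontend", "login"}):
        print("anonymous access outside allowed folders:", path)
```
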