tags:

views:

59

answers:

1
Q: 

IIS ignores authorization in web.config

I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.

Why will it not work in IIS? And how to solve it?

    <system.web>
           <identity impersonate="true" />
           <authentication mode="Windows" />
           <authorization>
                <deny users="*"/>
           </authorization>       
    </system.web>
+1  A: 

Without seeing the web.config it sounds like you haven't configured IIS. When you use Windows authentication what ASP.NET is expecting is for the web server to do the authentication - so you must configure it to do so, simply putting it in web.config is not enough.

For IIS6:

  1. In IIS Manager, double-click the local computer; right-click the Web Sites folder, an individual Web site folder, a virtual directory, or a file; and then click Properties.
  2. Click the Directory Security or File Security tab, and then, in the Authentication and access control section, click Edit.
  3. In the Authenticated access section, select the Windows Integrated Authentication check box.
  4. Click OK twice.

For IIS7:

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
  2. In Features View, double-click Authentication.
  3. On the Authentication page, select Windows Authentication.
  4. In the Actions pane, click Enable to use Windows authentication.
blowdart  2010-09-02 05:54:31
I have enable Windows Authentication in IIS.
Daniel  2010-09-02 06:00:56
You also need to disable anonymous authentication (in same place in IIS6, presume it's similar in IIS7), otherwise IIS will still not authenticate you.
Damien_The_Unbeliever  2010-09-02 06:08:46
I have done that to.
Daniel  2010-09-02 06:11:48

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps