Environment: IIS 6.0, ASP.NET 3.5

I have the need to secure just one file with Windows authentication and just want to ensure that I understand my options correctly.

  1. Through IIS turn off anonymous access for the file I want to secure, and make sure Integrated Windows Security is checked
  2. Put the file in its own directory and drop a web.config file in there that has the authorization configuration set up for that directory to require Windows authentication

Is there a way to set up the web config to control access to a single file? Will any of the security attributes help me here to lock down the single file?

Thanks in advance, Kevin

A: 

If you want the web.config to apply then you need to ensure that the directory in which it is placed is an IIS virtual directory. That ought to do the trick as the web.config's security restrictions will govern all files in that directory.

Andrew Hare
A: 

This should be possible using the <location> tag.

http://support.microsoft.com/kb/316871

I know in the past I have done the opposite and used it to enable access to a single resource and denied all others to unauthenticated users. Should work the same in reverse.

Bryan
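
The `<location>` approach mentioned in the answer above, as an added example that is not part of the original answers. The file path `Reports/Payroll.aspx` and the group `EXAMPLE\PayrollAdmins` are hypothetical placeholders, and the example assumes the whole application runs with Windows authentication:

```xml
<?xml version="1.0"?>
<!-- Root web.config of the application (added example, names are hypothetical). -->
<configuration>
  <system.web>
    <!-- Assumption: the application as a whole uses Windows authentication. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Default for the rest of the site: everyone, anonymous included. -->
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- path is relative to this web.config; the rules below apply to this one file only. -->
  <location path="Reports/Payroll.aspx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins. -->
        <!-- "?" is the anonymous user: denying it requires an authenticated identity. -->
        <deny users="?" />
        <!-- Optional tightening: only members of one Windows group get through. -->
        <allow roles="EXAMPLE\PayrollAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6.0, ASP.NET authorization rules only cover requests that are handled by the ASP.NET ISAPI extension, so this protects an `.aspx` or `.asmx` file but not a static file such as a `.pdf` unless that extension is mapped to ASP.NET. For static content, the IIS setting and NTFS permissions from option 1 in the question are what enforce access.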
+1  A: 

> Put the file in its own directory and drop a web.config file in there that has the authorization configuration set up for that directory to require Windows authentication

You can't mix authentication providers for a single app. So, e.g., you can't have Forms Authentication for ~/ and Windows Authentication for ~/Secure. You may be able to get around it by making ~/Secure another app in IIS - but that greatly complicates deployment and testing IMO.

I've run into this problem while trying to secure ASMX services with basic authentication from a domain, but being in the same app as Forms Authenticated pages. I ended up hacking in a basic auth challenge in the ASMX service itself to prompt for credentials.

Mark Brackett