7
votes

I am trying to secure an application in IIS7 using .NET Authorization Rules.

By default, the web server allows all users access (which is inherited).

I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="myusername" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAIN\myusername.

However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username and password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)

Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.

Below is the message I see (even when connecting from the server using localhost):

**Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**

4
Also, it appears that this approach is an IIS6 approach for ASP.NET. IIS7 Authorization is a little bit different. For that one I have <system.webServer><security><authorization><add ... /> based rules, but these seem to do nothing. I added one of <add accessType="Deny" users="*" /> and it doesn't seem to deny anything. This is IIS 7.5 by the way. Strangely, the .NET Authorization Rules icon is under ASP.NET and seems to follow the IIS6 approach. Maybe IIS7 Authorization is not configured or installed? - enforge

It appears that IIS7 URL Authorization is not installed on my system. Instead, there is something else with the same name that is installed, which is the IIS 6 version that works differently. Bad, Naughty Microsoft! I will update with a full answer if this leads to a resolution. - enforge

4 Answers

10
votes

First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:

http://www.iis.net/ConfigReference/system.webServer/security/authorization

The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".

Another note worth mentioning, if you put the following config in place:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="unknownname" />
        <add accessType="Allow" users="knownname" />
      </authorization>
    </security>
  </system.webServer>
</configuration>

This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.

Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
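An added PowerShell check for the two points above (the module must actually be installed, and the inherited `*` entry is removed rather than denied); this is not code from the original answer. It assumes the application lives at `Default Web Site/SecureApp` and that `MYDOMAIN\myusername` (the form REMOTE_USER reports in the question) is the account to allow.

```powershell
# Added example, not from the original answer. Assumed values: the app path
# "Default Web Site/SecureApp" and the account "MYDOMAIN\myusername".
Import-Module ServerManager
Import-Module WebAdministration

$site = 'Default Web Site'
$app  = 'SecureApp'
$path = "IIS:\Sites\$site\$app"

# 1. Is the native IIS7 URL Authorization feature installed and its module
#    registered? If not, rules under system.webServer/security/authorization
#    are silently ignored and only the ASP.NET (IIS6-style)
#    system.web/authorization rules are evaluated.
Get-WindowsFeature Web-Url-Auth | Select-Object Name, Installed
Get-WebGlobalModule -Name UrlAuthorizationModule

# 2. Windows Authentication must be enabled for this app, otherwise there is
#    no identity to match a named rule against.
Get-WebConfigurationProperty -PSPath $path `
    -Filter 'system.webServer/security/authorization/../authentication/windowsAuthentication' `
    -Name enabled

# 3. Show the effective rule set for the app, including the inherited "Allow *".
Get-WebConfiguration -PSPath $path `
    -Filter 'system.webServer/security/authorization/*' |
    Select-Object accessType, users, roles, verbs

# 4. Apply the pattern from the answer: remove the inherited "*" entry instead
#    of adding "Deny *", then allow only the intended account. Everyone else
#    is denied by default.
Remove-WebConfigurationProperty -PSPath $path `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $path `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -Value @{ accessType = 'Allow'; users = 'MYDOMAIN\myusername' }

# Re-read step 3 afterwards: the only rule left for the app should be the
# single Allow entry, with no Deny rule naming an account that does not exist.
```

Rerunning the step 3 listing after the change confirms that no `Deny` rule naming an unknown account has crept in, which is the other cause of everyone being denied that the answer describes.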

0
votes

Could you change your code as below?

<deny users="*" />
<allow users="myusername" />

0
votes

I spent 4 hours trying to set this up (to use domain role) :). Final solution was to use domain name in the role too:

<system.web>
   <authorization>
     <allow roles="DOMAINNAME\rolename" />
     <deny users="*" />
   </authorization>
</system.web>