Configuring subdirectory authentication mode in applications hosted under root site

18
votes

On my local machine, I work on multiple web sites and run them under IIS under a "Default" web site. That way I can access the sites through this type of URL: http://localhost/App1/. Here's the structure:

LocalDev (site)
    App1 (application)
    App2 (application)
    App3 (application)

The problem I'm encountering is that in App1, I'm trying to enable Windows authentication on a subdirectory of App1, like this:

<configuration>
  <location path="internal">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Unfortunately, when I then try to access http://localhost/App1/internal/url.aspx, I get this error:

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

App1 is set up as an application, not a virtual directory. I've tried changing my machine.config to allow changing the authentication section anywhere:

<configuration>
  <configSections>
    <sectionGroup name="system.web" type="System.Web.Configuration.SystemWebSectionGroup, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
      <section name="authentication" type="System.Web.Configuration.AuthenticationSection, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowDefinition="Everywhere"/>
    </sectionGroup>
  </configSections>
</configuration>

What do I have to do to allow my sites to set their own authentication modes?

5
asp.netiisweb-config

5 Answers

19
votes

You need to enable Windows authentication at the application level in the Web.config, then further define authorization at the folder level, allowing all users at the root and denying all unauthenticated for the internal folder.

In IIS, make sure both Anonymous Authentication and Windows Authentication are enabled for the application. Then, modify your Web.config as follows:

<configuration>
  <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <allow users="*"/>
      </authorization>
  </system.web>
  <location path="internal" allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
2
votes

You can't change the Authentication mode within a subdirectory. Only WebApplications can define this setting which applies to the entire application. A location element is only used in subdirectories to change authorization, not authentication settings.

You need to create the subdirectories as Web applications in IIS.

If you are saying the child subdirectory is in fact already a web application in IIS (the error suggests this is not the case), then you need to disable inheritance. This has nothing to do with whether you have a web.config in the root. If not it just means it's using the default machine config settings.

You can disable inheritance by adding a web.config in the root, with the following element wrapping your system.web.

<location path="." inheritInChildApplications="false">
   <system.Web>
       ...
   </system.Web>
</location>
0
votes

I've encountered this error in one of two scenarios, both of which were due to the applications being sub-directories of the overall "Default" application:

Sub-Directories also need to be a working Application

You've already noted that the directory is flagged as an application, however for completeness you can double check that the application is also working, is able to execute scripts and has permission to the files in it's directories.

Nested web.config files

This is the problem that I think you're actually experiencing:

Ensure that your hierarchy of web.config files, including any in the "Default" application above your development applications, are not interfering with each other. Remember that as a sub-directory of "Default" your application may still be affected by settings in the "Default" application above it.

0
votes

I see this problem once in a while and it's always been that the server isn't recognizing it as a configured web. What you could try if possible is remove the application and then convert each sub-directory back to it's own application.

This has always fixed it for me. Double and triple check that the sub directories are set as applications.

Also to avoid other problems, since you're setting Windows authentication check the NTLM vs Kerberos settings. Usually this is a different error message or just won't authenticate properly, but if this is an internet environment instead of an intranet environment you'll most likely need to disable Kerberos.

Also make sure you've checked that Windows Authentication is enabled. http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx

You can enable and disable Kerberos under the Advanced Settings within Windows Authentication.

0
votes

You can solve this by running the apps as Virtual Directories, they will then get separated processes in the application pool or you can have one for each app, still you directories etc will still be accessed the same way.

Read more here: http://learn.iis.net/page.aspx/150/understanding-sites-applications-and-virtual-directories-on-iis-7/

I think you will need a web.config file in the root directory even if its more or less empty and set the allowSubDirConfig to true.