IIS 7.5/ASP.NET - Anonymous access to everything except one directory - how?
We're in the process of upgrading from IIS 6 and .NET 3.5 to IIS 7.5 (Windows Server 2008 R2 Enterprise) with the same application. I'm having trouble getting our previous IIS 6 setup to work correctly.
Under IIS 6, I could set the website itself to use a specific domain user (e.g. ourdomain\webuser) for IIS itself. This controlled initial access to all files, including HTML,开发者_StackOverflow images, etc. and formed the initial request that went to an ASP.NET page wherein then the .NET engine took over and the user running .NET was another domain user (e.g. ourdomain\dotnetuser). We would then yank all NTFS permissions from one folder (e.g. /lockdown/) for the IIS user, ourdomain\webuser. Anytime someone tried to access a file in that directory, IIS said "No access, kick into Windows authentication access" and prompt them for credentials. This still caused any underlying .NET code to run as ourdomain\dotnetuser.
I'm having trouble getting this same setup to work under IIS 7.5 and am sure that it's just some dumb oversight thing. It...wants to work but doesn't completely. Here's what I've done:
The application pool for the site is set to .NET Framework v2.0.50727 with "Integrated" selected as the managed pipeline mode option. Then the identity is set to ourdomain\dotnetuser so that the pool runs as that specific user.
The website is setup to IIS > Authentication to connect as "ourdomain\webuser" and all seems to be well. The trouble is when I go to this special /lockdown/ directory. I tried to set it up exactly the same way as IIS 6 (by simply removing access to that folder from ourdomain\webuser). When I do this, I do get the standard prompt for access, but after providing my credentials, I still get:
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\ourwebsite\lockdown\default.aspx'.
My account is in the local administrators group on this machine (plus I'm a domain admin here) and the Administrators group has been given full access to this folder. I see the following as an "Information" event in the Application Event Viewer:
Event code: 4008 Event message: File authorization failed for the request. Event time: 8/1/2010 8:45:18 AM Event time (UTC): 8/1/2010 12:45:18 PM Event ID: 0f8a5de692e74e67bb4e3c65a867586c Event sequence: 32 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/1/ROOT-1-129251371048714102 Trust level: Full Application Virtual Path: / Application Path: C:\ourwebsite\ Machine name: TESTWEB3 Process information: Process ID: 3008 Process name: w3wp.exe Account name: ourdomain\dotnetuser Request information: Request URL: http://localhost/lockdown/default.aspx Request path: /lockdown/default.aspx User host address: ::1 User: ourdomain\myuser Is authenticated: True Authentication Type: Negotiate Thread account name: ourdomain\dotnetuser
Any suggestions or ideas here?
You could use Authorization rules for that, just create a web.config inside the directory you want to protect with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</configuration>
This will prevent the access to anonymous users and only allow users from the Admnistrators group. you can use Roles or users for this.
On Windows Server 2008 R2 with IIS 7.5 you need to execute Windows Explorer run as Administrator by right clicking it to get admin privileges to modify anything in that folder. Add the application pool identity to the ACL of the c:\inetpub\wwwroot... folder with read and execute permissions.
精彩评论