2

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.

Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."

In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).

Is there any way to secure the new section of the site while at the same time utilize the already existing resources?

2
  • What form of authentication are you using? Forms, Windows? Or is this just Basic or Windows Integrated Authentication from IIS? Commented Feb 3, 2009 at 21:28
  • We're using forms authentication. Commented Feb 3, 2009 at 22:32

3 Answers

6

In your web.config file in the root of your site, if you add:

    <location path="relativePathToDir">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>

This is working for me using FormsAuthentication; the user gets redirected to the default login page if not authenticated.


6 Comments

Even though this wasn't the exact answer we were looking for it gave us some very helpful hints to the fact that the authentication settings shouldn't be included in the location section. Thanks for the help.
What was your final solution?
Basically all we did was move the authentication settings for the secure directory outside of the location section. We had assumed that the authorization and authentication settings were to be applied to the secure directory only.
What would you do if you had a site that used Forms Authentication but you needed a Virtual Directory to only have Anonymous Authentication enabled? Is this possible?
@lhan16 without looking into it I would assume it is possible. If it's just a virtual directory, it should work the same as above I believe. If it's an application it might be different. But again this is just my gut instinct
4

I typed up a summary since many were facing the same situation regarding subfolder authentication.

Subfolder Authorization

  1. ASP.NET can only have a single authentication mode for one application.
  2. The different applications CANNOT share resources among them.

Scenario

Let's say the home page should not prompt a login dialog. It should let users pass through without whatever login is. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default IE treats all web sites with only a hostname as Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.

The only way to not prompt the login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in the Location element in web.config.

1. In IIS, configure Authentication as follows:

  • Enable Anonymous Authentication
  • Enable Windows Authentication

2. Add the following to Web.config:

<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>

<!-- "secured" is the relative subfolder name. Deny anonymous users, so only an authenticated login will pass through. -->
<location path="secured" allowOverride="true">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>


1

Remove the application, then add this to the top-level web.config:

<configuration>
    <system.web>
        <!-- applies application wide -->
    </system.web>

    <location path="securedirectory" allowOverride="false">
        <system.web>
            <!-- applies only to the path specified -->
        </system.web>
    </location>

</configuration>

MSDN Reference
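
An added example, not part of any answer above: a small Python check for a root web.config that flags application-level sections such as `<authentication>` placed inside a `<location>` for a subdirectory (the cause of the MachineToApplication parser error in the question) and confirms that the secured path denies anonymous users. The path `secure`, the login URL and both sample configs are constructed, and the section list is partial.

```python
import xml.etree.ElementTree as ET

# Sections registered allowDefinition="MachineToApplication"; a partial list.
APP_LEVEL_ONLY = {"authentication", "sessionState", "machineKey"}

def denies_anonymous(authz):
    """First matching rule wins, as in ASP.NET URL authorization."""
    if authz is None:
        return False
    for rule in authz:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"?", "*"}:
            return rule.tag == "deny"
    return False  # no rule matched here; inherited rules decide (not modelled)

def lint_web_config(xml_text, secure_path):
    """Return findings for a root web.config that should protect secure_path."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("system.web/authentication") is None:
        findings.append("no application-level <authentication>")
    protected = False
    for loc in root.findall("location"):
        path, sw = loc.get("path", ""), loc.find("system.web")
        if sw is None:
            continue
        if path not in ("", "."):  # simplification: any other path is a subdirectory
            findings += [f"<{c.tag}> not allowed in <location path='{path}'>"
                         for c in sw if c.tag in APP_LEVEL_ONLY]
        if path == secure_path and denies_anonymous(sw.find("authorization")):
            protected = True
    if not protected:
        findings.append(f"anonymous users are not denied on '{secure_path}'")
    return findings

# Constructed samples; "secure" and ~/Login.aspx are placeholder names.
BROKEN = """<configuration><location path="secure"><system.web>
  <authentication mode="Forms"><forms loginUrl="~/Login.aspx"/></authentication>
  <authorization><deny users="?"/></authorization>
</system.web></location></configuration>"""

FIXED = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Login.aspx"/></authentication>
  </system.web>
  <location path="secure"><system.web>
    <authorization><deny users="?"/></authorization>
  </system.web></location>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_web_config(cfg, "secure"))
```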
