Configuring Windows-based Authentication and UrlAuthorization

Discussion in 'ASP .Net Security' started by MCM, Aug 29, 2009.

  1. MCM

    MCM Guest

    I have a web application that is partially public and partially intranet. I
    need help configuring the security.

    All the public urls are located in the root directory. The intranet urls are
    located in a subdirectory called Admin. In IIS, I have 2 bindings configured
    - one with a public DNS name and one with the internal server name so IE will
    recognize the site as part of the intranet. These are the sections in my
    web.config as I have them now:

    <system.web>
    <httpModules>
    <remove name="FormsAuthentication" />
    <remove name="PassportAuthentication" />
    <remove name="AnonymousIdentification" />
    <remove name="FileAuthorization" />
    <remove name="OutputCache" />
    <remove name="RoleManager" />
    <remove name="Profile" />
    <remove name="ServiceModel" />
    <remove name="ErrorHandlerModule" />
    <add name="ScriptModule"
    type="System.Web.Handlers.ScriptModule,
    System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
    PublicKeyToken=31BF3856AD364E35" />
    </httpModules>
    <authentication mode="Windows" />
    </system.web>

    <location path="Admin">
    <system.web>
    <authorization>
    <allow roles="DOMAIN\Administrators" />
    <deny users="*" />
    </authorization>
    </system.web>
    </location>

    The public portion of the application loads fine. The intranet portion is
    giving me access errors. I'm sure I have it configured wrong.
    MCM, Aug 29, 2009
    #1
    1. Advertising

  2. On Aug 29, 8:01 am, MCM <> wrote:
    > I have a web application that is partially public and partially intranet.I
    > need help configuring the security.
    >
    > All the public urls are located in the root directory. The intranet urls are
    > located in a subdirectory called Admin. In IIS, I have 2 bindings configured
    > - one with a public DNS name and one with the internal server name so IE will
    > recognize the site as part of the intranet. These are the sections in my
    > web.config as I have them now:
    >
    >     <system.web>
    >         <httpModules>
    >             <remove name="FormsAuthentication" />
    >             <remove name="PassportAuthentication" />
    >             <remove name="AnonymousIdentification" />
    >             <remove name="FileAuthorization" />
    >             <remove name="OutputCache" />
    >             <remove name="RoleManager" />
    >             <remove name="Profile" />
    >             <remove name="ServiceModel" />
    >             <remove name="ErrorHandlerModule" />
    >             <add name="ScriptModule"
    >                  type="System.Web.Handlers.ScriptModule,
    > System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
    > PublicKeyToken=31BF3856AD364E35" />
    >         </httpModules>
    >         <authentication mode="Windows" />
    >     </system.web>
    >
    >     <location path="Admin">
    >         <system.web>
    >             <authorization>
    >                 <allow roles="DOMAIN\Administrators" />
    >                 <deny users="*" />
    >             </authorization>
    >         </system.web>
    >     </location>
    >
    > The public portion of the application loads fine. The intranet portion is
    > giving me access errors. I'm sure I have it configured wrong.


    1) Try change the location path to "~/admin"
    2) Check if Windows authentication is enabled (if IIS really receives
    your membership)
    Alexey Smirnov, Aug 30, 2009
    #2
    1. Advertising

  3. MCM

    MCM Guest

    > 1) Try change the location path to "~/admin"

    That didn't work. It just let's all users have access if I change it to
    that. When it is set to "Admin", it does respond correctly by requiring
    permission for the appropriate directory. But even authorized users are
    getting prompted for credentials. And even admin credentials are being
    rejected with "401 - Unauthorized: Access is denied due to invalid
    credentials."

    > 2) Check if Windows authentication is enabled (if IIS really receives
    > your membership)


    It is.
    MCM, Aug 30, 2009
    #3
  4. Hi MCM,

    This is Thomas Sun from MSDN managed newsgroup. I will assist you with this
    case.

    From your description, I understand that you use Windows Authentication to
    authenticate your ASP.NET web application which contains two parts: public
    part and private part. For the private part named "Admin" is using
    <location> settings to restrict only Administrators role can be allowed to
    access. If I have misunderstood you, please feel free to let me know.

    Firstly, we need to make sure the identity that requests your website is in
    the Administrators role that you specify in <allow> section of <location>
    settings. For test, we can present the identity name in page by following
    code:
    ===============================
    Response.Write(User.Identity.Name);
    ===============================

    Besides, we also can specify a domain user in <location> settings and then
    request your website with that identity to see whether it works. For
    example:
    ===============================
    <location path="Admin">
    <system.web>
    <authorization>
    <allow users="YourDomain\OneUserName"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>
    ===============================

    I look forward to receiving your test results.


    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.

    With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
    to the limited number of phone-based technical support incidents. Complex
    issues or server-down situations are not recommended for the newsgroups.
    Issues of this nature are best handled working with a Microsoft Support
    Engineer using one of your phone-based incidents.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------

    >
    >> 1) Try change the location path to "~/admin"

    >
    >That didn't work. It just let's all users have access if I change it to
    >that. When it is set to "Admin", it does respond correctly by requiring
    >permission for the appropriate directory. But even authorized users are
    >getting prompted for credentials. And even admin credentials are being
    >rejected with "401 - Unauthorized: Access is denied due to invalid
    >credentials."
    >
    >> 2) Check if Windows authentication is enabled (if IIS really receives
    >> your membership)

    >
    >It is.
    >
    Thomas Sun [MSFT], Aug 31, 2009
    #4
  5. MCM

    MCM Guest

    Hi Thomas-

    > Firstly, we need to make sure the identity that requests your website is in
    > the Administrators role that you specify in <allow> section of <location>
    > settings. For test, we can present the identity name in page by following
    > code:
    > ===============================
    > Response.Write(User.Identity.Name);
    > ===============================


    No name is displaying at all. This value is blank. Could this be a browser
    setting?


    > Besides, we also can specify a domain user in <location> settings and then
    > request your website with that identity to see whether it works. For
    > example:
    > ===============================
    > <location path="Admin">
    > <system.web>
    > <authorization>
    > <allow users="YourDomain\OneUserName"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    > ===============================


    This also does not let me have access. But I presume that until we fix the
    blank username problem, we won't get anywhere.

    -Max
    MCM, Aug 31, 2009
    #5
  6. Hi MCM,

    Thanks for your response.

    Please make sure we only enable Integrated Windows Authentication and
    disable Anonymous access option on IIS. When anonymous access is enabled,
    no authenticated user credentials are required to access the site. For more
    information, see http://support.microsoft.com/kb/324274


    I look forward to receiving your test results.


    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support

    >
    >Hi Thomas-
    >
    >> Firstly, we need to make sure the identity that requests your website is

    in
    >> the Administrators role that you specify in <allow> section of

    <location>
    >> settings. For test, we can present the identity name in page by

    following
    >> code:
    >> ===============================
    >> Response.Write(User.Identity.Name);
    >> ===============================

    >
    >No name is displaying at all. This value is blank. Could this be a browser
    >setting?
    >
    >
    >> Besides, we also can specify a domain user in <location> settings and

    then
    >> request your website with that identity to see whether it works. For
    >> example:
    >> ===============================
    >> <location path="Admin">
    >> <system.web>
    >> <authorization>
    >> <allow users="YourDomain\OneUserName"/>
    >> <deny users="*"/>
    >> </authorization>
    >> </system.web>
    >> </location>
    >> ===============================

    >
    >This also does not let me have access. But I presume that until we fix the
    >blank username problem, we won't get anywhere.
    >
    >-Max
    >
    Thomas Sun [MSFT], Aug 31, 2009
    #6
  7. On Aug 30, 5:12 pm, MCM <> wrote:
    > > 1) Try change the location path to "~/admin"

    >
    > That didn't work. It just let's all users have access if I change it to
    > that. When it is set to "Admin", it does respond correctly by requiring
    > permission for the appropriate directory. But even authorized users are
    > getting prompted for credentials. And even admin credentials are being
    > rejected with "401 - Unauthorized: Access is denied due to invalid
    > credentials."
    >
    > > 2) Check if Windows authentication is enabled (if IIS really receives
    > > your membership)

    >
    > It is.


    hm...

    What happens if you delete location path from main web.config file and
    move that configuration in to Admin folder? You should put there

    <?xml version="1.0"?>
    <configuration>
    <system.web>
    <authorization>
    <allow roles="DOMAIN\Administrators" />
    <deny users="*"/>
    </authorization>
    </system.web>
    </configuration>
    Alexey Smirnov, Aug 31, 2009
    #7
  8. On Aug 31, 4:36 pm, MCM <> wrote:
    > Is it possible to disable anonymous access just for the Admin folder? I'd
    > like to allow it for the public section.
    >
    >
    >
    > "Thomas Sun [MSFT]" wrote:
    > > Hi MCM,

    >
    > > Thanks for your response.

    >
    > > Please make sure we only enable Integrated Windows Authentication and
    > > disable Anonymous access option on IIS. When anonymous access is enabled,
    > > no authenticated user credentials are required to access the site. For more
    > > information, seehttp://support.microsoft.com/kb/324274

    >
    > > I look forward to receiving your test results.

    >
    > > --
    > > Best Regards,
    > > Thomas Sun

    >
    > > Microsoft Online Partner Support

    >
    > > >Hi Thomas-

    >
    > > >> Firstly, we need to make sure the identity that requests your website is

    > > in
    > > >> the Administrators role that you specify in <allow> section of

    > > <location>
    > > >> settings. For test, we can present  the identity name in page by

    > > following
    > > >> code:
    > > >> ===============================
    > > >> Response.Write(User.Identity.Name);
    > > >> ===============================

    >
    > > >No name is displaying at all. This value is blank. Could this be a browser
    > > >setting?

    >
    > > >> Besides, we also can specify a domain user in <location> settings and

    > > then
    > > >> request your website with that identity to see whether it works. For
    > > >> example:
    > > >> ===============================
    > > >>   <location path="Admin">
    > > >>           <system.web>
    > > >>                   <authorization>
    > > >>                           <allow users="YourDomain\OneUserName"/>
    > > >>                           <deny users="*"/>
    > > >>                   </authorization>
    > > >>           </system.web>
    > > >>   </location>
    > > >> ===============================

    >
    > > >This also does not let me have access. But I presume that until we fixthe
    > > >blank username problem, we won't get anywhere.

    >
    > > >-Max- Hide quoted text -

    >
    > - Show quoted text -


    Use <deny users="?"/> to disable anonymous users

    <deny users="*"/> blocks everyone
    Alexey Smirnov, Aug 31, 2009
    #8
  9. MCM

    MCM Guest

    I tried disabling Anonymous access, but there was no change.


    "Thomas Sun [MSFT]" wrote:

    > Hi MCM,
    >
    > Thanks for your response.
    >
    > Please make sure we only enable Integrated Windows Authentication and
    > disable Anonymous access option on IIS. When anonymous access is enabled,
    > no authenticated user credentials are required to access the site. For more
    > information, see http://support.microsoft.com/kb/324274
    >
    >
    > I look forward to receiving your test results.
    >
    >
    > --
    > Best Regards,
    > Thomas Sun
    >
    > Microsoft Online Partner Support
    >
    > >
    > >Hi Thomas-
    > >
    > >> Firstly, we need to make sure the identity that requests your website is

    > in
    > >> the Administrators role that you specify in <allow> section of

    > <location>
    > >> settings. For test, we can present the identity name in page by

    > following
    > >> code:
    > >> ===============================
    > >> Response.Write(User.Identity.Name);
    > >> ===============================

    > >
    > >No name is displaying at all. This value is blank. Could this be a browser
    > >setting?
    > >
    > >
    > >> Besides, we also can specify a domain user in <location> settings and

    > then
    > >> request your website with that identity to see whether it works. For
    > >> example:
    > >> ===============================
    > >> <location path="Admin">
    > >> <system.web>
    > >> <authorization>
    > >> <allow users="YourDomain\OneUserName"/>
    > >> <deny users="*"/>
    > >> </authorization>
    > >> </system.web>
    > >> </location>
    > >> ===============================

    > >
    > >This also does not let me have access. But I presume that until we fix the
    > >blank username problem, we won't get anywhere.
    > >
    > >-Max
    > >

    >
    >
    MCM, Aug 31, 2009
    #9
  10. On Aug 31, 11:29 pm, MCM <> wrote:
    > I tried disabling Anonymous access, but there was no change.
    >
    >
    >
    > "Thomas Sun [MSFT]" wrote:
    > > Hi MCM,

    >
    > > Thanks for your response.

    >
    > > Please make sure we only enable Integrated Windows Authentication and
    > > disable Anonymous access option on IIS. When anonymous access is enabled,
    > > no authenticated user credentials are required to access the site. For more
    > > information, seehttp://support.microsoft.com/kb/324274

    >
    > > I look forward to receiving your test results.

    >
    > > --
    > > Best Regards,
    > > Thomas Sun

    >
    > > Microsoft Online Partner Support

    >
    > > >Hi Thomas-

    >
    > > >> Firstly, we need to make sure the identity that requests your website is

    > > in
    > > >> the Administrators role that you specify in <allow> section of

    > > <location>
    > > >> settings. For test, we can present  the identity name in page by

    > > following
    > > >> code:
    > > >> ===============================
    > > >> Response.Write(User.Identity.Name);
    > > >> ===============================

    >
    > > >No name is displaying at all. This value is blank. Could this be a browser
    > > >setting?

    >
    > > >> Besides, we also can specify a domain user in <location> settings and

    > > then
    > > >> request your website with that identity to see whether it works. For
    > > >> example:
    > > >> ===============================
    > > >>   <location path="Admin">
    > > >>           <system.web>
    > > >>                   <authorization>
    > > >>                           <allow users="YourDomain\OneUserName"/>
    > > >>                           <deny users="*"/>
    > > >>                   </authorization>
    > > >>           </system.web>
    > > >>   </location>
    > > >> ===============================

    >
    > > >This also does not let me have access. But I presume that until we fixthe
    > > >blank username problem, we won't get anywhere.

    >
    > > >-Max- Hide quoted text -

    >
    > - Show quoted text -


    Well, I would try to setup clean web.config, get rid of

    <remove name="FormsAuthentication" />
    <remove name="PassportAuthentication" />
    <remove name="AnonymousIdentification" />
    <remove name="FileAuthorization" />
    <remove name="OutputCache" />
    <remove name="RoleManager" />
    <remove name="Profile" />
    <remove name="ServiceModel" />
    <remove name="ErrorHandlerModule" />

    (let's load all by default)

    enable trace

    and put just

    <deny users="?"/>

    and see what happens
    Alexey Smirnov, Aug 31, 2009
    #10
  11. MCM

    MCM Guest

    I have tried that as well.

    "Alexey Smirnov" wrote:

    > On Aug 31, 11:29 pm, MCM <> wrote:
    > > I tried disabling Anonymous access, but there was no change.
    > >
    > >
    > >
    > > "Thomas Sun [MSFT]" wrote:
    > > > Hi MCM,

    > >
    > > > Thanks for your response.

    > >
    > > > Please make sure we only enable Integrated Windows Authentication and
    > > > disable Anonymous access option on IIS. When anonymous access is enabled,
    > > > no authenticated user credentials are required to access the site. For more
    > > > information, seehttp://support.microsoft.com/kb/324274

    > >
    > > > I look forward to receiving your test results.

    > >
    > > > --
    > > > Best Regards,
    > > > Thomas Sun

    > >
    > > > Microsoft Online Partner Support

    > >
    > > > >Hi Thomas-

    > >
    > > > >> Firstly, we need to make sure the identity that requests your website is
    > > > in
    > > > >> the Administrators role that you specify in <allow> section of
    > > > <location>
    > > > >> settings. For test, we can present the identity name in page by
    > > > following
    > > > >> code:
    > > > >> ===============================
    > > > >> Response.Write(User.Identity.Name);
    > > > >> ===============================

    > >
    > > > >No name is displaying at all. This value is blank. Could this be a browser
    > > > >setting?

    > >
    > > > >> Besides, we also can specify a domain user in <location> settings and
    > > > then
    > > > >> request your website with that identity to see whether it works. For
    > > > >> example:
    > > > >> ===============================
    > > > >> <location path="Admin">
    > > > >> <system.web>
    > > > >> <authorization>
    > > > >> <allow users="YourDomain\OneUserName"/>
    > > > >> <deny users="*"/>
    > > > >> </authorization>
    > > > >> </system.web>
    > > > >> </location>
    > > > >> ===============================

    > >
    > > > >This also does not let me have access. But I presume that until we fix the
    > > > >blank username problem, we won't get anywhere.

    > >
    > > > >-Max- Hide quoted text -

    > >
    > > - Show quoted text -

    >
    > Well, I would try to setup clean web.config, get rid of
    >
    > <remove name="FormsAuthentication" />
    > <remove name="PassportAuthentication" />
    > <remove name="AnonymousIdentification" />
    > <remove name="FileAuthorization" />
    > <remove name="OutputCache" />
    > <remove name="RoleManager" />
    > <remove name="Profile" />
    > <remove name="ServiceModel" />
    > <remove name="ErrorHandlerModule" />
    >
    > (let's load all by default)
    >
    > enable trace
    >
    > and put just
    >
    > <deny users="?"/>
    >
    > and see what happens
    >
    MCM, Sep 1, 2009
    #11
  12. Hi MCM,

    Could you please tell me how you configure your website on IIS? Do you
    create Virtual Directory for the Admin folder? As I mentioned above, when
    we use Anonymous access, user credentials won't be sent. And one
    application just can have one authentication mode.

    If you want to enable Anonymous access for public part and use Integrated
    Windows Authentication for Admin part, I suggest you treat them as separate
    website. By doing so, we can configure them separately on IIS.

    For example, you can add web.config file with Windows Authentication and
    <authorization> section in Admin folder. On IIS, we can add new Application
    under your Public section and point its Physical path to the Admin folder.
    If we do so, the Admin is the child application of Public application. And
    then you can configure Admin application using Integrated Windows
    Authentication and configure Public application using Anonymous access on
    IIS.

    I look forward to receiving your test results.


    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support



    --------------------
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >Is it possible to disable anonymous access just for the Admin folder? I'd
    >like to allow it for the public section.
    >
    >
    >"Thomas Sun [MSFT]" wrote:
    >
    >> Hi MCM,
    >>
    >> Thanks for your response.
    >>
    >> Please make sure we only enable Integrated Windows Authentication and
    >> disable Anonymous access option on IIS. When anonymous access is

    enabled,
    >> no authenticated user credentials are required to access the site. For

    more
    >> information, see http://support.microsoft.com/kb/324274
    >>
    >>
    >> I look forward to receiving your test results.
    >>
    >>
    >> --
    >> Best Regards,
    >> Thomas Sun
    >>
    >> Microsoft Online Partner Support
    >>
    >> >
    >> >Hi Thomas-
    >> >
    >> >> Firstly, we need to make sure the identity that requests your website

    is
    >> in
    >> >> the Administrators role that you specify in <allow> section of

    >> <location>
    >> >> settings. For test, we can present the identity name in page by

    >> following
    >> >> code:
    >> >> ===============================
    >> >> Response.Write(User.Identity.Name);
    >> >> ===============================
    >> >
    >> >No name is displaying at all. This value is blank. Could this be a

    browser
    >> >setting?
    >> >
    >> >
    >> >> Besides, we also can specify a domain user in <location> settings and

    >> then
    >> >> request your website with that identity to see whether it works. For
    >> >> example:
    >> >> ===============================
    >> >> <location path="Admin">
    >> >> <system.web>
    >> >> <authorization>
    >> >> <allow users="YourDomain\OneUserName"/>
    >> >> <deny users="*"/>
    >> >> </authorization>
    >> >> </system.web>
    >> >> </location>
    >> >> ===============================
    >> >
    >> >This also does not let me have access. But I presume that until we fix

    the
    >> >blank username problem, we won't get anywhere.
    >> >
    >> >-Max
    >> >

    >>
    >>

    >
    Thomas Sun [MSFT], Sep 1, 2009
    #12
  13. MCM

    MCM Guest

    I'm happy to work with Virtual Directories as needed. But just to get this
    working at all, I tried to switch the whole site to Windows Authentication. I
    used the following in my web.config:

    <authentication mode="Windows"/>
    <authorization>
    <deny users="?" />
    </authorization>

    It is STILL giving me 401 access denied errors. Not sure what to try next.


    "Thomas Sun [MSFT]" wrote:

    > Hi MCM,
    >
    > Could you please tell me how you configure your website on IIS? Do you
    > create Virtual Directory for the Admin folder? As I mentioned above, when
    > we use Anonymous access, user credentials won't be sent. And one
    > application just can have one authentication mode.
    >
    > If you want to enable Anonymous access for public part and use Integrated
    > Windows Authentication for Admin part, I suggest you treat them as separate
    > website. By doing so, we can configure them separately on IIS.
    >
    > For example, you can add web.config file with Windows Authentication and
    > <authorization> section in Admin folder. On IIS, we can add new Application
    > under your Public section and point its Physical path to the Admin folder.
    > If we do so, the Admin is the child application of Public application. And
    > then you can configure Admin application using Integrated Windows
    > Authentication and configure Public application using Anonymous access on
    > IIS.
    >
    > I look forward to receiving your test results.
    >
    >
    > --
    > Best Regards,
    > Thomas Sun
    >
    > Microsoft Online Partner Support
    >
    >
    >
    > --------------------
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > >Is it possible to disable anonymous access just for the Admin folder? I'd
    > >like to allow it for the public section.
    > >
    > >
    > >"Thomas Sun [MSFT]" wrote:
    > >
    > >> Hi MCM,
    > >>
    > >> Thanks for your response.
    > >>
    > >> Please make sure we only enable Integrated Windows Authentication and
    > >> disable Anonymous access option on IIS. When anonymous access is

    > enabled,
    > >> no authenticated user credentials are required to access the site. For

    > more
    > >> information, see http://support.microsoft.com/kb/324274
    > >>
    > >>
    > >> I look forward to receiving your test results.
    > >>
    > >>
    > >> --
    > >> Best Regards,
    > >> Thomas Sun
    > >>
    > >> Microsoft Online Partner Support
    > >>
    > >> >
    > >> >Hi Thomas-
    > >> >
    > >> >> Firstly, we need to make sure the identity that requests your website

    > is
    > >> in
    > >> >> the Administrators role that you specify in <allow> section of
    > >> <location>
    > >> >> settings. For test, we can present the identity name in page by
    > >> following
    > >> >> code:
    > >> >> ===============================
    > >> >> Response.Write(User.Identity.Name);
    > >> >> ===============================
    > >> >
    > >> >No name is displaying at all. This value is blank. Could this be a

    > browser
    > >> >setting?
    > >> >
    > >> >
    > >> >> Besides, we also can specify a domain user in <location> settings and
    > >> then
    > >> >> request your website with that identity to see whether it works. For
    > >> >> example:
    > >> >> ===============================
    > >> >> <location path="Admin">
    > >> >> <system.web>
    > >> >> <authorization>
    > >> >> <allow users="YourDomain\OneUserName"/>
    > >> >> <deny users="*"/>
    > >> >> </authorization>
    > >> >> </system.web>
    > >> >> </location>
    > >> >> ===============================
    > >> >
    > >> >This also does not let me have access. But I presume that until we fix

    > the
    > >> >blank username problem, we won't get anywhere.
    > >> >
    > >> >-Max
    > >> >
    > >>
    > >>

    > >

    >
    >
    MCM, Sep 2, 2009
    #13
  14. MCM

    MCM Guest

    Here's a weird twist... I tried it in FireFox and it works. Still no change
    with IE8 though.


    "MCM" wrote:

    > I'm happy to work with Virtual Directories as needed. But just to get this
    > working at all, I tried to switch the whole site to Windows Authentication. I
    > used the following in my web.config:
    >
    > <authentication mode="Windows"/>
    > <authorization>
    > <deny users="?" />
    > </authorization>
    >
    > It is STILL giving me 401 access denied errors. Not sure what to try next.
    >
    >
    > "Thomas Sun [MSFT]" wrote:
    >
    > > Hi MCM,
    > >
    > > Could you please tell me how you configure your website on IIS? Do you
    > > create Virtual Directory for the Admin folder? As I mentioned above, when
    > > we use Anonymous access, user credentials won't be sent. And one
    > > application just can have one authentication mode.
    > >
    > > If you want to enable Anonymous access for public part and use Integrated
    > > Windows Authentication for Admin part, I suggest you treat them as separate
    > > website. By doing so, we can configure them separately on IIS.
    > >
    > > For example, you can add web.config file with Windows Authentication and
    > > <authorization> section in Admin folder. On IIS, we can add new Application
    > > under your Public section and point its Physical path to the Admin folder.
    > > If we do so, the Admin is the child application of Public application. And
    > > then you can configure Admin application using Integrated Windows
    > > Authentication and configure Public application using Anonymous access on
    > > IIS.
    > >
    > > I look forward to receiving your test results.
    > >
    > >
    > > --
    > > Best Regards,
    > > Thomas Sun
    > >
    > > Microsoft Online Partner Support
    > >
    > >
    > >
    > > --------------------
    > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > > >
    > > >Is it possible to disable anonymous access just for the Admin folder? I'd
    > > >like to allow it for the public section.
    > > >
    > > >
    > > >"Thomas Sun [MSFT]" wrote:
    > > >
    > > >> Hi MCM,
    > > >>
    > > >> Thanks for your response.
    > > >>
    > > >> Please make sure we only enable Integrated Windows Authentication and
    > > >> disable Anonymous access option on IIS. When anonymous access is

    > > enabled,
    > > >> no authenticated user credentials are required to access the site. For

    > > more
    > > >> information, see http://support.microsoft.com/kb/324274
    > > >>
    > > >>
    > > >> I look forward to receiving your test results.
    > > >>
    > > >>
    > > >> --
    > > >> Best Regards,
    > > >> Thomas Sun
    > > >>
    > > >> Microsoft Online Partner Support
    > > >>
    > > >> >
    > > >> >Hi Thomas-
    > > >> >
    > > >> >> Firstly, we need to make sure the identity that requests your website

    > > is
    > > >> in
    > > >> >> the Administrators role that you specify in <allow> section of
    > > >> <location>
    > > >> >> settings. For test, we can present the identity name in page by
    > > >> following
    > > >> >> code:
    > > >> >> ===============================
    > > >> >> Response.Write(User.Identity.Name);
    > > >> >> ===============================
    > > >> >
    > > >> >No name is displaying at all. This value is blank. Could this be a

    > > browser
    > > >> >setting?
    > > >> >
    > > >> >
    > > >> >> Besides, we also can specify a domain user in <location> settings and
    > > >> then
    > > >> >> request your website with that identity to see whether it works. For
    > > >> >> example:
    > > >> >> ===============================
    > > >> >> <location path="Admin">
    > > >> >> <system.web>
    > > >> >> <authorization>
    > > >> >> <allow users="YourDomain\OneUserName"/>
    > > >> >> <deny users="*"/>
    > > >> >> </authorization>
    > > >> >> </system.web>
    > > >> >> </location>
    > > >> >> ===============================
    > > >> >
    > > >> >This also does not let me have access. But I presume that until we fix

    > > the
    > > >> >blank username problem, we won't get anywhere.
    > > >> >
    > > >> >-Max
    > > >> >
    > > >>
    > > >>
    > > >

    > >
    > >
    MCM, Sep 2, 2009
    #14
  15. MCM

    MCM Guest

    So I have all the security working as planned in FireFox, but still not
    functional in IE8. A quick search for "windows authentication ie8" will show
    you there are a lot of people out there with this problem. I assume there
    must be a fix for it by now. Probably a security setting within IE? Any ideas?


    "MCM" wrote:

    > Here's a weird twist... I tried it in FireFox and it works. Still no change
    > with IE8 though.
    >
    >
    > "MCM" wrote:
    >
    > > I'm happy to work with Virtual Directories as needed. But just to get this
    > > working at all, I tried to switch the whole site to Windows Authentication. I
    > > used the following in my web.config:
    > >
    > > <authentication mode="Windows"/>
    > > <authorization>
    > > <deny users="?" />
    > > </authorization>
    > >
    > > It is STILL giving me 401 access denied errors. Not sure what to try next.
    > >
    > >
    > > "Thomas Sun [MSFT]" wrote:
    > >
    > > > Hi MCM,
    > > >
    > > > Could you please tell me how you configure your website on IIS? Do you
    > > > create Virtual Directory for the Admin folder? As I mentioned above, when
    > > > we use Anonymous access, user credentials won't be sent. And one
    > > > application just can have one authentication mode.
    > > >
    > > > If you want to enable Anonymous access for public part and use Integrated
    > > > Windows Authentication for Admin part, I suggest you treat them as separate
    > > > website. By doing so, we can configure them separately on IIS.
    > > >
    > > > For example, you can add web.config file with Windows Authentication and
    > > > <authorization> section in Admin folder. On IIS, we can add new Application
    > > > under your Public section and point its Physical path to the Admin folder.
    > > > If we do so, the Admin is the child application of Public application. And
    > > > then you can configure Admin application using Integrated Windows
    > > > Authentication and configure Public application using Anonymous access on
    > > > IIS.
    > > >
    > > > I look forward to receiving your test results.
    > > >
    > > >
    > > > --
    > > > Best Regards,
    > > > Thomas Sun
    > > >
    > > > Microsoft Online Partner Support
    > > >
    > > >
    > > >
    > > > --------------------
    > > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > > > >
    > > > >Is it possible to disable anonymous access just for the Admin folder? I'd
    > > > >like to allow it for the public section.
    > > > >
    > > > >
    > > > >"Thomas Sun [MSFT]" wrote:
    > > > >
    > > > >> Hi MCM,
    > > > >>
    > > > >> Thanks for your response.
    > > > >>
    > > > >> Please make sure we only enable Integrated Windows Authentication and
    > > > >> disable Anonymous access option on IIS. When anonymous access is
    > > > enabled,
    > > > >> no authenticated user credentials are required to access the site. For
    > > > more
    > > > >> information, see http://support.microsoft.com/kb/324274
    > > > >>
    > > > >>
    > > > >> I look forward to receiving your test results.
    > > > >>
    > > > >>
    > > > >> --
    > > > >> Best Regards,
    > > > >> Thomas Sun
    > > > >>
    > > > >> Microsoft Online Partner Support
    > > > >>
    > > > >> >
    > > > >> >Hi Thomas-
    > > > >> >
    > > > >> >> Firstly, we need to make sure the identity that requests your website
    > > > is
    > > > >> in
    > > > >> >> the Administrators role that you specify in <allow> section of
    > > > >> <location>
    > > > >> >> settings. For test, we can present the identity name in page by
    > > > >> following
    > > > >> >> code:
    > > > >> >> ===============================
    > > > >> >> Response.Write(User.Identity.Name);
    > > > >> >> ===============================
    > > > >> >
    > > > >> >No name is displaying at all. This value is blank. Could this be a
    > > > browser
    > > > >> >setting?
    > > > >> >
    > > > >> >
    > > > >> >> Besides, we also can specify a domain user in <location> settings and
    > > > >> then
    > > > >> >> request your website with that identity to see whether it works. For
    > > > >> >> example:
    > > > >> >> ===============================
    > > > >> >> <location path="Admin">
    > > > >> >> <system.web>
    > > > >> >> <authorization>
    > > > >> >> <allow users="YourDomain\OneUserName"/>
    > > > >> >> <deny users="*"/>
    > > > >> >> </authorization>
    > > > >> >> </system.web>
    > > > >> >> </location>
    > > > >> >> ===============================
    > > > >> >
    > > > >> >This also does not let me have access. But I presume that until we fix
    > > > the
    > > > >> >blank username problem, we won't get anywhere.
    > > > >> >
    > > > >> >-Max
    > > > >> >
    > > > >>
    > > > >>
    > > > >
    > > >
    > > >
    MCM, Sep 2, 2009
    #15
  16. Hi MCM,

    If we create a simple ASP.NET website with Window Authentication and deploy
    it on IIS, does it have the same issue? What URL you were using to request
    your website? Please try to add the URL into local Web Site
    (IE->Tools->Internet Options->Security tab->Select "Local intranet"-> Click
    "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic Logon
    with current username and password" (Internet Explorer --> Tools-->Internet
    Options --> Security-->Local Intranet Zone-->Custom Level-->User
    Authentication-->Logon -->Automatic Logon with current username and
    password).

    If the issue still exists, could you please post detailed steps here that
    can repro the issue? You also can send me a simplified package that can
    repro the error on your machine. My email is .


    I look forward to hearing from you.


    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support



    --------------------

    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >So I have all the security working as planned in FireFox, but still not
    >functional in IE8. A quick search for "windows authentication ie8" will

    show
    >you there are a lot of people out there with this problem. I assume there
    >must be a fix for it by now. Probably a security setting within IE? Any

    ideas?
    >
    >
    >"MCM" wrote:
    >
    >> Here's a weird twist... I tried it in FireFox and it works. Still no

    change
    >> with IE8 though.
    >>
    >>
    >> "MCM" wrote:
    >>
    >> > I'm happy to work with Virtual Directories as needed. But just to get

    this
    >> > working at all, I tried to switch the whole site to Windows

    Authentication. I
    >> > used the following in my web.config:
    >> >
    >> > <authentication mode="Windows"/>
    >> > <authorization>
    >> > <deny users="?" />
    >> > </authorization>
    >> >
    >> > It is STILL giving me 401 access denied errors. Not sure what to try

    next.
    >> >
    >> >
    >> > "Thomas Sun [MSFT]" wrote:
    >> >
    >> > > Hi MCM,
    >> > >
    >> > > Could you please tell me how you configure your website on IIS? Do

    you
    >> > > create Virtual Directory for the Admin folder? As I mentioned above,

    when
    >> > > we use Anonymous access, user credentials won't be sent. And one
    >> > > application just can have one authentication mode.
    >> > >
    >> > > If you want to enable Anonymous access for public part and use

    Integrated
    >> > > Windows Authentication for Admin part, I suggest you treat them as

    separate
    >> > > website. By doing so, we can configure them separately on IIS.
    >> > >
    >> > > For example, you can add web.config file with Windows Authentication

    and
    >> > > <authorization> section in Admin folder. On IIS, we can add new

    Application
    >> > > under your Public section and point its Physical path to the Admin

    folder.
    >> > > If we do so, the Admin is the child application of Public

    application. And
    >> > > then you can configure Admin application using Integrated Windows
    >> > > Authentication and configure Public application using Anonymous

    access on
    >> > > IIS.
    >> > >
    >> > > I look forward to receiving your test results.
    >> > >
    >> > >
    >> > > --
    >> > > Best Regards,
    >> > > Thomas Sun
    >> > >
    >> > > Microsoft Online Partner Support
    >> > >
    >> > >
    >> > >
    >> > > --------------------
    >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >> > > >
    >> > > >Is it possible to disable anonymous access just for the Admin

    folder? I'd
    >> > > >like to allow it for the public section.
    >> > > >
    >> > > >
    >> > > >"Thomas Sun [MSFT]" wrote:
    >> > > >
    >> > > >> Hi MCM,
    >> > > >>
    >> > > >> Thanks for your response.
    >> > > >>
    >> > > >> Please make sure we only enable Integrated Windows Authentication

    and
    >> > > >> disable Anonymous access option on IIS. When anonymous access is
    >> > > enabled,
    >> > > >> no authenticated user credentials are required to access the

    site. For
    >> > > more
    >> > > >> information, see http://support.microsoft.com/kb/324274
    >> > > >>
    >> > > >>
    >> > > >> I look forward to receiving your test results.
    >> > > >>
    >> > > >>
    >> > > >> --
    >> > > >> Best Regards,
    >> > > >> Thomas Sun
    >> > > >>
    >> > > >> Microsoft Online Partner Support
    >> > > >>
    >> > > >> >
    >> > > >> >Hi Thomas-
    >> > > >> >
    >> > > >> >> Firstly, we need to make sure the identity that requests your

    website
    >> > > is
    >> > > >> in
    >> > > >> >> the Administrators role that you specify in <allow> section of
    >> > > >> <location>
    >> > > >> >> settings. For test, we can present the identity name in page

    by
    >> > > >> following
    >> > > >> >> code:
    >> > > >> >> ===============================
    >> > > >> >> Response.Write(User.Identity.Name);
    >> > > >> >> ===============================
    >> > > >> >
    >> > > >> >No name is displaying at all. This value is blank. Could this be

    a
    >> > > browser
    >> > > >> >setting?
    >> > > >> >
    >> > > >> >
    >> > > >> >> Besides, we also can specify a domain user in <location>

    settings and
    >> > > >> then
    >> > > >> >> request your website with that identity to see whether it

    works. For
    >> > > >> >> example:
    >> > > >> >> ===============================
    >> > > >> >> <location path="Admin">
    >> > > >> >> <system.web>
    >> > > >> >> <authorization>
    >> > > >> >> <allow users="YourDomain\OneUserName"/>
    >> > > >> >> <deny users="*"/>
    >> > > >> >> </authorization>
    >> > > >> >> </system.web>
    >> > > >> >> </location>
    >> > > >> >> ===============================
    >> > > >> >
    >> > > >> >This also does not let me have access. But I presume that until

    we fix
    >> > > the
    >> > > >> >blank username problem, we won't get anywhere.
    >> > > >> >
    >> > > >> >-Max
    >> > > >> >
    >> > > >>
    >> > > >>
    >> > > >
    >> > >
    >> > >

    >
    Thomas Sun [MSFT], Sep 3, 2009
    #16
  17. MCM

    MCM Guest

    I was in the process of creating a package for you to test when I solved the
    problem. In IIS, I had set the bindings for the site to http://SERVER. When I
    changed the binding to http://test.domain.local and added that to the IE
    Intranet zone, it works.

    I still believe this is a pretty annoying bug in IE8 - especially since it
    was working fine in FireFox. But in the end, I am able to work around it.

    Thank you for your help.

    "Thomas Sun [MSFT]" wrote:

    > Hi MCM,
    >
    > If we create a simple ASP.NET website with Window Authentication and deploy
    > it on IIS, does it have the same issue? What URL you were using to request
    > your website? Please try to add the URL into local Web Site
    > (IE->Tools->Internet Options->Security tab->Select "Local intranet"-> Click
    > "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic Logon
    > with current username and password" (Internet Explorer --> Tools-->Internet
    > Options --> Security-->Local Intranet Zone-->Custom Level-->User
    > Authentication-->Logon -->Automatic Logon with current username and
    > password).
    >
    > If the issue still exists, could you please post detailed steps here that
    > can repro the issue? You also can send me a simplified package that can
    > repro the error on your machine. My email is .
    >
    >
    > I look forward to hearing from you.
    >
    >
    > --
    > Best Regards,
    > Thomas Sun
    >
    > Microsoft Online Partner Support
    >
    >
    >
    > --------------------
    >
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > >So I have all the security working as planned in FireFox, but still not
    > >functional in IE8. A quick search for "windows authentication ie8" will

    > show
    > >you there are a lot of people out there with this problem. I assume there
    > >must be a fix for it by now. Probably a security setting within IE? Any

    > ideas?
    > >
    > >
    > >"MCM" wrote:
    > >
    > >> Here's a weird twist... I tried it in FireFox and it works. Still no

    > change
    > >> with IE8 though.
    > >>
    > >>
    > >> "MCM" wrote:
    > >>
    > >> > I'm happy to work with Virtual Directories as needed. But just to get

    > this
    > >> > working at all, I tried to switch the whole site to Windows

    > Authentication. I
    > >> > used the following in my web.config:
    > >> >
    > >> > <authentication mode="Windows"/>
    > >> > <authorization>
    > >> > <deny users="?" />
    > >> > </authorization>
    > >> >
    > >> > It is STILL giving me 401 access denied errors. Not sure what to try

    > next.
    > >> >
    > >> >
    > >> > "Thomas Sun [MSFT]" wrote:
    > >> >
    > >> > > Hi MCM,
    > >> > >
    > >> > > Could you please tell me how you configure your website on IIS? Do

    > you
    > >> > > create Virtual Directory for the Admin folder? As I mentioned above,

    > when
    > >> > > we use Anonymous access, user credentials won't be sent. And one
    > >> > > application just can have one authentication mode.
    > >> > >
    > >> > > If you want to enable Anonymous access for public part and use

    > Integrated
    > >> > > Windows Authentication for Admin part, I suggest you treat them as

    > separate
    > >> > > website. By doing so, we can configure them separately on IIS.
    > >> > >
    > >> > > For example, you can add web.config file with Windows Authentication

    > and
    > >> > > <authorization> section in Admin folder. On IIS, we can add new

    > Application
    > >> > > under your Public section and point its Physical path to the Admin

    > folder.
    > >> > > If we do so, the Admin is the child application of Public

    > application. And
    > >> > > then you can configure Admin application using Integrated Windows
    > >> > > Authentication and configure Public application using Anonymous

    > access on
    > >> > > IIS.
    > >> > >
    > >> > > I look forward to receiving your test results.
    > >> > >
    > >> > >
    > >> > > --
    > >> > > Best Regards,
    > >> > > Thomas Sun
    > >> > >
    > >> > > Microsoft Online Partner Support
    > >> > >
    > >> > >
    > >> > >
    > >> > > --------------------
    > >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >> > > >
    > >> > > >Is it possible to disable anonymous access just for the Admin

    > folder? I'd
    > >> > > >like to allow it for the public section.
    > >> > > >
    > >> > > >
    > >> > > >"Thomas Sun [MSFT]" wrote:
    > >> > > >
    > >> > > >> Hi MCM,
    > >> > > >>
    > >> > > >> Thanks for your response.
    > >> > > >>
    > >> > > >> Please make sure we only enable Integrated Windows Authentication

    > and
    > >> > > >> disable Anonymous access option on IIS. When anonymous access is
    > >> > > enabled,
    > >> > > >> no authenticated user credentials are required to access the

    > site. For
    > >> > > more
    > >> > > >> information, see http://support.microsoft.com/kb/324274
    > >> > > >>
    > >> > > >>
    > >> > > >> I look forward to receiving your test results.
    > >> > > >>
    > >> > > >>
    > >> > > >> --
    > >> > > >> Best Regards,
    > >> > > >> Thomas Sun
    > >> > > >>
    > >> > > >> Microsoft Online Partner Support
    > >> > > >>
    > >> > > >> >
    > >> > > >> >Hi Thomas-
    > >> > > >> >
    > >> > > >> >> Firstly, we need to make sure the identity that requests your

    > website
    > >> > > is
    > >> > > >> in
    > >> > > >> >> the Administrators role that you specify in <allow> section of
    > >> > > >> <location>
    > >> > > >> >> settings. For test, we can present the identity name in page

    > by
    > >> > > >> following
    > >> > > >> >> code:
    > >> > > >> >> ===============================
    > >> > > >> >> Response.Write(User.Identity.Name);
    > >> > > >> >> ===============================
    > >> > > >> >
    > >> > > >> >No name is displaying at all. This value is blank. Could this be

    > a
    > >> > > browser
    > >> > > >> >setting?
    > >> > > >> >
    > >> > > >> >
    > >> > > >> >> Besides, we also can specify a domain user in <location>

    > settings and
    > >> > > >> then
    > >> > > >> >> request your website with that identity to see whether it

    > works. For
    > >> > > >> >> example:
    > >> > > >> >> ===============================
    > >> > > >> >> <location path="Admin">
    > >> > > >> >> <system.web>
    > >> > > >> >> <authorization>
    > >> > > >> >> <allow users="YourDomain\OneUserName"/>
    > >> > > >> >> <deny users="*"/>
    > >> > > >> >> </authorization>
    > >> > > >> >> </system.web>
    > >> > > >> >> </location>
    > >> > > >> >> ===============================
    > >> > > >> >
    > >> > > >> >This also does not let me have access. But I presume that until

    > we fix
    > >> > > the
    > >> > > >> >blank username problem, we won't get anywhere.
    > >> > > >> >
    > >> > > >> >-Max
    > >> > > >> >
    > >> > > >>
    > >> > > >>
    > >> > > >
    > >> > >
    > >> > >

    > >

    >
    >
    MCM, Sep 3, 2009
    #17
  18. Hi MCM,

    Thanks for your update and I am glad that you resolved it.

    For security, IE doesn't send sensitive information to website that is not
    in Local intranet list automatically by default.

    You also can post the feedback on the Connect Website
    (https://connect.microsoft.com/IE/Feedback). Our developer will evaluate
    them seriously and take them into consideration when designing future
    release of the product.


    --
    Best Regards,
    Thomas Sun

    Microsoft Online Partner Support


    --------------------
    >Xref: TK2MSFTNGHUB02.phx.gbl

    microsoft.public.dotnet.framework.aspnet.security:3125
    >NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >I was in the process of creating a package for you to test when I solved

    the
    >problem. In IIS, I had set the bindings for the site to http://SERVER.

    When I
    >changed the binding to http://test.domain.local and added that to the IE
    >Intranet zone, it works.
    >
    >I still believe this is a pretty annoying bug in IE8 - especially since it
    >was working fine in FireFox. But in the end, I am able to work around it.
    >
    >Thank you for your help.
    >
    >"Thomas Sun [MSFT]" wrote:
    >
    >> Hi MCM,
    >>
    >> If we create a simple ASP.NET website with Window Authentication and

    deploy
    >> it on IIS, does it have the same issue? What URL you were using to

    request
    >> your website? Please try to add the URL into local Web Site
    >> (IE->Tools->Internet Options->Security tab->Select "Local intranet"->

    Click
    >> "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic

    Logon
    >> with current username and password" (Internet Explorer -->

    Tools-->Internet
    >> Options --> Security-->Local Intranet Zone-->Custom Level-->User
    >> Authentication-->Logon -->Automatic Logon with current username and
    >> password).
    >>
    >> If the issue still exists, could you please post detailed steps here

    that
    >> can repro the issue? You also can send me a simplified package that

    can
    >> repro the error on your machine. My email is .
    >>
    >>
    >> I look forward to hearing from you.
    >>
    >>
    >> --
    >> Best Regards,
    >> Thomas Sun
    >>
    >> Microsoft Online Partner Support
    >>
    >>
    >>
    >> --------------------
    >>
    >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >> >
    >> >So I have all the security working as planned in FireFox, but still not
    >> >functional in IE8. A quick search for "windows authentication ie8" will

    >> show
    >> >you there are a lot of people out there with this problem. I assume

    there
    >> >must be a fix for it by now. Probably a security setting within IE? Any

    >> ideas?
    >> >
    >> >
    >> >"MCM" wrote:
    >> >
    >> >> Here's a weird twist... I tried it in FireFox and it works. Still no

    >> change
    >> >> with IE8 though.
    >> >>
    >> >>
    >> >> "MCM" wrote:
    >> >>
    >> >> > I'm happy to work with Virtual Directories as needed. But just to

    get
    >> this
    >> >> > working at all, I tried to switch the whole site to Windows

    >> Authentication. I
    >> >> > used the following in my web.config:
    >> >> >
    >> >> > <authentication mode="Windows"/>
    >> >> > <authorization>
    >> >> > <deny users="?" />
    >> >> > </authorization>
    >> >> >
    >> >> > It is STILL giving me 401 access denied errors. Not sure what to

    try
    >> next.
    >> >> >
    >> >> >
    >> >> > "Thomas Sun [MSFT]" wrote:
    >> >> >
    >> >> > > Hi MCM,
    >> >> > >
    >> >> > > Could you please tell me how you configure your website on IIS?

    Do
    >> you
    >> >> > > create Virtual Directory for the Admin folder? As I mentioned

    above,
    >> when
    >> >> > > we use Anonymous access, user credentials won't be sent. And one
    >> >> > > application just can have one authentication mode.
    >> >> > >
    >> >> > > If you want to enable Anonymous access for public part and use

    >> Integrated
    >> >> > > Windows Authentication for Admin part, I suggest you treat them

    as
    >> separate
    >> >> > > website. By doing so, we can configure them separately on IIS.
    >> >> > >
    >> >> > > For example, you can add web.config file with Windows

    Authentication
    >> and
    >> >> > > <authorization> section in Admin folder. On IIS, we can add new

    >> Application
    >> >> > > under your Public section and point its Physical path to the

    Admin
    >> folder.
    >> >> > > If we do so, the Admin is the child application of Public

    >> application. And
    >> >> > > then you can configure Admin application using Integrated Windows
    >> >> > > Authentication and configure Public application using Anonymous

    >> access on
    >> >> > > IIS.
    >> >> > >
    >> >> > > I look forward to receiving your test results.
    >> >> > >
    >> >> > >
    >> >> > > --
    >> >> > > Best Regards,
    >> >> > > Thomas Sun
    >> >> > >
    >> >> > > Microsoft Online Partner Support
    >> >> > >
    >> >> > >
    >> >> > >
    >> >> > > --------------------
    >> >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >> >> > > >
    >> >> > > >Is it possible to disable anonymous access just for the Admin

    >> folder? I'd
    >> >> > > >like to allow it for the public section.
    >> >> > > >
    >> >> > > >
    >> >> > > >"Thomas Sun [MSFT]" wrote:
    >> >> > > >
    >> >> > > >> Hi MCM,
    >> >> > > >>
    >> >> > > >> Thanks for your response.
    >> >> > > >>
    >> >> > > >> Please make sure we only enable Integrated Windows

    Authentication
    >> and
    >> >> > > >> disable Anonymous access option on IIS. When anonymous access

    is
    >> >> > > enabled,
    >> >> > > >> no authenticated user credentials are required to access the

    >> site. For
    >> >> > > more
    >> >> > > >> information, see http://support.microsoft.com/kb/324274
    >> >> > > >>
    >> >> > > >>
    >> >> > > >> I look forward to receiving your test results.
    >> >> > > >>
    >> >> > > >>
    >> >> > > >> --
    >> >> > > >> Best Regards,
    >> >> > > >> Thomas Sun
    >> >> > > >>
    >> >> > > >> Microsoft Online Partner Support
    >> >> > > >>
    >> >> > > >> >
    >> >> > > >> >Hi Thomas-
    >> >> > > >> >
    >> >> > > >> >> Firstly, we need to make sure the identity that requests

    your
    >> website
    >> >> > > is
    >> >> > > >> in
    >> >> > > >> >> the Administrators role that you specify in <allow> section

    of
    >> >> > > >> <location>
    >> >> > > >> >> settings. For test, we can present the identity name in

    page
    >> by
    >> >> > > >> following
    >> >> > > >> >> code:
    >> >> > > >> >> ===============================
    >> >> > > >> >> Response.Write(User.Identity.Name);
    >> >> > > >> >> ===============================
    >> >> > > >> >
    >> >> > > >> >No name is displaying at all. This value is blank. Could this

    be
    >> a
    >> >> > > browser
    >> >> > > >> >setting?
    >> >> > > >> >
    >> >> > > >> >
    >> >> > > >> >> Besides, we also can specify a domain user in <location>

    >> settings and
    >> >> > > >> then
    >> >> > > >> >> request your website with that identity to see whether it

    >> works. For
    >> >> > > >> >> example:
    >> >> > > >> >> ===============================
    >> >> > > >> >> <location path="Admin">
    >> >> > > >> >> <system.web>
    >> >> > > >> >> <authorization>
    >> >> > > >> >> <allow users="YourDomain\OneUserName"/>
    >> >> > > >> >> <deny users="*"/>
    >> >> > > >> >> </authorization>
    >> >> > > >> >> </system.web>
    >> >> > > >> >> </location>
    >> >> > > >> >> ===============================
    >> >> > > >> >
    >> >> > > >> >This also does not let me have access. But I presume that

    until
    >> we fix
    >> >> > > the
    >> >> > > >> >blank username problem, we won't get anywhere.
    >> >> > > >> >
    >> >> > > >> >-Max
    >> >> > > >> >
    >> >> > > >>
    >> >> > > >>
    >> >> > > >
    >> >> > >
    >> >> > >
    >> >

    >>
    >>

    >
    Thomas Sun [MSFT], Sep 4, 2009
    #18
  19. MCM

    MCM Guest

    Yes. I understand that the site had to be in the Intranet Zone - and it was.
    I was just using the abbreviated server name instead of a FQDN. So even
    though it was listed in Intranet and even though it worked in FireFox, it
    didn't work in IE. I'll write a note to the IE Feedback site like you
    suggested. Thanks.


    "Thomas Sun [MSFT]" wrote:

    > Hi MCM,
    >
    > Thanks for your update and I am glad that you resolved it.
    >
    > For security, IE doesn't send sensitive information to website that is not
    > in Local intranet list automatically by default.
    >
    > You also can post the feedback on the Connect Website
    > (https://connect.microsoft.com/IE/Feedback). Our developer will evaluate
    > them seriously and take them into consideration when designing future
    > release of the product.
    >
    >
    > --
    > Best Regards,
    > Thomas Sun
    >
    > Microsoft Online Partner Support
    >
    >
    > --------------------
    > >Xref: TK2MSFTNGHUB02.phx.gbl

    > microsoft.public.dotnet.framework.aspnet.security:3125
    > >NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > >I was in the process of creating a package for you to test when I solved

    > the
    > >problem. In IIS, I had set the bindings for the site to http://SERVER.

    > When I
    > >changed the binding to http://test.domain.local and added that to the IE
    > >Intranet zone, it works.
    > >
    > >I still believe this is a pretty annoying bug in IE8 - especially since it
    > >was working fine in FireFox. But in the end, I am able to work around it.
    > >
    > >Thank you for your help.
    > >
    > >"Thomas Sun [MSFT]" wrote:
    > >
    > >> Hi MCM,
    > >>
    > >> If we create a simple ASP.NET website with Window Authentication and

    > deploy
    > >> it on IIS, does it have the same issue? What URL you were using to

    > request
    > >> your website? Please try to add the URL into local Web Site
    > >> (IE->Tools->Internet Options->Security tab->Select "Local intranet"->

    > Click
    > >> "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic

    > Logon
    > >> with current username and password" (Internet Explorer -->

    > Tools-->Internet
    > >> Options --> Security-->Local Intranet Zone-->Custom Level-->User
    > >> Authentication-->Logon -->Automatic Logon with current username and
    > >> password).
    > >>
    > >> If the issue still exists, could you please post detailed steps here

    > that
    > >> can repro the issue? You also can send me a simplified package that

    > can
    > >> repro the error on your machine. My email is .
    > >>
    > >>
    > >> I look forward to hearing from you.
    > >>
    > >>
    > >> --
    > >> Best Regards,
    > >> Thomas Sun
    > >>
    > >> Microsoft Online Partner Support
    > >>
    > >>
    > >>
    > >> --------------------
    > >>
    > >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >> >
    > >> >So I have all the security working as planned in FireFox, but still not
    > >> >functional in IE8. A quick search for "windows authentication ie8" will
    > >> show
    > >> >you there are a lot of people out there with this problem. I assume

    > there
    > >> >must be a fix for it by now. Probably a security setting within IE? Any
    > >> ideas?
    > >> >
    > >> >
    > >> >"MCM" wrote:
    > >> >
    > >> >> Here's a weird twist... I tried it in FireFox and it works. Still no
    > >> change
    > >> >> with IE8 though.
    > >> >>
    > >> >>
    > >> >> "MCM" wrote:
    > >> >>
    > >> >> > I'm happy to work with Virtual Directories as needed. But just to

    > get
    > >> this
    > >> >> > working at all, I tried to switch the whole site to Windows
    > >> Authentication. I
    > >> >> > used the following in my web.config:
    > >> >> >
    > >> >> > <authentication mode="Windows"/>
    > >> >> > <authorization>
    > >> >> > <deny users="?" />
    > >> >> > </authorization>
    > >> >> >
    > >> >> > It is STILL giving me 401 access denied errors. Not sure what to

    > try
    > >> next.
    > >> >> >
    > >> >> >
    > >> >> > "Thomas Sun [MSFT]" wrote:
    > >> >> >
    > >> >> > > Hi MCM,
    > >> >> > >
    > >> >> > > Could you please tell me how you configure your website on IIS?

    > Do
    > >> you
    > >> >> > > create Virtual Directory for the Admin folder? As I mentioned

    > above,
    > >> when
    > >> >> > > we use Anonymous access, user credentials won't be sent. And one
    > >> >> > > application just can have one authentication mode.
    > >> >> > >
    > >> >> > > If you want to enable Anonymous access for public part and use
    > >> Integrated
    > >> >> > > Windows Authentication for Admin part, I suggest you treat them

    > as
    > >> separate
    > >> >> > > website. By doing so, we can configure them separately on IIS.
    > >> >> > >
    > >> >> > > For example, you can add web.config file with Windows

    > Authentication
    > >> and
    > >> >> > > <authorization> section in Admin folder. On IIS, we can add new
    > >> Application
    > >> >> > > under your Public section and point its Physical path to the

    > Admin
    > >> folder.
    > >> >> > > If we do so, the Admin is the child application of Public
    > >> application. And
    > >> >> > > then you can configure Admin application using Integrated Windows
    > >> >> > > Authentication and configure Public application using Anonymous
    > >> access on
    > >> >> > > IIS.
    > >> >> > >
    > >> >> > > I look forward to receiving your test results.
    > >> >> > >
    > >> >> > >
    > >> >> > > --
    > >> >> > > Best Regards,
    > >> >> > > Thomas Sun
    > >> >> > >
    > >> >> > > Microsoft Online Partner Support
    > >> >> > >
    > >> >> > >
    > >> >> > >
    > >> >> > > --------------------
    > >> >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >> >> > > >
    > >> >> > > >Is it possible to disable anonymous access just for the Admin
    > >> folder? I'd
    > >> >> > > >like to allow it for the public section.
    > >> >> > > >
    > >> >> > > >
    > >> >> > > >"Thomas Sun [MSFT]" wrote:
    > >> >> > > >
    > >> >> > > >> Hi MCM,
    > >> >> > > >>
    > >> >> > > >> Thanks for your response.
    > >> >> > > >>
    > >> >> > > >> Please make sure we only enable Integrated Windows

    > Authentication
    > >> and
    > >> >> > > >> disable Anonymous access option on IIS. When anonymous access

    > is
    > >> >> > > enabled,
    > >> >> > > >> no authenticated user credentials are required to access the
    > >> site. For
    > >> >> > > more
    > >> >> > > >> information, see http://support.microsoft.com/kb/324274
    > >> >> > > >>
    > >> >> > > >>
    > >> >> > > >> I look forward to receiving your test results.
    > >> >> > > >>
    > >> >> > > >>
    > >> >> > > >> --
    > >> >> > > >> Best Regards,
    > >> >> > > >> Thomas Sun
    > >> >> > > >>
    > >> >> > > >> Microsoft Online Partner Support
    > >> >> > > >>
    > >> >> > > >> >
    > >> >> > > >> >Hi Thomas-
    > >> >> > > >> >
    > >> >> > > >> >> Firstly, we need to make sure the identity that requests

    > your
    > >> website
    > >> >> > > is
    > >> >> > > >> in
    > >> >> > > >> >> the Administrators role that you specify in <allow> section

    > of
    > >> >> > > >> <location>
    > >> >> > > >> >> settings. For test, we can present the identity name in

    > page
    > >> by
    > >> >> > > >> following
    > >> >> > > >> >> code:
    > >> >> > > >> >> ===============================
    > >> >> > > >> >> Response.Write(User.Identity.Name);
    > >> >> > > >> >> ===============================
    > >> >> > > >> >
    > >> >> > > >> >No name is displaying at all. This value is blank. Could this

    > be
    > >> a
    > >> >> > > browser
    > >> >> > > >> >setting?
    > >> >> > > >> >
    > >> >> > > >> >
    > >> >> > > >> >> Besides, we also can specify a domain user in <location>
    > >> settings and
    > >> >> > > >> then
    > >> >> > > >> >> request your website with that identity to see whether it
    > >> works. For
    > >> >> > > >> >> example:
    > >> >> > > >> >> ===============================
    > >> >> > > >> >> <location path="Admin">
    > >> >> > > >> >> <system.web>
    > >> >> > > >> >> <authorization>
    > >> >> > > >> >> <allow users="YourDomain\OneUserName"/>
    > >> >> > > >> >> <deny users="*"/>
    > >> >> > > >> >> </authorization>
    > >> >> > > >> >> </system.web>
    > >> >> > > >> >> </location>
    > >> >> > > >> >> ===============================
    > >> >> > > >> >
    > >> >> > > >> >This also does not let me have access. But I presume that

    > until
    > >> we fix
    > >> >> > > the
    > >> >> > > >> >blank username problem, we won't get anywhere.
    > >> >> > > >> >
    > >> >> > > >> >-Max
    > >> >> > > >> >
    > >> >> > > >>
    > >> >> > > >>
    > >> >> > > >
    > >> >> > >
    > >> >> > >
    > >> >
    > >>
    > >>

    > >

    >
    >
    MCM, Sep 4, 2009
    #19
  20. On Sep 4, 6:30 am, MCM <> wrote:
    > Yes. I understand that the site had to be in the Intranet Zone - and it was.
    > I was just using the abbreviated server name instead of a FQDN. So even
    > though it was listed in Intranet and even though it worked in FireFox, it
    > didn't work in IE. I'll write a note to the IE Feedback site like you
    > suggested. Thanks.
    >


    Ensure that the Include all network paths (UNC) check box has been
    checked. (Internet Options - Security - Sites). If it was checked, it
    could be interesting to see the difference in Fiddler between IE with
    the abbreviated server name and with FQDN

    Fiddler can be found here www.fiddlertool.com

    You might also try to add *.domain.local or 10.*.*.* to sites list to
    see if it works or not
    Alexey Smirnov, Sep 4, 2009
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?Q2hyaXMgTW9oYW4=?=

    Configuring Windows Auth & Forms Auth in Asp.Net

    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=, Apr 28, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    687
    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=
    Apr 28, 2004
  2. =?Utf-8?B?UG9ueSBUc3Vp?=

    a urlauthorization question

    =?Utf-8?B?UG9ueSBUc3Vp?=, Apr 3, 2006, in forum: ASP .Net
    Replies:
    9
    Views:
    814
    Steven Cheng[MSFT]
    Apr 7, 2006
  3. Chris Mohan

    Configuring Windows Auth & Forms Auth in Asp.Net

    Chris Mohan, Apr 28, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    410
    Chris Mohan
    Apr 29, 2004
  4. Igor Dombrovan
    Replies:
    2
    Views:
    460
    Igor Dombrovan
    Mar 1, 2005
  5. Replies:
    3
    Views:
    110
    M. Edward (Ed) Borasky
    Sep 27, 2007
Loading...

Share This Page