Web.Config and subdirectory *location* security

Discussion in 'ASP .Net Security' started by Grant Harmeyer, Jul 20, 2004.

  1. I've read similar posts to this issue, and I am fairly certain this
    configuration should work. However, when I try to request any of the pages
    in the Admin subdirectory of my application root, I am given the following
    error:

    It is an error to use a section registered as
    allowDefinition='MachineToApplication' beyond application level. This error
    can be caused by a virtual directory not being configured as an application
    in IIS.

    It then has the line "<authentication mode="Forms">" highlighted as the line
    the error occurs at.

    Is this an IIS config issue, or do I need to create a configSections node in
    my web.config to facilitate this? If I need the configSections node added,
    an example would be very helpful. Thanks.


    <!-- Web.Config -->


    <configuration>
    <system.web>
    <authorization>
    <allow users="?" />
    </authorization>
    <compilation defaultLanguage="C#">
    <assemblies>
    <add assembly="MyAssembly" />
    </assemblies>
    </compilation>
    <customErrors mode="Off" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>

    <location path="Admin">
    <system.web>
    <authentication mode="Forms">
    <forms name=".MYAPPAUTH" loginUrl="login.aspx"
    protection="Encryption" timeout="20" />
    </authentication>
    <authorization>
    <deny users="?" />
    </authorization>
    <httpRuntime executionTimeout="90" maxRequestLength="512"
    useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
    minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
    </system.web>
    </location>

    </configuration>
    Grant Harmeyer, Jul 20, 2004
    #1
    1. Advertising

  2. Grant Harmeyer

    Chris Mohan Guest


    > Is this an IIS config issue, or do I need to create a configSections node in
    > my web.config to facilitate this? If I need the configSections node added,
    > an example would be very helpful. Thanks.


    The way to address this is to configure the admin sub dir as an application in IIS.

    The problem is that the authentication element can only be declared at the machine(for all apps hosted on a server), site, or application level. The documentation states: "Any attempt to declare it in a configuration file at the subdirectory or page level will result in a parser error message."
    See: http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp

    Here's a good article for more info on setting up an app that uses windows and forms auth:
    http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication

    "Grant Harmeyer" wrote:

    > I've read similar posts to this issue, and I am fairly certain this
    > configuration should work. However, when I try to request any of the pages
    > in the Admin subdirectory of my application root, I am given the following
    > error:
    >
    > It is an error to use a section registered as
    > allowDefinition='MachineToApplication' beyond application level. This error
    > can be caused by a virtual directory not being configured as an application
    > in IIS.
    >
    > It then has the line "<authentication mode="Forms">" highlighted as the line
    > the error occurs at.
    >


    >
    > <!-- Web.Config -->
    >
    >
    > <configuration>
    > <system.web>
    > <authorization>
    > <allow users="?" />
    > </authorization>
    > <compilation defaultLanguage="C#">
    > <assemblies>
    > <add assembly="MyAssembly" />
    > </assemblies>
    > </compilation>
    > <customErrors mode="Off" />
    > <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    > </system.web>
    >
    > <location path="Admin">
    > <system.web>
    > <authentication mode="Forms">
    > <forms name=".MYAPPAUTH" loginUrl="login.aspx"
    > protection="Encryption" timeout="20" />
    > </authentication>
    > <authorization>
    > <deny users="?" />
    > </authorization>
    > <httpRuntime executionTimeout="90" maxRequestLength="512"
    > useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
    > minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
    > </system.web>
    > </location>
    >
    > </configuration>
    >
    >
    >
    Chris Mohan, Jul 21, 2004
    #2
    1. Advertising

  3. Thanks, I see that very clearly now and it makes sense. I went to
    http://www.gotdotnet.com and downloaded the source code for the .Text blog
    application to analyze some of the tactics used in that application for
    authentication and also for some performance techniques.

    Thanks for the reply


    Grant



    "Chris Mohan" <> wrote in message
    news:...
    >
    > > Is this an IIS config issue, or do I need to create a configSections

    node in
    > > my web.config to facilitate this? If I need the configSections node

    added,
    > > an example would be very helpful. Thanks.

    >
    > The way to address this is to configure the admin sub dir as an

    application in IIS.
    >
    > The problem is that the authentication element can only be declared at the

    machine(for all apps hosted on a server), site, or application level. The
    documentation states: "Any attempt to declare it in a configuration file at
    the subdirectory or page level will result in a parser error message."
    > See:

    http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp
    >
    > Here's a good article for more info on setting up an app that uses windows

    and forms auth:
    >

    http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication
    >
    > "Grant Harmeyer" wrote:
    >
    > > I've read similar posts to this issue, and I am fairly certain this
    > > configuration should work. However, when I try to request any of the

    pages
    > > in the Admin subdirectory of my application root, I am given the

    following
    > > error:
    > >
    > > It is an error to use a section registered as
    > > allowDefinition='MachineToApplication' beyond application level. This

    error
    > > can be caused by a virtual directory not being configured as an

    application
    > > in IIS.
    > >
    > > It then has the line "<authentication mode="Forms">" highlighted as the

    line
    > > the error occurs at.
    > >

    >
    > >
    > > <!-- Web.Config -->
    > >
    > >
    > > <configuration>
    > > <system.web>
    > > <authorization>
    > > <allow users="?" />
    > > </authorization>
    > > <compilation defaultLanguage="C#">
    > > <assemblies>
    > > <add assembly="MyAssembly" />
    > > </assemblies>
    > > </compilation>
    > > <customErrors mode="Off" />
    > > <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    > > </system.web>
    > >
    > > <location path="Admin">
    > > <system.web>
    > > <authentication mode="Forms">
    > > <forms name=".MYAPPAUTH" loginUrl="login.aspx"
    > > protection="Encryption" timeout="20" />
    > > </authentication>
    > > <authorization>
    > > <deny users="?" />
    > > </authorization>
    > > <httpRuntime executionTimeout="90" maxRequestLength="512"
    > > useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
    > > minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
    > > </system.web>
    > > </location>
    > >
    > > </configuration>
    > >
    > >
    > >
    Grant Harmeyer, Jul 21, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. CSharpner
    Replies:
    0
    Views:
    1,000
    CSharpner
    Apr 9, 2007
  2. luqman
    Replies:
    2
    Views:
    786
    luqman
    Jul 11, 2007
  3. =?Utf-8?B?Znc=?=
    Replies:
    4
    Views:
    661
    Juan T. Llibre
    Oct 3, 2007
  4. VSK

    web.config in subdirectory related query

    VSK, Sep 25, 2003, in forum: ASP .Net Security
    Replies:
    1
    Views:
    96
    Johan Normén NSQAURED2
    Sep 26, 2003
  5. David Pyper

    Problem with web.config access-restricted subdirectory

    David Pyper, Jan 21, 2004, in forum: ASP .Net Security
    Replies:
    3
    Views:
    293
    David Pyper
    Jan 27, 2004
Loading...

Share This Page