Web.Config and Virtual Directory

[Wm. Scott Miller]

We have a intranet site that allows one of our departments to search a set
of pdfs and then look at them. Only problem is that only they and us geeks
should be allowed to see the pdfs. We have it locked down except for when a
person directly types in the url to a pdf. Currently, the PDFs are in a
virtual directory off the root of the server. Putting it under the search
site also doesn't work. My understanding is that IIS looks as the virtual
directory as a separate site and will not carry web.config settings down to
it. Putting a web.config in the virtual directory directly doesn't work
either. How do I secure this virtual directory so only certain users can
get to the pdfs?

Scott

 

[Jeffrey Palermo]

This is not an ASP.NET issue, but an IIS one.

Use IIS security to authenticate users for this virtual directory. That
means you have to disable anonymous access.

Jeffrey Palermo

 

[Wm. Scott Miller]

IIS is set to Windows Authentication with all other methods disabled.

Scott

 

[Jeffrey Palermo]

In this case, I'm assuming you are using AD, and these people's windows
accounts have access to these files. Use NTFS security on the folder and
take out "Everyone" if it's there. Fix the NTFS permissions on the folder
with the restricted files so that only appropriate users have access. This
may be a job for your server administrator depending on how your
organization is set up.

Jeffrey Palermo

 

[Wm. Scott Miller]

The actual folder is a network share on another server (IIS box has very
limited HD space). This appears to cause issues because when setting up the
virtual directory, IIS demands a username/password to access the share. How
can we make IIS use the credentials of the user to access the files instead
of a supplied username/password?

Scott

 

[Scott Allen]

Hi Scott:

The web.config authorization settings only protect resources mapped to
ASP.NET. There are two approaches. One is to map PDF files to the
ASPNET runtime by going to the virtual directory properties, click the
application configuration button, and add a mapping for .pdf just like
you see for .aspx. Another approach would be to place the PDF files
outside of the web directories and have the user hit an ASPX page
which will read the contents of the PDF and stream it out.

Let me know if you need more info,

 

[Jeffrey Palermo]

Honestly, that is out of my area of expertise (programming). If it were an
ASP.NET issue, I'd be all over it. I'd be googling this one and talking
with my server admins.

Jeffrey Palermo

 

[Wm. Scott Miller]

Scott:

OK, looks like that might work. Only issue is that by adding the PDF files
identical to the aspx definition results in not being able to access them at
all. Do you have any examples of either method that I can look at?

Thanks,
Scott

 

[Raterus]

I'm actually doing something very very similar to what you are doing, a document management system. I didn't go for the virtual directory option though, I believe that may cause you some grief down the road.

What I did do is set up delegation on my webserver, and access the pdf documents off a network share using the current context of the user who is currently using the system. My asp.net pages just show the documents in the directory.

Here is an article on delegation if you are interested.
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

--Michael

 

[Scott Allen]

Scott:

OK, looks like that might work. Only issue is that by adding the PDF files
identical to the aspx definition results in not being able to access them at
all. Do you have any examples of either method that I can look at?

Thanks,
Scott

Hmm. I just tried this specifically with .PDF (I had tried it with
other file types previously) and it appears to be working on my
machine. I know this doesn't help you at all, but let me think of some
options.

In testing it appears IE was aggresively caching PDF content and not
prompting for a login when i launched a new instance and browsed to
the pdf url for a second time, so you might try cleaning out temp
files just to make sure it isn't causing some wierdness.

Are you getting a 403, or a blank browser page? I can send some screen
shots and other information to your email if that would help.

--s

 

[Wm. Scott Miller]

If I type in the url in pieces, it comes up with the invalid credentials
screens, but as soon as I get to the complete url to the PDF, it shows it.
Even if I actually have not viewed that PDF before. Maybe I'm not
configured right. Could you send some screen shots?

Looks like we have similar techs for preventing spam, you should be able to
figure it out.

Thanks,
Scott