With web forms I can designate an individual ASPX page to require SSL and IIS will ask the user to pick a certificate from their CAC. However, in IIS Manager on the server for an MVC site, the individual views are not listed so I cannot require SSL for a particular view. Is there any way to do this?
My web.config has been changed:
<location path="FileSharing/Welcome" allowOverride="true"></location>
<location path="FileSharing/Index" allowOverride="true">
  <system.webServer>
    <security>
      <access sslFlags="Ssl,SslNegotiateCert,SslRequireCert"/>
    </security>
  </system.webServer>
</location>
Error 500.19
Error Code: 0x80070021
Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Related
We recently converted a Framework 4.8 WebForms project that was using Forms Authentication to use Identity 2.0 Authentication and now we can't access default documents or images without allowing anonymous access.
Once authenticated with Identity, if you browse to a folder such as http://mysite/dashboard/default.aspx it works fine. However, if the default page is not in the path, as in http://mysite/dashboard/, it returns 401.2 as though IIS needs permissions to serve the page:
Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
We have <authentication mode="None"> which I understand is correct for this situation. IIS is configured to use default documents just as it was when we were using Forms Authentication.
We also deny unauthenticated users with the System.Web.Security.UrlAuthorizationModule:
<authorization>
  <deny users="?" />
</authorization>
If we allow anonymous on the folder it does work, but we don't want anonymous access on these locations.
<location path="Dashboard">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
So, how do you configure IIS to access default documents without 'allow anonymous' so it works like it did under Forms Authentication?
Thanks!!!
Try to add this to the system.webServer section:
<modules>
  <remove name="FormsAuthentication"/>
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content.
Found that adding <modules runAllManagedModulesForAllRequests="true"> to the web.config resolved the issues. Not really sure why at this point. I did notice that the request for a static file did not include the user identity which was working before removing Forms Authentication. After adding this, the user identity started showing up in the request.
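To see what the two answers above are actually changing, here is an added PowerShell diagnostic (not code from either answer; it uses the WebAdministration module that ships with IIS 7.5 and later, and the site name is an assumption). It lists the managed authentication/authorization modules with their preCondition and reads the current runAllManagedModulesForAllRequests value for the site.

```powershell
# Added example: inspect module preconditions for an IIS site.
# Assumptions: WebAdministration module available; site named "Default Web Site".
Import-Module WebAdministration

$sitePath = 'IIS:\Sites\Default Web Site'   # assumption: point this at your site or app

# A managed module whose preCondition is "managedHandler" only runs for requests that
# map to a managed handler. A static file or a bare folder URL (served by the default
# document module) therefore bypasses it, and no ASP.NET identity is attached.
Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/modules/add' |
    Where-Object { $_.name -match 'Authentication|Authorization' } |
    Select-Object name, type, preCondition |
    Format-Table -AutoSize

# The switch the second answer turned on: when true, every managed module runs for
# every request, regardless of its preCondition (at some cost for static content).
Get-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/modules' `
    -Name 'runAllManagedModulesForAllRequests'
```

Run it from an elevated PowerShell on the web server before and after applying either fix; the module whose preCondition disappears (or the flag that flips to True) is what made the identity show up on the default-document request.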
I've inherited an IIS 8.5 installation with a lengthy applicationHost.config file; I'm not familiar with all the options and am trying not to mess with it as it is working.
When I set up a new web application, to get it work, I'm having to go into C:\Windows\System32\inetsrv\config\applicationHost.config
and manually add the following for each application:
<location path="Default Web Site/MyNewAppPath">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
Or I get an error - "Access is denied Error message 401.2.: Unauthorized: Logon failed due to server configuration..."
Lots of posts/comments saying to fix it this way by manually adding the location and other tags, but this seems hacky.
Isn't there an option/function inside IIS Manager somewhere that handles these tags?
FYI, IIS Manager is adding the tags below to the config file (on its own) for each app. Hoping somehow it can do similar for the location etc. tags.
<application path="/MyNewAppPath" applicationPool=".NET 4.5">
  <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\MyNewAppPath" />
</application>
Thanks for any help!
Sub-applications' authentication settings are only allowed in applicationHost.config by default. If you go to config manager, you will see this.
If you try to set it in other places like the root web.config or <location path='webapp'>, IIS will report that the application has already been locked and everything is grayed out.
You can set authentication via IIS Manager or the command line and it will add this configuration to applicationHost.config automatically. I think this is just a common operation rather than hacky.
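The "command line" route the answer mentions, as an added example (not the asker's or answerer's code): appcmd with /commit:apphost writes exactly the per-application <location> block from the question into applicationHost.config, which is where IIS Manager puts it too. The site name "Default Web Site" and application path "MyNewAppPath" are taken from the question; the appcmd location is the default IIS install path.

```powershell
# Added example: script the per-application authentication settings instead of
# hand-editing applicationHost.config. Assumes a default IIS install.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$app    = 'Default Web Site/MyNewAppPath'   # site/app from the question; adjust as needed

# /commit:apphost stores the setting in a <location path="Default Web Site/MyNewAppPath">
# element of applicationHost.config rather than in the app's web.config, which is the
# only place these authentication sections may live while they are locked server-wide.
$authBase = 'system.webServer/security/authentication'
& $appcmd set config $app "/section:$authBase/anonymousAuthentication" "/enabled:false" "/commit:apphost"
& $appcmd set config $app "/section:$authBase/basicAuthentication"     "/enabled:true"  "/commit:apphost"
& $appcmd set config $app "/section:$authBase/windowsAuthentication"   "/enabled:true"  "/commit:apphost"

# Same thing through the WebAdministration module, shown for one section; -Location
# selects the <location> element, MACHINE/WEBROOT/APPHOST selects applicationHost.config.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $app `
    -Filter "$authBase/windowsAuthentication" -Name 'enabled' -Value $true

# Read back the effective settings for the application to confirm they applied.
foreach ($section in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    & $appcmd list config $app "/section:$authBase/$section"
}
```

Because basicAuthentication is enabled here, make sure the application is only reachable over an HTTPS binding; Basic sends the password base64-encoded, not encrypted, on every request.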
In our project, a user can upload documents to a directory. The problem is that a user cannot access those files via the URL.
After playing around with permissions in IIS, I was able to download a file by changing the permissions on the file (or folder) to allow "Read" by IIS_IUSRS. My issue is that the folders are also dynamically generated and I do not want to manually have to go through and change the permissions on each.
I'm attempting to get the web.config file to allow reading of these files, but I cannot get the proper configuration.
In the site's web.config file I have:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="path/to/upload/directory">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="false" />
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
However, upon accessing the file again, I get a 500.19 error:
AnonymousAuthenticationModule
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Following this answer, I set AnonymousAuthenticationModule to lockItem="false", anonymousAuthentication to Allow in applicationHost.config, and restarted the server. After all of that, I still get the same 500.19 error.
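Both this question and the first one on this page (the MVC client-certificate one) hit the same error, 500.19 with 0x80070021: the section the site's web.config tries to set is locked at the server level. This added PowerShell example (not code from either question) unlocks just those sections with appcmd, then verifies the override mode and reads the effective value back for the MVC path from the first question. The appcmd path is the IIS default and "Default Web Site" is an assumption.

```powershell
# Added example: unlock the server-level sections behind the 500.19 / 0x80070021 error
# so that a <location> block in the site's web.config is allowed to set them.
# Assumptions: default IIS install path; site named "Default Web Site".
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"

# These sections ship with overrideModeDefault="Deny" in applicationHost.config.
# Unlocking is a server-wide change, so limit it to the sections you need delegated.
$sections = @(
    'system.webServer/security/access',                                 # sslFlags (client certs)
    'system.webServer/security/authentication/anonymousAuthentication', # the upload folder
    'system.webServer/security/authentication/windowsAuthentication'
)
foreach ($s in $sections) {
    & $appcmd unlock config "/section:$s"
}

# Verify: OverrideModeEffective must read "Allow" before the web.config <location> works.
Import-Module WebAdministration
foreach ($s in $sections) {
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $s -Metadata |
        Select-Object @{ n = 'Section'; e = { $s } }, OverrideMode, OverrideModeEffective
}

# Read the effective values at the two paths from the questions. The MVC route path
# does not have to exist on disk; appcmd resolves it as a configuration path.
& $appcmd list config 'Default Web Site/FileSharing/Index' '/section:system.webServer/security/access'
& $appcmd list config 'Default Web Site/path/to/upload/directory' '/section:system.webServer/security/authentication/anonymousAuthentication'
```

Two things to check when the unlock alone does not help: the sslFlags from the first question only take effect on an HTTPS binding, and IIS must be able to build the chain for the presented client certificate (the CAC issuing CAs in the machine's trust stores). If the upload folder still returns 500.19 after unlocking, look for an explicit <location ... overrideMode="Deny"> covering the site in applicationHost.config, which wins over the section default.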
When you say the folders are generated dynamically, do you mean generated through code? If so, you could make sure the parent directory has the required permissions and then set the permissions on its subdirectories to "inherit". For a file, it would be
Imports System.IO
Imports System.Security.AccessControl
Dim perms = File.GetAccessControl(targetFile)
' isProtected:=False re-enables inheritance of access rules from the parent folder
perms.SetAccessRuleProtection(False, False)
File.SetAccessControl(targetFile, perms)
I expect that you can find the equivalent for a directory.
I have a front-end Apache server running on a Windows server.
The system is set up with NTLM or Basic auth (same problem with both).
Downloading MS Word or Excel documents works fine in all browsers.
If I use Internet Explorer and download an Office document, the download requests another URL.
Watching the Apache access logs I saw that there are requests with OPTIONS and PROPFIND inside.
So I modified the config using this:
<Location /latest>
  <Limit OPTIONS PROPFIND>
    deny from all
  </Limit>
</Location>
This worked so far, but with Office 2010 I encountered the problem again.
Searching the web I found this article: http://support.microsoft.com/kb/2019105
Therefore I shouldn't send 403 (deny from all sends 403, I guess?), so I have to send 405.
So may I just do this? Is this correct?
<Location /latest>
  <Limit OPTIONS PROPFIND>
    redirect 405
  </Limit>
</Location>
Finally, after debugging the issue more, I found out that this is the correct configuration.
I should also make clear that I sometimes set up the authentication in the backend web server (IIS 7) and sometimes inside Apache (depends on the customer's situation).
1. As Apache is my frontend proxy and the backend server is IIS 7, when IIS 7 authenticates this worked:
Disable support of the OPTIONS and PROPFIND verbs – If the web application is not intended to be used for WebDAV, the Web Service Extension that provides the WebDAV functionality can be set to Prohibited on a default server that is running IIS. (This might be WebDAV or FrontPage Server Extensions.) If the site provides WebDAV functionality through another extension, the provider of that extension should be involved. For example, to do this with Windows SharePoint Services (WSS), the site should be configured to disable Client Integration, or the OPTIONS and PROPFIND verb should be inhibited. (On IIS 6, remove the verbs from the registration line in the web.config file. On IIS 7.0, use the HTTP Verbs tab of the Request Filtering feature to deny the verbs.) Be aware that this approach will open the content in read-only mode because this approach disables direct-edit functionality.
from: http://support.microsoft.com/kb/2019105/en-us
So I set the content filter for the verbs and then it worked fine for me finally.
2. Then I tested using NTLM auth in Apache.
My original config worked fine when Apache authenticates itself.
So I only ran into the problem when mixing the behaviours :)
EDIT:
For IIS web.config this should work:
<system.webServer>
  <security>
    <requestFiltering>
      <verbs applyToWebDAV="false">
        <add verb="OPTIONS" allowed="false"/>
        <add verb="PROPFIND" allowed="false"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
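Whichever side does the filtering (Apache deny, Apache redirect, or the IIS request filtering above), the useful check is what status code the server now returns for the verbs the Office clients send. This added PowerShell probe (not from the posts above) issues GET, OPTIONS and PROPFIND against one document URL and reports the status; it uses HttpWebRequest because PROPFIND is not an accepted value for Invoke-WebRequest -Method in Windows PowerShell 5.1. The URL is a placeholder for a document on your own test server.

```powershell
# Added example: report the HTTP status returned for each verb after applying a verb filter.
# Assumption: $url points at a protected document on a server you administer.
$url = 'https://server.example.test/latest/report.docx'   # placeholder

function Get-VerbStatus {
    param([string]$Uri, [string]$Verb)
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.Method = $Verb                 # HttpWebRequest accepts arbitrary verbs such as PROPFIND
    $req.UseDefaultCredentials = $true  # NTLM/Kerberos with the caller's identity
    $req.AllowAutoRedirect = $false     # show a redirect as its own status instead of following it
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses surface as WebException; the status is on the attached response.
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode } else { throw }
    }
    return $code
}

foreach ($verb in 'GET', 'OPTIONS', 'PROPFIND') {
    '{0,-8} -> {1}' -f $verb, (Get-VerbStatus -Uri $url -Verb $verb)
}
```

GET should still return 200 (or 401 until credentials are supplied), while OPTIONS and PROPFIND should no longer return 200; the number you see for them tells you whether your configuration produces the 403 from deny from all, the 404 IIS request filtering uses for a denied verb, or the 405 the KB article asks for. For Basic auth instead of NTLM, set $req.Credentials to a NetworkCredential rather than UseDefaultCredentials.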
I have given anonymous access to my service, and I'm able to access it without establishing credentials.
I wanted to make use of sessions in the WCF service; for this I'm trying to set aspNetCompatibilityEnabled to true in system.serviceModel. When I included this line, it redirects me to the login page whenever I request the service.svc file. Any guess as to why aspNetCompatibilityEnabled is overriding the access policy? What should I do to overcome this?
Once aspNetCompatibilityEnabled is true, the ASP.NET pipeline comes into play and its authentication and authorization is done. Check the system.web/authorization section in the web.config. Do you have a deny users? If so, remove it. You may also try to add:
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>