In IIS7, how can I require Authentication on specific directories? - authentication

I have a website on Win 2008 and IIS7. Some directories have admin specific pages and I don't want regular site users to be able to access them.
What I would like is, if the user tries to load a page from a specific directory, for the site to popup a windows authentication window if the user has not not already authenticated.
Can this be done? Preferably just by setting web.config keys?

Yes, use <location></location> tags to override the current IIS settings at that level and set new ones.
Reference: http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx

Related

Best way to password-protect folders on IIS

What is the best way to password-protect a folder on IIS with a single set of credentials to be shared by a group of users?
Our hosting service offers Plesk, which in turn offers a "password-protected directory" function, but some of our clients have HTTP authorization disabled, so they get an automatic 401.4 error with no prompt for credentials.
I've looked into Forms authentication but this seems cumbersome to set up for the numerous separate domains at issue.
The protected content is not super sensitive, we just don't want it easily accessible to the public. Many of our users do not use the site frequently and we don't want to implement individual credentialing for everyone (we do have that in place for more sensitive sections) just so they can view current project reports or meeting minutes.
On sites I don't control, but am just a user, that do the same things as mine, it is a big pain to have to look up a username and password twice per year just to view a meeting agenda (yes, browser could remember but they also have a 4-month expiration and lots of us are on different devices all the time).
Is Forms authentication the way to go? Took a several hours for me to get it set up and working, with all sorts of settings not well documented in a single place.
(I had previously asked about how to disable Basic Auth on the client side, was told more than once it's not possible - but it is, via client/browser registry keys)
Thanks.
It's perfectly fine to use forms authentication. All you need to do is navigate to the folder or file you want to protect, then go to Authorization Rules. Add a deny rule for anonymous users, when users who are not logged in try to click on any file in that folder, they will be redirected to your login page. You can find a lot of guides on forms authentication in Google, you can refer to the following:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
https://learn.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline

Anonymous access to web site default doc

We have a web site in IIS 7, that has a default document (index.asp) set. The entire site uses basic authentication except the index.asp page. This is working correctly if I enter the domain with the actual page name (www.mysite.com/index.asp). However, without the page name (www.mysite.com) I am prompted for credentials, even though it is the same page.
I've tried various web config changes and tried it with anonymous user set to the app pool and the IUSR account and it doesn't work either way. I'm thinking maybe I need to enable and then configure URL rewriting for this site but I'm not positive.
If you need any other info let me know.
thanks!

Subdomain cookie maintenance for Forms authentication website

I have a Server on Azure where an MVC4 web application is hosted. On the server I have added bindings for:
company1.mysite.com
company2.mysite.com
Within mysite an Admin user has the option to define custom styles for each of the subdomains. So to check the changes have been applied successfully. If the admin changes the URL from company1.mysite.com to company2.mysite.com they are redirected back to a login page. When I then attempt to log in with the same details it seems that there is some conflict in the cookies and I am unable to find the user details.
Is there anyway that I could preserve the login details for one subdomain and allow the user to simply change the URL to see if the changes had been supplied effectively. If not is there any way I can prevent this conflict on signing on to the other subdomain?
I think cookie domain must be specified in a proper way. Please, see this link

error "List does not exist"

I had error when access SharePoint sites out of the server , as when I
try to add new document or did any action this error displayed although
it worked well in SharePoint server
I think Yevgeniy made a good suggestion.
I assume you mean by 'outside' the server, users are trying to view the page on a different URL? If so, it might be the URLs to access the site 'outside SharePoint' are not configured correctly.
I would suggest a few things to start with:
When you say it works 'in SharePoint server' does this mean that the whole site is accessible, with no problems? But using a different URL (i.e. host header?), fails - for just this one page with the list or the whole site?
Check you have Alternate Access Mappings configured correctly as suggested above - check that the URL is setup correctly in any AAM zones defined, and that the authentication (e.g. Anonymous, Forms whatever required) is also setup too. This is all done in Central Administration.
If AAM setup correctly, check if you have any firewall or other network security that may block access to the site (again, assuming users are routed externally?)
Does the problem page or list (or the subsite it is within) have any unique security permissions?
You can check for the site via Site Actions | Site Permissions - if it does not have unique permissions, you will see a 'This Web site inherits permissions from its parent.' message.
If the List has unique permissions, you can check by going to the list page, and clicking 'Library Permissions' on the Library grouping on the Library Tools section of the ribbon.

How to decouple trac from, or align trac with, apache authorization

I've had a trac server running for about a year now - chugging along just as expected. Today, I implemented basic authorization on the apache server that trac runs under.
Trac now picks up the user as authenticated by Apache, and doesn't allow either logout or a login.
I tried to create an apache user with the same name and password as a trac user, but the behavior remained - I can't access trac.
How do I align trac with Apache authorization?
One of the drawbacks of HttpAuth is the inability to log out (short of closing your browser, or clearing browser auth). You probably want to grab AccountManagerPlugin from trac-hacks.org and set it up with the form-based login. That gives you the ability to log out.
You will need to point trac to the htpasswd file for Apache users and then set permissions to access the login page through Apache. You can find more information here.