I am trying to protect an application in IIS7 using .NET authorization rules.
By default, the web server allows all users access (which is inherited).
I added, for this single application directory only, the deny all users command, as well as the allow command for specific users.
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.web> <authorization> <allow users="myusername" /> <deny users="*" /> </authorization> </system.web> </configuration>
I have Windows authentication turned on and I can verify that without the string my REMOTE_USER is MYDOMAIN \ myusername.
However, when I try to refuse all users, I am offered a typical username / password window for a Windows domain. If I enter the user password, the invitation is returned again 3 times until finally it gives me an error message. (I also tried to no avail)
If you look in the event viewer, it seems to me that my login using the username and pw passed the audit successfully ... and, in the future, my account is not blocked (what would happen if I were not able to login again and again). So itβs as if Iβm logging in, but the configuration does not display what I entered as a match for my registration.
Below is the message that I see (even when connecting from the server using localhost):
** Access is denied.
Description. An error occurred while accessing the resources needed to service this request. The server may not be configured to access the requested URL.
Error message 401.2 .: Unauthorized. Login failed due to server configuration. Make sure that you have permission to view this directory or page based on the credentials you provided and the authentication methods included on the web server. Contact your web server administrator for further assistance. **
enforge
source share