ravinsp ravinsp - 3 months ago 24
ASP.NET (C#) Question

IIS 7 how to preserve website subfolder Authentication settings

In IIS you can set folder-level settings using the Features view (see screenshot). I want to disable Anonymous authentication for several subfolders of my website and save those settings to source control. I want to know where does IIS save these settings. They are not in the website web.config or the web.config inside subfolders. Is there anyway I can save the IIS settings with the source code or do I have to perform these tasks with each fresh deployement?

Setting folder authentication

Kev Kev
Answer

Add the following to your root web.config for each folder you want to secure:

<location path="secure_folder">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <basicAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

The above assumes that you're using Basic Authentication.

Alternatively create a web.config in each sub folder to be secured with pretty much the same (except without the <location> tag:

<system.webServer>
    <security>
        <authentication>
            <anonymousAuthentication enabled="false" />
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

If receive an error such as:

There was an error while performing this operation.

Details:

Filename: \?\d:\sites\play1\www\web.config

Line number: 15

Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Then it means that the configuration settings for <anonymousAuthentication> and <basicAuthentication> haven't been delegated Read/Write permissions.

You can adjust this by launching IIS Manager and opening the Feature Delegation manager:

enter image description here

When you do this you'll see a list of features that can be controlled and their delegation state:

enter image description here

Right click on Authentication - Anonymous and select Read/Write. Do the same for Authentication - Basic.

This feature delegation setting will be applied globally across all sites on the server, however it is possible to fine tune this to specific sites using Custom Site Delegation.

You can read more about IIS 7.x/8.0 Feature Delegation here:

http://www.iis.net/learn/manage/managing-your-configuration-settings/an-overview-of-feature-delegation-in-iis