In IIS you can set folder-level settings using the Features view (see screenshot). I want to disable Anonymous authentication for several subfolders of my website and save those settings to source control. I want to know where does IIS save these settings. They are not in the website web.config or the web.config inside subfolders. Is there anyway I can save the IIS settings with the source code or do I have to perform these tasks with each fresh deployement?
Add the following to your root
web.config for each folder you want to secure:
<location path="secure_folder"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="false" /> <basicAuthentication enabled="true" /> </authentication> </security> </system.webServer> </location>
The above assumes that you're using Basic Authentication.
Alternatively create a
web.config in each sub folder to be secured with pretty much the same (except without the
<system.webServer> <security> <authentication> <anonymousAuthentication enabled="false" /> <basicAuthentication enabled="true" /> </authentication> </security> </system.webServer>
If receive an error such as:
There was an error while performing this operation.
Line number: 15
Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Then it means that the configuration settings for
<basicAuthentication> haven't been delegated Read/Write permissions.
You can adjust this by launching IIS Manager and opening the Feature Delegation manager:
When you do this you'll see a list of features that can be controlled and their delegation state:
Right click on
Authentication - Anonymous and select
Read/Write. Do the same for
Authentication - Basic.
This feature delegation setting will be applied globally across all sites on the server, however it is possible to fine tune this to specific sites using Custom Site Delegation.
You can read more about IIS 7.x/8.0 Feature Delegation here: