yoshi0423

Reputation: 245

Allow anonymous access to a directory in an IIS site that uses Windows Authentication

I have an IIS8 site which runs ASP.NET 4.0 using Windows Authentication.

In my IIS Authentication Settings, all are disabled except Windows Authentication. Users are able to authenticate properly and use the site as intended.

However, I now have an Uploads folder which contains images which I want to expose to non-authenticated users from other applications.

In my web.config files I have the following lines that relate to Authentication/Authorization:

  <system.web>
    <authentication mode="Windows"/>
  </system.web>
  <location path="Uploads">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

How do I allow anonymous access to the Uploads folder, while keeping Windows Authentication for everything else? Currently they have to log in to the other application, and then when accessing images from the site in question, they have to authenticate in order to gain access to them.

Also, the location path is relative to the web.config file, correct?

Edit: Not sure if this matters, but our site is both internally and externally available. If accessed from computers on our domain, it logs in automatically; if it's a computer that is not on the domain, they are redirected to a login page.

Upvotes: 3

Views: 5153

Answers (2)

yoshi0423

Reputation: 245

I found the answer on another question: Allow anonymous authentication for a single folder in web.config?

  1. First, I had to go into C:\Windows\System32\inetsrv\config\applicationHost.config
  2. Search for this line , and change to "Allow" instead of "Deny"
  3. Then put the code below into the web.config file

Code:

<location path="Path/To/Public/Folder">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

Upvotes: 2

Carlos Aguilar Mares

Reputation: 13581

What you need to do is remove the "Deny" rule for anonymous; since it gets inherited, it will still block users. Something like:

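<system.webServer>
    <security>
        <authorization>
            <remove users="?" roles="" verbs="" />
            <!-- Rules in system.webServer use <add accessType="..."/>; <allow> is the system.web form -->
            <add accessType="Allow" users="*" />
        </authorization>
    </security>
</system.webServer>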

Indeed the location path is relative to the folder where the web.config is located.

I also just noticed that you are using system.web instead of system.webServer, which is the one you should be using.

Upvotes: 0
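
An added example, not part of either answer: a Python check that lists, per scope of a web.config, whether anonymous authentication is enabled and which authorization sections admit all (`*`) or anonymous (`?`) users, so the folders opened up on a Windows Authentication site can be reviewed. The sample config is constructed, the `Reports` folder and the function names are hypothetical, and rules inherited from parent configuration files are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's settings plus a <location> override like
# the first answer's; "Reports" is a hypothetical second folder.
SAMPLE = """<configuration>
  <system.web><authentication mode="Windows"/></system.web>
  <location path="Uploads">
    <system.web><authorization><allow users="*"/></authorization></system.web>
    <system.webServer><security>
      <authentication><anonymousAuthentication enabled="true"/></authentication>
    </security></system.webServer>
  </location>
  <location path="Reports">
    <system.webServer><security>
      <authentication><anonymousAuthentication enabled="false"/></authentication>
      <authorization><add accessType="Allow" users="*"/></authorization>
    </security></system.webServer>
  </location>
</configuration>"""

ANON_AUTH = "system.webServer/security/authentication/anonymousAuthentication"
# (section path, rule element, attributes that make the rule an allow rule)
AUTHZ = [("system.web/authorization", "allow", {}),
         ("system.webServer/security/authorization", "add", {"accessType": "Allow"})]

def audit(config_xml):
    """Map each scope to (anonymous auth enabled?, sections allowing * or ?)."""
    root = ET.fromstring(config_xml)
    scopes = [("(root)", root)] + [(l.get("path", ""), l) for l in root.findall("location")]
    report = {}
    for path, scope in scopes:
        anon = scope.find(ANON_AUTH)
        enabled = anon is not None and anon.get("enabled", "").lower() == "true"
        rules = []
        for section, tag, required in AUTHZ:
            for rule in scope.findall(f"{section}/{tag}"):
                users = {u.strip() for u in rule.get("users", "").split(",")}
                if users & {"*", "?"} and all(rule.get(k) == v for k, v in required.items()):
                    rules.append(section)
        report[path] = (enabled, rules)
    return report

def anonymous_paths(config_xml):
    """Scopes that explicitly enable anonymous authentication (review each one)."""
    return sorted(p for p, (on, _) in audit(config_xml).items() if on)

if __name__ == "__main__":
    for path, (on, rules) in audit(SAMPLE).items():
        print(f"{path}: anonymousAuthentication={on}, open rules={rules}")
```
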
