IIS Windows Authentication - Unable to Deny Specific Users

Question

Recently I have developed a very simple .net core API and then deployed the same on IIS and want to enable Windows Authentication for some users. To be able to implement it, my web.config looks like

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
     <authentication mode="Windows" />
    <authorization>
      <allow users="Tow\USER1"/>
      <deny users="*"/>
    </authorization>
    </system.web>
    <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\Oculus.WebApi.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
    </system.webServer>

  </location>

</configuration>

As it can be seen only User1 should be allowed access but everyone is able to access. My IIS authentication looks like this:

Can some one help please?

Answer 1

From this thread, ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this.

A wrokaround is that you could try to place inside system.webServer, which is directly for configuration of IIS.

<configuration>
  <system.webServer>
    <security>
      <authorization>
          <remove users = "*" roles="" verbs="" />
          <add accessType = "Allow" users="Tow\USER1"/>
      </authorization>
    </security>
  </system.webServer>
</configuration>

But the recommend way is that you'd better write you own custom authorization policy in asp.net core

https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2