In earlier versions of IIS, authorization was difficult to set up because IIS worked only with Windows identities. You had to set up Access Control Lists (ACLs) on directories and files in the file system.
This was a tedious task because of the complexity of the ACL UI, and the authorization rules do not copy cleanly from one machine to another. IIS 7.0 and later versions use URL Authorization. Instead of putting authorization rules on the underlying file system resource, it lets you put the rules on the URL itself.
The IIS URL Authorization configuration is stored in web.config files, so the authorization rules travel together with the content of the application.
Below is how to configure IIS URL Authorization on Windows Server 2008 Beta 3 and Windows Vista Service Pack 1.
To carry out the setup, make sure the following IIS features are installed on top of the defaults:
"URL Authorization" under "Internet Information Services" - "World Wide Web Services" - "Security"
"ASP.NET" under "Internet Information Services" - "World Wide Web Services" - "Application Development Features"
Let us set up a scenario in which you have a secure directory that only Alice, Bob and members of the Admin group can access. In the directory is a file called bobsSecret.aspx that only Bob may access.
We need three different users to set this scenario up: Alice, Bob, and Fred. We also need a new group called BobAndFriends, with Alice and Bob as its members. Use the Windows User Manager to create the three accounts and the group. Alternatively, the commands below do the same thing.
net user Alice <password_of_your_choice> /add
net user Bob <password_of_your_choice> /add
net user Fred <password_of_your_choice> /add
net localgroup BobAndFriends /add
net localgroup BobAndFriends Alice /add
net localgroup BobAndFriends Bob /add
The steps below guide you through creating the content.
Step 1: Navigate To The Directory
Open Explorer and navigate to the directory “%systemdrive%\inetpub\wwwroot”.
Step 2: Create Directory
After that, create a new directory named “secure”.
Step 3: Create File
Then go into the directory you just created and make a file called “default.aspx”. This can be done with Notepad or another text editor.
Step 4: Paste Code
When that is done, paste the code below into the default.aspx file.
<%@ Language="C#" %>
<%
    // LOGON_USER is empty when the request was not authenticated.
    string currentUser = Request.ServerVariables["LOGON_USER"];
    if (currentUser == "")
        currentUser = "anonymous";
    // Encode the name before writing it into the HTML response.
    Response.Write("<b>Current User:</b> " + Server.HtmlEncode(currentUser));
%>
Step 5: Create 2nd File
Then create another file named bobsSecret.aspx and paste the code below into it.
<%@ Language="C#" %>
<%
    // LOGON_USER is empty when the request was not authenticated.
    string currentUser = Request.ServerVariables["LOGON_USER"];
    if (currentUser == "")
        currentUser = "anonymous";
    // Encode the name before writing it into the HTML response.
    Response.Write("<b>Current User:</b> " + Server.HtmlEncode(currentUser));
    Response.Write(" <b>My secret:</b> I used Apache before I discovered IIS7. ");
%>
To see whether the pages are working, request both of them through these links: “http://localhost/secure/” and “http://localhost/secure/bobsSecret.aspx”.
How To Configure Authentication
Authentication answers the question of "who" wishes to gain access, and authorization answers the question of "if" the authenticated "who" is allowed that access. Hence, before you can experiment with URL Authorization, you must make sure that authentication is enabled, because the “if” part of the question cannot be answered when the person who wishes to gain access isn’t known.
To configure authentication, follow the steps below.
Step 1: Launch The INETMGR
You can launch INETMGR by typing “INETMGR” into the "Start Search" menu.
Step 2: Select Directory
You will see a machine node in the tree view on the left. Select the node tagged "Default Web Site" and, when it opens, choose the directory you named “secure”.
Step 3: Navigate to The Authentication Tab
Double-click "Authentication".
Step 4: Disable And Enable Authentication
Disable "Anonymous Authentication" and then enable "Basic Authentication". As soon as you are done with this, request “http://localhost/secure” and “http://localhost/secure/bobsSecret.aspx” once more. A login prompt appears; enter “Alice” as the username together with her password, which authenticates you as Alice. Basic Authentication sends the username and password only Base64-encoded, so outside a local test like this one it should be used over HTTPS.
Note that if you use Internet Explorer, you can press Ctrl+F5 to make it refresh the cached version of the ASP.NET page.
How To Configure URL Authorization
Next, secure both pages so that only Alice and Bob can access them, using the steps below:
Step 1: Select Rule Type
Double-click the “secure” web directory again and choose "Authorization Rules".
Step 2: Remove Rule
Then remove the rule tagged "Allow All Users".
Step 3: Incorporate Allow Permission
Once it is removed, select the "Add Allow Rule…" action and choose the radio button tagged "Specified roles or user groups". Then enter “BobAndFriends” and select the “OK” button.
Step 5: Close Windows
After that, close every Internet Explorer window, because Internet Explorer caches the credentials you entered in the previous step.
Step 6: Try To Access Page
Open Internet Explorer and try to access the page with Fred's credentials; you will be denied access. If you use the credentials for Alice or Bob instead, you gain access immediately.
How To Configure URL Authorization For A Single Web Page
At this point there is still a problem: bobsSecret.aspx can be accessed by Alice. To fix this, follow the steps below:
Step 1: Open Content View
Double-click the “secure” web directory again and choose "Content View", located at the bottom of the page.
Step 2: Select File
This opens a list of the files inside the secure folder, where you will see the "bobsSecret.aspx" and "default.aspx" files.
Step 3: View Feature
Then right-click the bobsSecret.aspx file and choose the "Feature View" option.
The status bar shows that the changes you are making apply only to the bobsSecret.aspx page.
Step 4: Open The Authorization Rules
After that, open "Authorization Rules" once more and you will see the inherited settings, i.e. bobsSecret.aspx can be accessed by the BobAndFriends group.
Step 5: Remove Rule
Remove the rule for “BobAndFriends”.
Step 6: Add Rule
Then choose the "Add Allow Rule…" option.
Step 7: Specify The Users
Choose the "Specified users:" radio button, enter the name “Bob” and click the “OK” button.
Step 8: Shut down Internet Explorer Windows
Then close every Internet Explorer window and request “http://localhost/secure/bobsSecret.aspx”.
Step 9: Gaining Access
With this configuration, you gain access only when Bob's credentials are entered.
Configuring Advanced URL Authorization
You don’t need the User Interface to specify URL Authorization settings. The URL Authorization rules can be specified directly in your web.config file. The configuration below is the equivalent of the rules set up in the steps above.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="BobAndFriends" />
            </authorization>
        </security>
    </system.webServer>
    <location path="bobsSecret.aspx">
        <system.webServer>
            <security>
                <authorization>
                    <remove users="" roles="BobAndFriends" verbs="" />
                    <add accessType="Allow" users="Bob" />
                </authorization>
            </security>
        </system.webServer>
    </location>
</configuration>
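To check what this web.config actually grants, the following added example (not part of the original article and not an IIS tool) replays its remove/add rules and evaluates them for Alice, Bob and Fred, with Deny rules checked before Allow rules and access denied when no rule matches. It is a simplified model: it assumes the only inherited rule is the default "Allow All Users" rule, ignores verbs, and uses a constructed group table in place of real Windows group lookups.

```python
import xml.etree.ElementTree as ET

# The web.config shown above for the "secure" directory, embedded to run offline.
WEB_CONFIG = """<configuration>
  <system.webServer><security><authorization>
    <remove users="*" roles="" verbs="" />
    <add accessType="Allow" roles="BobAndFriends" />
  </authorization></security></system.webServer>
  <location path="bobsSecret.aspx">
    <system.webServer><security><authorization>
      <remove users="" roles="BobAndFriends" verbs="" />
      <add accessType="Allow" users="Bob" />
    </authorization></security></system.webServer>
  </location>
</configuration>"""
# Assumption: the only inherited rule is the default "Allow All Users" rule.
INHERITED = [("Allow", "*", "", "")]
# Constructed group membership, matching the accounts created on this page.
GROUPS = {"Alice": {"BobAndFriends"}, "Bob": {"BobAndFriends"}, "Fred": set()}

def names(csv):
    return {n.strip().lower() for n in csv.split(",") if n.strip()}

def apply_section(rules, parent):  # apply <remove>/<add> of one section
    auth = parent.find("system.webServer/security/authorization")
    for el in (auth if auth is not None else []):
        key = tuple(el.get(a, "") for a in ("users", "roles", "verbs"))
        if el.tag == "remove":  # a rule is identified by users/roles/verbs
            rules = [r for r in rules if r[1:] != key]
        elif el.tag == "add":
            rules = rules + [(el.get("accessType"),) + key]
    return rules

def effective_rules(file_name):
    root = ET.fromstring(WEB_CONFIG)
    rules = apply_section(INHERITED, root)  # directory-level rules
    for loc in root.findall("location"):  # per-file overrides
        if loc.get("path", "").lower() == file_name.lower():
            rules = apply_section(rules, loc)
    return rules

def is_allowed(user, file_name):
    groups = {g.lower() for g in GROUPS.get(user, set())}
    def hit(rule):  # rule names this user, all users ("*") or one of their groups
        return bool(names(rule[1]) & {"*", user.lower()} or names(rule[2]) & groups)
    rules = effective_rules(file_name)
    if any(r[0] == "Deny" and hit(r) for r in rules):
        return False  # Deny rules are evaluated before Allow rules
    return any(r[0] == "Allow" and hit(r) for r in rules)  # no match: denied
```

Leaving out the first remove element keeps the inherited "Allow All Users" rule in effect, and the same evaluation then lets Fred in, which is a quick way to see why that removal matters.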
That is all the information you need to configure authentication and URL Authorization in IIS 7.0. You shouldn’t encounter any problems if you follow these steps carefully.