web.config in folder allowing all or no user authentication

I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users are getting access to the page.

Adding my user credentials and denying all anonymous users, I don't get access. Can somebody please point me in the right direction of what I'm doing wrong? Can it be that it is not reading or taking my Windows logon credentials? I'm using Visual Studio 2012, Entity Framework.

This is what I've done:

    <?xml version="1.0"?>
    <!-- Web.config that allows and denies: -->
    <configuration>
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>

      <location path="QualityCheckSurvey.aspx">
        <system.web>
          <authorization>
            <allow users="DomainName\User2" />
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

I have set my authentication mode to windows.

EDIT It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1, the user doesn't get access even when prompted with a login request. The Windows login dialog box just keeps popping up 3 times even if the user has access. Making it deny ? (anonymous) allows everybody to have access; even if I take out the deny and only have the allow tag with USER1, the rest of the users still have access... I'm running locally now, but even on IIS, setting the authentication there (Windows and basic authentication) does exactly the same....

EDIT This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>

      <location path="QualityCheckSurvey.aspx">
        <system.web>
          <authorization>
            <deny users="?" />
            <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

In my main web.config in the root of the application I have set authentication mode to Windows:

    <authentication mode="Windows">
      <!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
    </authentication>

In your question you said you have a folder name, but in the web.config you have given only the file name in the path. Use foldername/filename.aspx like below. Use deny users="*" instead of deny users="?".

<location path="foldername/QualityCheckSurvey.aspx">
    <system.web>
        <authorization>
            <allow users="DomainName\User2"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

EDIT

This looks like you have multiple web.config files in the same application. To avoid confusion, just remove the one in the survey folder and add this code to the root folder web.config.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- <authentication> is a direct child of <system.web>, not of <authorization> -->
    <authentication mode="Windows" />
  </system.web>

  <location path="survey/QualityCheckSurvey.aspx">
    <system.web>
      <authorization>
        <!-- Rules are checked top to bottom: named users first, then everyone else is denied -->
        <allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

I am assuming the survey folder is inside the root folder.
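
The rule order this answer relies on, as an added example (not code from the original posts): ASP.NET URL authorization checks the `<location>` rules first, then the inherited ones, and stops at the first rule that matches. The Python model below is simplified to the `users` attribute only; `rules` and `is_allowed` are names made up for it, and the config is a constructed copy of the question's first file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's first web.config (survey folder).
QUESTION_CONFIG = r"""<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="QualityCheckSurvey.aspx">
    <system.web>
      <authorization>
        <allow users="DomainName\User2" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Same file with the answer's rule pair: allow the named user, then deny everyone.
FIXED_CONFIG = QUESTION_CONFIG.replace('<deny users="?" />', '<deny users="*" />')

def rules(system_web):
    """Return [(action, [users])] from a <system.web> element, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, [u.strip().lower() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def is_allowed(config_xml, page, user):
    """user is 'DOMAIN\\name', or None for an anonymous request."""
    root = ET.fromstring(config_xml)
    chain = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            chain += rules(loc.find("system.web"))   # most specific rules first
    chain += rules(root.find("system.web"))          # then the folder-level rules
    chain.append(("allow", ["*"]))                   # inherited machine-level default
    for action, users in chain:                      # first matching rule wins
        for u in users:
            if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
                return action == "allow"
    return False
```

With the question's rules, an authenticated user who is not listed falls through `deny users="?"` to the folder's `allow users="*"`, which is why everyone who logged in got the page.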


<deny users="?" /> 
<allow users="DomainName\User2" />
<deny users="*" /> 


Fixing this error if windows authentication is added to project after it's been created

That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:

1. In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.

2. In Project Properties and under the Development Server, make the following changes:
   - Anonymous Authentication: Disabled
   - Windows Authentication: Enabled

3. Include the following in the Web.config under <system.web>:

<authorization>
  <allow users="DOMAIN\user"/>
  <deny users="*"/>
</authorization>

4. Still in the Web.config under <appSettings>:

<add key="owin:AutomaticAppStartup" value="false"/>

This is what worked for me. If I'm doing something wrong, please let me know. Hopefully this will help future individuals who are working with windows authentication after creating the project.


Comments
  • Which version of IIS are you using?
  • Is Windows Authentication enabled for the project?
  • @CodeCaster, Yes I have checked that it is enabled....
  • Is your request actually coming from "DomainName\User2"? You may want to debug your project, and make sure Page.User is that ID (or Page.User.Identity.Name).
  • Yes, the domainname\User2 is working... I have edited the applicationhost.config file of IIS, it's giving me a popup to log in with my credentials, but it's still not allowing me to access it. the popup didn't appear until now....
  • Then it's not picking up the path of the aspx page. The error I get adding the folder name is: The requested page cannot be accessed because the related configuration data for the page is invalid. Config Error Location path contains invalid characters Config File \\?\C:\Users\PCName\Documents\Visual Studio 2012\WebSites\NCTonerPublic\NCTonerPublic\Surveys\web.config
  • What is the path you gave? Just display the actual code here.. You should only give a relative path not full path. Are web.config and QualityCheckSurvey.aspx on the same folder?
  • it's still denying access to everyone... just keeps popping up the windows authentication screen... This is the error I get after 3 Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL. Error message 401.2.:Unauthorized:Logon failed due to server configuration.Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.Contact the Web server's administrator for additional assistance
  • On the web server did you disable all authentication and enable windows authentication?
  • On the top you have said "the domainname\User2 is working." and here you have said, "it's still denying access to everyone". Which statement is true? If it is denying access to everyone then the issue might be the server is not joined to domain.
  • It just keeps popping up the Windows authentication, but denies all users, nobody gets access....