19 January 2011

URL Authorization role service required for IIS7 system.webServer/security/authorization

Why isn’t IIS7 authorization working in my asp.net website?  I was trying to secure a folder in my asp.net application using the IIS7 system.webServer/security/authorization configuration settings.  In the past you could do this through the ASP.NET configuration by adding an authorization section to the system.web section in your web.config.   But now with IIS7, you can use the new system.webServer/security/authorization section to specify authorization rules.  The benefit of system.webServer authorization over system.web authorization is that the former applies for all requests to that particular location, the latter only protects asp.net requests (requests that come through the asp.net pipeline).
So, since I am developing this application on IIS7, I wanted to use the new IIS7 system.webServer authorization section to protect a particular folder.  To do this, I added the following section to my web.config file:
<location path="admin">
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="administrators" />
      </authorization>
    </security>
  </system.webServer>
</location>
and tested the url http://localhost/admin and… it didn’t work.  What should have happened is I should have been redirected to the forms authentication login page, but instead I was served the content under the /admin folder.  Not what I wanted; the /admin folder should now require an authenticated user and the forms authentication identity to be part of the administrators role.
What is going on?!?!?  Everything looked correct.  I confirmed that IIS authentication was set correctly: anonymous and forms authentication only.  I confirmed that the system.web/authorization section was working.  I tried in multiple browsers to make sure it wasn’t a cookie or a caching issue.  Still I was left scratching my head… why were settings in the IIS7 system.webServer/security/authorization not getting picked up?
Finally, with the help of Scott Forsyth, I checked the Server Manager IIS Roles that were enabled.  Server Manager > Roles > Web Server (IIS) > Add Role Services
image
image
Notice that the URL Authorization role service is not installed. 
image

That was it.  IIS7 did not have the role service installed so it was not understanding that section of the web.config file.
After installing the IIS URL Authorization role service, a request to http://localhost/admin redirected to the forms authentication login page and required a user that was in the administrators role.

No comments:

Post a Comment