Forms Auth in subdirs but Windows Auth in Main Site

From: Chris Mohan (chrismo1___--_at_yahoo.com)
Date: 04/29/04


Date: Wed, 28 Apr 2004 23:46:03 -0700

Hi, I've configured a web app to use Windows authentication. Two of the
app's subdirectories are configured as applications in IIS and the
mainsite's web.config defines those subdirs to use forms authentication.
It appears to work fine but I have never seen a sample that
demonstrates both in the same web.config (all the samples show a
snippet outside the context of the entire web.config). I don't like
assuming I've done this correctly and securely.

Please take a look at the following from my web.config and let me
know what you think. The approach is pretty basic: I just use a
location element for each sub-dir and then set the auth mode inside
of it.

The Directory Structure looks like this:

|---\MainSite(Configured as An App in IIS)
| +---Secure1(Configured as An App in IIS)
| +---Secure2(Configured as An App in IIS)
| +---MainSiteChild1
| +---MainSiteChild2
|web.Config(in mainSite's Root)

A stripped down version of the web.config settings:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="SecureArea2">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

What I think this mix of settings achieves is the same thing as if
the Secure1 & Secure2 subdirectories had their own web.config files.

Here's a good article about this exact topic but it uses
the "maverick" web.configs in sub dirs approach:
http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication
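
Added example (not part of the original post): a small Python audit for the layout described above. It reports each location element's authentication mode, whether its authorization rules reject anonymous users (rules are evaluated in order and the first match wins), and whether the path matches a real directory; the post's tree lists Secure1 and Secure2 while its location paths read SecureArea1 and SecureArea2. The function names and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the post's stripped-down web.config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""

# Subdirectory names as listed in the post's directory tree.
SAMPLE_DIRS = {"Secure1", "Secure2", "MainSiteChild1", "MainSiteChild2"}


def blocks_anonymous(rules):
    """Authorization rules are evaluated top-down and the first match wins."""
    if rules is None:
        return False
    for rule in rules:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"?", "*"}:  # this rule matches an anonymous request
            return rule.tag == "deny"
    return False


def audit_locations(config_xml, existing_dirs):
    """Return one finding per <location> element of a web.config string."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    for loc in root.findall("location"):
        path = loc.get("path", "")
        auth = loc.find("system.web/authentication")
        findings.append({
            "path": path,
            "auth_mode": auth.get("mode") if auth is not None else None,
            "denies_anonymous": blocks_anonymous(loc.find("system.web/authorization")),
            # A path that names no real directory applies its rules to nothing.
            "path_exists": path.split("/")[0] in existing_dirs,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_locations(SAMPLE_CONFIG, SAMPLE_DIRS):
        print(finding)
```

A finding with path_exists False or denies_anonymous False marks a location block that does not protect what it appears to protect.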
