IIS 8.5: Change authentification mode for url sub

2020-07-22 10:35发布

问题:

We have a client intranet web application running as a remote proxy on IIS 8.5 with Windows Authentication enabled. Now, we need to disable Windows Authentication and enable Anonymous Authentication on the URL sub path /api/ to make all data from this path publicly availailbe within the client intranet domain.

Actually, the solution from chensformers (Add authentication to subfolders without creating a web application) sounds quite promising. However didn't get it to run yet as I am missing a section declaration.

How to configure IIS 8.5 to achieve this?

回答1:

After long trying, I found the answer myself. The answer is two-parted:

  1. The answer of @Tim Lewis (Allow anonymous authentication for a single folder in web.config?) led me to the right configuration. In the file applicationHost.config in C:\Windows\System32\inetsrv\config, I changed the following lines from Deny to Allow:

    <section name="access" overrideModeDefault="Allow" />
    <section name="anonymousAuthentication" overrideModeDefault="Allow" />
    <section name="windowsAuthentication" overrideModeDefault="Allow" />
    

    Then inside the web.config from C:\inetpub\wwwroot, I inserted the following lines before the last </configuration> tag:

    <location path="api">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="true" />
          </authentication>
        </security>
      </system.webServer>
    </location>
    

    After restarting IIS Manager and the server, the windows authentication from the main domain should be overwritten for the sub path (/api in my case) and every URL inside the sub path should be publicly available.

  2. However, if this configuration doesn't work at first, it could be that your editor of choice (in my case Notepad++) does not open the correct content of appplictionHost.config (for whatever reason) and all changes in it don't take effect at all (also see @MeanGreen Applicationhost.config not showing changes).

    I solved it by installing and using Notepad2 x64 (http://www.flos-freeware.ch/notepad2.html). After this, the above changes took effect and worked immediately.

PS: see also http://forums.iis.net/t/1233382.aspx?IIS+8+5+Change+authentification+mode+for+url+sub+path for a longer discussion of this topic.



回答2:

First of all you need to convert api folder into application i.e. right click the folder => convert to application. Once it is converted to application in the central pane double click Authentication => Select Anonymous Authentication and enable it. Disable all other authentication modes.

P.S. - You can try without converting into an app. I haven't tested so not sure if it works just as a folder.



回答3:

For future googlers.

This Question/Answer helped me a ton! I too am working with a virtual path except it is from a python flask application. Except I have an admin site that I wanted behind windowsauthentication the rest of the site is anonymousAuthentication .

For me this worked:

  1. Allow delegation of both windows and anonymous authentication modules following this answer: https://stackoverflow.com/a/12343141/7838574

  2. Updating the web.config

<configuration>
    <!-- ...the beginning of the web.config file as is... -->
    </appSettings>
    <location path="admin">  <!-- relative to where the web.config file is located -->
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
      <system.webServer>
        <security>
          <authentication>
            <windowsAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
          </authentication>
        </security>
      </system.webServer>
    </location>
</configuration>

I did not have to restart IIS Manager or the server.