IIS7授权规则/配置-永久提示
我正在尝试使用 .NET 授权规则保护 IIS7 中的应用程序。
默认情况下,Web 服务器允许所有用户访问(这是继承的)。
我仅针对这一应用程序目录添加了拒绝所有用户命令以及针对特定用户的允许命令。
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="myusername" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
我启用了 Windows 身份验证,无需使用该行即可验证我的 REMOTE_USER 是 MYDOMAIN\myusername。
但是,当我尝试拒绝所有用户时,系统会提示我输入典型的 Windows 域用户名/密码框。如果我输入用户名密码,提示会再次出现 3 次,直到最后显示失败消息。 (我也尝试过,但无济于事)
在事件查看器中,看起来好像我使用用户名和密码登录在审核中成功了......更进一步说,我的帐户没有被锁定(它如果我一遍又一遍地登录失败的话)。因此,就好像我正在登录,但配置没有看到我输入的内容与我的登录信息相匹配。
下面是我看到的消息(即使使用本地主机从服务器连接):
**访问被拒绝。
描述:访问服务此请求所需的资源时发生错误。服务器可能未配置为访问所请求的 URL。
错误消息 401.2.:未经授权:由于服务器配置导致登录失败。根据您提供的凭据和 Web 服务器上启用的身份验证方法,验证您是否有权查看此目录或页面。请联系 Web 服务器的管理员以获得更多帮助。**
I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="myusername" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAIN\myusername.
However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)
Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.
Below is the message I see (even when connecting from the server using localhost):
**Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
首先,主要问题是 IIS6 授权也包含在 IIS7 中,并且至少在我的情况下是默认的。首先,确保您已安装 IIS7 授权。完整说明可在此处找到:
http://www.iis.net/ConfigReference/ system.webServer/security/authorization
出现这种混乱是因为在 IIS7 中,应用程序菜单中有一个名为“.NET 授权规则”的项目(在 ASP.NET 部分下)。这不是您想要的 IIS7 授权。为此,您必须确保已安装它(请参阅上面的链接),然后单击应用程序 IIS 部分下名为“授权规则”的链接。
如果您将以下配置放在适当的位置,则另一个值得一提的注意事项
:会导致所有人都被否定。看来,如果您拒绝不存在的用户名或角色,那么所有人都会被拒绝。如果被拒绝的用户被识别,那么它就可以正常工作。
此外,指定拒绝 * 并允许某些用户将不起作用,它将拒绝所有用户。您只需删除 * 用户(如上面的示例所示),然后仅允许您的目标受众。默认情况下,其他人都被拒绝。
First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules"
Another note worth mentioning, if you put the following config in place:
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
在 Windows Server 2012 上的 IIS 8 中配置基本身份验证
01-身份验证-添加功能
02-身份验证-服务器角色
03-身份验证-服务器管理
04-身份验证-设置用户密码
05-身份验证- IIS 设置中的身份验证
Configure Basic Authentication in IIS 8 on Windows Server 2012
01-Authentication-Add Features
02-Authentication-Server Roles
03-Authentication-Server Management
04-Authentication-Set Password for user
05-Authentication-Authentication in IIS setup
您可以按如下方式更改您的代码吗
Could you change your code as below
我花了 4 个小时尝试设置它(使用域角色):)。最终的解决方案是在角色中也使用域名:
I spent 4 hours trying to set this up (to use domain role) :). Final solution was to use domain name in the role too: