我们有一个在集成管道下运行的 IIS7 Intranet 站点,该管道主要是 ASP.Net,带有一些遗留的经典 ASP 页面。该站点允许匿名访问大多数区域,但使用 Windows 身份验证来保护某些文件夹。对受保护文件夹中的 ASP.Net 页面的请求按预期运行(授权用户可以看到它们,其他用户则被拒绝),但任何用户都可以看到受保护文件夹中的任何经典 ASP 页面,无论权限如何。
我怀疑 Windows 身份验证模块没有被调用来请求经典 ASP 页面。我们正在集成管道模式下运行,我找到了这篇文章(http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/) 这表明您需要如果您想利用非 ASP.Net 请求的集成管道,可以显式删除并重新添加模块。我尝试复制本文的示例,仅将 FormsAuthenticationModule 替换为 WindowsAuthenticationModule,方法是将以下内容添加到应用程序根目录的 web.config 中:
<system.webServer>
<modules>
<remove name="WindowsAuthentication" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
但是,无论权限如何,仍会提供经典 ASP 页面。
We have an IIS7 intranet site running under integrated pipeline that is mostly ASP.Net with a few legacy classic ASP pages. The site allows anonymous access to most areas, but uses Windows Authentication to protect certain folders. Requests to ASP.Net pages in the protected folders behave as expected (authorized users can see them, others are denied), but any user can see any classic ASP page in the protected folders, regardless of permissions.
I suspect the windows authentication module is not being invoked for requests to classic ASP pages. We're running in integrated pipeline mode, and I found this article (http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/) which indicates that you need to explicitly remove and re-add modules if you want to take advantage of the integrated pipeline for non-ASP.Net requests. I tried to copy the article's example only replacing FormsAuthenticationModule with WindowsAuthenticationModule by adding the following to the web.config at the application root:
<system.webServer>
<modules>
<remove name="WindowsAuthentication" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
However, classic ASP pages are still being served regardless of permission.
发布评论
评论(1)
经典 ASP 页面实际上完全忽略
web.config或任何.config。对于经典 ASP 处理此问题的唯一方法是通过 IIS,您必须将经典 ASP 页面移动到单独的虚拟网站下,然后为该虚拟网站设置 Windows 身份验证并禁用匿名访问。
这也可能对您有帮助:
IIS7:像 IIS6 一样设置集成 Windows 身份验证
Classic ASP pages totally ignore
web.configor any.configactually.The only way to handle this for classic ASP is through IIS, you will have to move the classic ASP pages to be under separate virtual website then for that virtual website set Windows Authentication and disable Anonymous Access.
This might help you as well:
IIS7: Setup Integrated Windows Authentication like in IIS6