I am trying to install an ASP.Net app on an IIS6 webserver. The site requires the user to authenticate with windows, and this works on several other apps on the same server.
In IIS I have enabled anonymous access and windows authentication.
In web.config, authentication is set to:
<authentication mode="Windows"/>
and authorization...:
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
Ie. allow all users in role "Users" and deny everybody else. This is the approach that is working with several other apps on the same server.
If I run the site, I am prompted for username and password.
If I remove the line:
<deny users="*"/>
I can access the site and everything works - but the user credentials are not passed to the site (Page.User.Identity.Name returns a blank string in ASP.Net).
The site has identical (inherited) file permissions as other working sites on the server.
The only difference in authentication/authorization between this site and the other working sites is, that this runs Asp.Net 4 (but there are other working asp.net 4 sites on the server as well).
What am I missing here?
Where should I look?
If the site requires the user to authenticate, then you should remove the anonymous access and allowing only windows integrated. Page.User.Identity.Name returns a blank because anonymous authentication is used over windows integrated.
If this is a domain then allow roles should be in the form domain\security group. "?" in deny users usually is enough to block anonymous access.
<identity impersonate="true" />
might be useful if your code needs to access a resource which needs to authenticate as the user that's using your application.Try to use "?" instead of "*" in the "deny users" rule.
Or try the following.
<deny users="*,?"/>