如何允许匿名访问IIS 7.5上的网站? [英] How to allow anonymous access to web-site on IIS 7.5?
问题描述
tl; dr :为什么
<allow users="?">
可以在IIS Express上工作,但不能在IIS上工作?
work on IIS Express, but not on IIS?
我有一个新的asp.net网络表单项目.在Windows 7 IIS Express上本地运行时,我可以通过向Web添加拒绝 * 规则来阻止所有用户" 访问该站点.配置:
I have a new asp.net web-forms project. When running locally on Windows 7 IIS Express, i can block "all users" from accessing the site by adding a deny * rule to web.config:
web.config
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
这使我被拒绝访问:
所以这很有意义.
在web.config中,我可以使用?标记而不是 all (<代码> * )标记:
I the web.config, i can block access to anonymous users, by using the ? marker, rather than the all (*) marker:
<authorization>
<deny users="?" />
</authorization>
由于我未通过身份验证,因此我将再次被 401 未经授权:
And because i am not authenticated, i will again be 401 Unauthorized:
那是有道理的.
我可以通过将web.config中的 deny 更改为 allow :
I can allow anonymous access, by changing the deny in web.config to allow:
<authorization>
<allow users="?" />
</authorization>
现在我被带到了主页:
这很有意义.
以上内容适用于IIS Express.但是,当我发布到Windows Server 2012 R2 IIS 7.5时,尝试 allow 匿名(?)用户不起作用:
The above works on IIS Express. But when i publish to Windows Server 2012 R2 IIS 7.5, trying to allow anonymous (?) users does not work:
那没有道理:
- 在IIS Express上运行
- 在IIS 7.5上失败
而不是:
- 只允许匿名用户(
?) - 我可以尝试允许所有用户(
*)
我再次更改web.config以允许所有人( * ):
i change web.config again to allow everyone (*):
<authorization>
<allow users="*" />
</authorization>
在本地,我可以仍然访问该站点:
And locally i can still access the site:
但是一旦我发布到IIS 7.5,它仍然会失败:
but once i publish to IIS 7.5 it still fails:
我没有做错任何事情.那我需要改变什么?
I'm not doing anything wrong. So what do i need to change?
最初,我创建了一个空网站,并开始向其中添加内容.后来,我需要创建一个真正的网站(显示信息的页面以及要单击的按钮),因此我从 Empty Web Forms网站重新开始.
Initially i created an empty web-site, and started adding things to it. Later, i need to create real web-site (with pages that displayed information, and buttons to click), so i started over with an Empty Web Forms web-site.
我的感觉是Owin破坏了一切.
My feeling is that Owin broke everything.
尽管如此,这是怎么回事?
Nevertheless, what is going on?
我找到了.网站上有一些与网站不兼容的设置.也就是说,存在无法通过 web.config 进行配置的网站配置选项,或网站文件夹中的任何其他文件.特别是:
I found it. There are some settings about a web-site that do not go with the web-site. That is, there are configuration options about a web-site that you cannot configure through web.config, or any other file in the web-site's folder. In particular:
我不知道IIS将匿名身份验证的使用存储在哪里.但是,如果没有匿名身份验证,IIS将无法意识到匿名用户是匿名用户.
I don't know where IIS stores the use of anonymous authentication. But without anonymous authentication, IIS is unable to realize that an anonymous user is anonymous.
启用匿名身份验证:
使IIS认识到匿名用户是匿名的.
causes IIS to realize that anonymous users are anonymous.
这说明:
- 为什么可以在IIS Expres上使用
- 为什么它在IIS 7.5上不起作用
- 当两个网站具有完全相同的配置文件集时,为什么它仍然不起作用
它没有解释为什么在未启用匿名身份验证的情况下IIS为什么不将匿名用户视为匿名用户;但这又是另一天的问题.如果您已经读到这里,则可以复制粘贴我刚才所说的所有内容,并获得接受.否则,我将不得不等待两天才能自己回答.更好的代表.
It doesn't explain why IIS doesn't treat anonymous users as anonymous when anonymous authentication is not enabled; but that's another issue for another day. If you've read down to here, you can copy-paste everything i just said, and get the accept. Otherwise i'll have to wait two days to answer it myself. Better you get the rep.
推荐答案
您可以通过找到解决方案来学习一些知识.恭喜你!
You learn something by finding the solution. Congratulation.
授权在 后进行.因此,在IIS上,您在处理授权规则之前看到了401.2错误页面.只有在将适当的身份验证方法设置为启用后,事情才能开始解决.
Authorization happens after authentication. So on IIS you saw the 401.2 error page before the authorization rule was ever processed. Only after a proper authentication method is set to enabled, then things start to work out.
IIS Express应该会为您提供相同的401.2错误页面.只是一个笔记.
IIS Express should give you the same 401.2 error page if you disable all its authentication methods. Just a note.
A Microsoft模式和实践文章详细说明了为什么您需要启用匿名身份验证才能允许匿名用户:
A Microsoft Patterns and Practices article explains more about why you need anonymous authentication enabled in order to allow anonymous users:
ASP.NET身份验证是一个两步过程.首先,
ASP.NET authentication is a two-step process. First,
- Internet信息服务(IIS)对用户进行身份验证,并创建一个Windows令牌来代表用户.
- 如果将IIS配置为使用匿名身份验证,则会生成IUSR_MACHINE帐户的令牌,并用于代表匿名用户.
IIS,然后将令牌传递给ASP.NET.
IIS-then passes the token to ASP.NET.
注意,因为表单身份验证不依赖IIS身份验证,因此,如果您打算在ASP.NET应用程序中使用表单身份验证,则应在IIS中为应用程序配置匿名访问
Note Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application
在IIS中,为所有使用表单身份验证的应用程序启用了匿名访问.
In IIS, anonymous access is enabled for all applications that use forms authentication.
IIS允许该请求,因为在IIS配置数据库中启用了匿名访问.ASP.NET确认授权元素包含标签.
IIS allows the request because anonymous access is enabled in the IIS metabase. ASP.NET confirms that the authorization element includes a tag.
向IIS发出请求时,有两种方法可以对用户进行身份验证:
There are two ways for a user to be authenticated when issuing a request to IIS:
- IIS本身对身份进行身份验证(使用基本身份验证,摘要身份验证或Windows身份验证)
- 将IIS配置为允许匿名" 身份验证,该网站将自行处理身份验证
- IIS authenticates your identity itself (using Basic, Digest, or Windows authentication)
- IIS is configured to allow "anonymous" authentication, and the web-site will handle authentication itself
这里令人困惑的部分是,两者之间存在差异:
The confusing part here is that there is a difference between:
- 就IIS而言
- 匿名 就ASP.net Forms身份验证而言,
- 匿名
- anonymous as far as IIS is concerned
- anonymous as far is ASP.net Forms authentication is concerned
从IIS的角度来看,将使用 Forms (或Owin或任何其他自定义身份验证模块)进行身份验证的任何请求仍然是匿名请求:
From IIS's point of view any request that will be authenticated using Forms (or Owin, or any other custom authentication module) is still an anonymous request:
| IIS Authentication | Application Authentication |
|--------------------|----------------------------|
| Basic | |
| Digest | |
| Windows | |
| Anonymous | Forms |
| Anonymous | Owin |
| Anonymous | BasicAuthModule |
当我尝试允许匿名用户访问时:
When i was attempting to allow anonymous users access:
<allow users="?" />
这是 Forms 身份验证指令.但是,为了甚至到达表单身份验证,您必须在IIS级别上允许匿名身份验证.
That is a Forms authentication directive. But in order to even reach forms authentication, you must allow anonymous authentication at the IIS level.
这篇关于如何允许匿名访问IIS 7.5上的网站?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
