IIS7 授权规则/配置 - 永久提示 [英] IIS7 Authorization Rules / Config - Prompting Perpetually

问题描述

我正在尝试使用 .NET 授权规则保护 IIS7 中的应用程序.

I am trying to secure an application in IIS7 using .NET Authorization Rules.

默认情况下，网络服务器允许所有用户访问(这是继承的).

By default, the web server allows all users access (which is inherited).

我已经为这个应用程序目录添加了一个拒绝所有用户的命令，以及一个针对特定用户的允许命令.

I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="myusername" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

我启用了 Windows 身份验证，并且我可以在没有我的 REMOTE_USER 是 MYDOMAINmyusername 的行的情况下验证这一点.

I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAINmyusername.

但是，当我尝试拒绝所有用户时，系统会提示我使用典型的 Windows 域用户名/密码框.如果我输入用户名密码，提示会再次出现 3 次，直到最终向我显示失败消息.(我也试过没用)

However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)

查看事件查看器，似乎我使用用户名和密码登录在审核中是成功的......而且更进一步，我的帐户没有被锁定(如果我没有被锁定)一遍又一遍地登录).所以就好像我正在登录，但配置没有看到我输入的内容与我的登录名匹配.

Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.

以下是我看到的消息(即使使用 localhost 从服务器连接):

Below is the message I see (even when connecting from the server using localhost):

**访问被拒绝.

描述:访问处理此请求所需的资源时出错.服务器可能未配置为访问请求的 URL.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

错误消息 401.2.:未经授权:由于服务器配置，登录失败.根据您提供的凭据和 Web 服务器上启用的身份验证方法，验证您是否有权查看此目录或页面.如需更多帮助，请联系 Web 服务器的管理员.**

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**

推荐答案

首先，主要问题是 IIS6 授权也包含在 IIS7 中，至少在我的情况下是默认的.首先，确保您已安装 IIS7 授权.完整的路线可以在这里找到:

First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:

http://www.iis.net/ConfigReference/system.webServer/安全/授权

之所以会出现这种混淆，是因为在 IIS7 中，您的应用程序菜单中有一个名为.NET 授权规则"的项目(在 ASP.NET 部分下).这不是您想要的 IIS7 授权.为此，您必须确保已安装它(参见上面的链接)，然后单击应用程序 IIS 部分下的链接，称为授权规则"

The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules"

另一个值得一提的注意事项，如果您将以下配置放在适当的位置:

Another note worth mentioning, if you put the following config in place:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="unknownname" />
        <add accessType="Allow" users="knownname" />
      </authorization>
    </security>
  </system.webServer>
</configuration>

这将导致所有人都被拒绝.看来，如果您拒绝一个不存在的用户名或角色，每个人都会被拒绝.如果被拒绝的用户被识别，那么它工作正常.

This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.

另外，为 * 指定拒绝并允许某些用户将不起作用，它将拒绝所有用户.您只需删除 * 用户(如我上面的示例)，然后只允许您的目标受众.默认情况下，其他所有人都被拒绝.

Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.

这篇关于IIS7 授权规则/配置 - 永久提示的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！