IIS7 Authorization Rules / Config - Prompting Perpetually

Problem description

I am trying to secure an application in IIS7 using .NET Authorization Rules.

By default, the web server allows all users access (which is inherited).

I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="myusername" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAIN\myusername.

However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)

Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.

Below is the message I see (even when connecting from the server using localhost):

**Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**

Recommended answer

First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:

http://www.iis.net/ConfigReference/system.webServer/security/authorization

The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".

Another note worth mentioning, if you put the following config in place:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="unknownname" />
        <add accessType="Allow" users="knownname" />
      </authorization>
    </security>
  </system.webServer>
</configuration>

This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.

Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
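
An added example (not part of the original answer and not IIS code): a Python check that reads a web.config and flags the pitfalls the answer describes. It assumes the parent level still carries the default allow-all rule; `audit_authorization`, the finding labels and `SAMPLE` are hypothetical names constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Deny * next to an Allow rule, the combination the answer warns about.
SAMPLE = """<configuration><system.webServer><security><authorization>
  <add accessType="Allow" users="knownname" />
  <add accessType="Deny" users="*" />
</authorization></security></system.webServer></configuration>"""

def audit_authorization(config_xml):
    """Return findings for the authorization pitfalls described in the answer."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    # <system.web> holds the ASP.NET rules (".NET Authorization Rules" in IIS Manager).
    if root.find("./system.web/authorization") is not None:
        findings.append("aspnet-rules: <system.web> rules are .NET Authorization "
                        "Rules, not the IIS7 Authorization Rules")
    authz = root.find("./system.webServer/security/authorization")
    if authz is None:
        return findings
    adds = [r for r in authz if r.tag == "add"]
    allows = [r for r in adds if r.get("accessType") == "Allow"]
    denies = [r for r in adds if r.get("accessType") == "Deny"]
    deny_all = any(r.get("users") == "*" for r in denies)
    # The inherited allow-all entry goes away with <clear/> or <remove users="*">.
    inherited_removed = any(
        r.tag == "clear" or (r.tag == "remove" and r.get("users") == "*")
        for r in authz)
    if deny_all:
        findings.append('deny-all: Deny users="*" wins over every Allow rule')
    for rule in denies:
        users = rule.get("users", "")
        if users not in ("", "*", "?"):
            findings.append(f"deny-named: confirm '{users}' resolves to a real "
                            "account; the answer saw everyone denied otherwise")
    if allows and not deny_all and not inherited_removed:
        findings.append('inherited-allow: no <remove users="*"> or <clear/>, so '
                        "the inherited allow-all rule still lets everyone in")
    return findings

if __name__ == "__main__":
    for finding in audit_authorization(SAMPLE):
        print(finding)
```

An empty result means the file removes the inherited `*` entry and only allows named users, which is the layout the answer recommends.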
