Looking into Windows authentication at Web.config and at IIS

Hello All,

I have seen a lot of confusion around setting the authentication mode to Windows in web.config and enabling Windows authentication at IIS.

The first thing to understand is that there is no relation between setting the authentication mode to Windows in web.config and enabling/disabling (Integrated) Windows Authentication at IIS.

So let’s discuss this scenario by scenario.

Let’s say that I have enabled Windows authentication at IIS for my application and set the authentication mode to None in my web.config as

<authentication mode="None" />

Would everybody be able to access the application?

No, because every request to the application first goes to IIS, which tries to authenticate it; only if the request is authenticated does IIS allow access to the application. So it does not matter that web.config sets the authentication mode to None: the request is forwarded to ASP.NET only when it has been authenticated.

To authenticate the request, the user needs to provide domain credentials if prompted while accessing the application. Only domain users will be able to access the application.

Now it is up to ASP.NET whether it authenticates the request or not.

Now let’s reverse it: enable anonymous authentication at IIS and set the authentication in web.config as

<authentication mode="Windows" />

<authorization>
  <deny users="?"/>
</authorization>

Here too the request goes to IIS first, but IIS forwards it to ASP.NET without credentials because anonymous authentication is enabled at IIS. ASP.NET therefore does not receive any credentials from IIS, the request is not authorized, and an Access denied error is shown to the user.

So you must have got the idea that a request gets authenticated at two levels: IIS and the ASP.NET application.

In both cases the user gets an Access denied error, but the Access denied page is different in each case.

Access Denied error from IIS8 looks like


When we open the URL, it prompts for credentials, and if we don’t provide them IIS returns the above error, whose details show that the request was not authenticated at IIS.

And if we enable anonymous authentication at IIS, then ASP.NET throws error like


This simply shows that access is denied and that the request is unauthorized.

So to use Windows authentication for your application, if you want IIS to pass the credentials to ASP.NET, you should enable Windows Authentication at IIS and set the authentication mode to Windows in web.config.
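The two-level check described in this post, as an added example that is not part of the original post: a simplified Python model that reads both layers from a constructed web.config and reports which layer stops a request. It assumes the IIS section sits in the same file (it normally lives in applicationHost.config unless the section is unlocked) and that absent settings take the defaults noted in the comment; `read_layers`, `outcome` and `config` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

def read_layers(config_xml):
    """Extract the IIS-level and ASP.NET-level settings from a web.config document."""
    root = ET.fromstring(config_xml)
    def iis_enabled(name, default):
        node = root.find(f"system.webServer/security/authentication/{name}")
        return default if node is None else node.get("enabled", "").lower() == "true"
    auth = root.find("system.web/authentication")
    denies = root.findall("system.web/authorization/deny")
    return {
        # Assumed defaults when absent: IIS anonymous on / Windows off, ASP.NET mode Windows.
        "iis_anonymous": iis_enabled("anonymousAuthentication", True),
        "iis_windows": iis_enabled("windowsAuthentication", False),
        "aspnet_mode": "Windows" if auth is None else auth.get("mode", "Windows"),
        "aspnet_denies_anonymous": any(d.get("users") == "?" for d in denies),
    }

def outcome(layers, has_domain_credentials):
    """Follow one request through IIS first, then ASP.NET, as the post describes."""
    if layers["iis_anonymous"] and layers["iis_windows"]:
        raise ValueError("both IIS schemes enabled: outside the scenarios in this post")
    if layers["iis_anonymous"]:
        identity = False  # IIS forwards the request without credentials
    elif layers["iis_windows"] and has_domain_credentials:
        identity = True   # IIS authenticated the caller
    else:
        return "denied by IIS"
    passed = identity and layers["aspnet_mode"] == "Windows"
    if layers["aspnet_denies_anonymous"] and not passed:
        return "denied by ASP.NET"
    if passed:
        return "allowed, identity passed to ASP.NET"
    return "allowed, authenticated at IIS only" if identity else "allowed anonymously"

def config(anonymous, windows, mode, deny_anonymous):
    """Build a constructed sample web.config (not taken from a real application)."""
    deny = '<authorization><deny users="?"/></authorization>' if deny_anonymous else ""
    return f"""<configuration>
      <system.web><authentication mode="{mode}"/>{deny}</system.web>
      <system.webServer><security><authentication>
        <anonymousAuthentication enabled="{str(anonymous).lower()}"/>
        <windowsAuthentication enabled="{str(windows).lower()}"/>
      </authentication></security></system.webServer>
    </configuration>"""

SCENARIO_1 = read_layers(config(False, True, "None", False))     # IIS Windows, web.config None
SCENARIO_2 = read_layers(config(True, False, "Windows", True))   # IIS anonymous, web.config Windows
RECOMMENDED = read_layers(config(False, True, "Windows", True))  # both layers set to Windows
```

Calling `outcome(SCENARIO_2, True)` shows that even a caller holding domain credentials is stopped at the ASP.NET layer when IIS is set to anonymous, which is the mismatch the second scenario describes.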

Hope you have enjoyed this small post. I’ll write more posts on ASP.NET security.

