How to make IIS authorize requests based on Windows user name or group membership?


I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.

<location path="lsgprog/bibliothek/adm">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication    enabled="false" />
                <windowsAuthentication      enabled="true"  />
            </authentication>
        </security>
    </system.webServer>
</location>

Access to some other directories is restricted as well, also using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users; those groups and users are maintained by some Active Directory and, because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.

All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.

<location path="lsgprog/vfristen">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication    enabled="false" />
                <windowsAuthentication      enabled="true"  />
            </authentication>
        </security>
    </system.webServer>

    <system.web>
        <authorization>
            <deny   users="*"
                    roles="*"
                    verbs="GET,HEAD,POST" />
        </authorization>
    </system.web>
</location>

My expectation was that the above is enough to DENY access to all users, but that doesn't work, and any approach based on ALLOW doesn't work either. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form-based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.

So, is what I'm trying to do possible at all and if so, how? Thanks!


There are 2 answers

Jalpa Panchal (accepted answer)

You could try to add the below code in your site web.config file:

<location path="foldername">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
<location path="foldername/page1.php">
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="DOMAIN\ADGROUP" />
                <add accessType="Deny" users="*" />
            </authorization>
        </security>
    </system.webServer>
</location>

Edit: you need to install URL Authorization in IIS to make this rule work.

https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization
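A way to review such rules before they go live, as an added example that is not part of either answer or of Microsoft's documentation: the Python script below parses a web.config (a constructed sample is embedded inline; the paths and the DOMAIN\ADGROUP role are placeholders) and, for every <location> that carries system.webServer/security/authorization rules, reports whether the inherited allow-everyone default was removed, whether some Allow rule names a specific user or role, whether a Deny-all rule is present, and whether Windows authentication is enabled with anonymous authentication disabled for that path or an ancestor <location>. A location that passes all four checks gets an empty finding list.

```python
"""Audit IIS URL Authorization rules in a web.config (added example, not from the thread)."""
import xml.etree.ElementTree as ET

# Constructed sample: the accepted answer's shape plus one deliberately weak location.
# "foldername", "page1.php", "public" and DOMAIN\ADGROUP are placeholders.
SAMPLE_WEB_CONFIG = r"""<?xml version="1.0"?>
<configuration>
  <location path="foldername">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="foldername/page1.php">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="DOMAIN\ADGROUP" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
  <location path="public">
    <system.webServer>
      <security>
        <authorization>
          <add accessType="Allow" roles="DOMAIN\ADGROUP" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

AUTHN_PATH = "system.webServer/security/authentication"
AUTHZ_PATH = "system.webServer/security/authorization"


def _enabled(elem):
    return elem is not None and (elem.get("enabled") or "").strip().lower() == "true"


def windows_auth_effective(root, path):
    """True if the nearest <location> at `path` or above turns Windows auth on and anonymous off."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):          # most specific path first
        candidate = "/".join(parts[:depth])
        for loc in root.findall("location"):
            if (loc.get("path") or "").strip("/") != candidate:
                continue
            authn = loc.find(AUTHN_PATH)
            if authn is None:
                continue                              # no auth settings here; look further up
            anon = authn.find("anonymousAuthentication")
            win = authn.find("windowsAuthentication")
            return (anon is not None and not _enabled(anon)) and _enabled(win)
    return False


def audit_authorization(xml_text):
    """Return {location path: [finding, ...]}; an empty list means the rules look sound."""
    root = ET.fromstring(xml_text)
    report = {}
    for loc in root.findall("location"):
        authz = loc.find(AUTHZ_PATH)
        if authz is None:
            continue
        path, findings = loc.get("path", ""), []
        rules = list(authz)
        # The inherited default rule is <add accessType="Allow" users="*" />; unless it is
        # removed it still grants everyone access regardless of the rules added below it.
        if not any(r.tag == "remove" and r.get("users") == "*" for r in rules):
            findings.append('default allow-all rule not removed (<remove users="*" ... />)')
        adds = [r for r in rules if r.tag == "add"]
        allows = [r for r in adds if (r.get("accessType") or "").lower() == "allow"]
        denies = [r for r in adds if (r.get("accessType") or "").lower() == "deny"]
        # At least one Allow rule should name a concrete principal rather than "*".
        if not any((r.get("users") or r.get("roles") or "").strip() not in ("", "*") for r in allows):
            findings.append("no Allow rule names a specific user or role")
        # Without an explicit Deny-all, anyone not matched by an Allow rule is still let through.
        if not any(r.get("users") == "*" for r in denies):
            findings.append('no Deny-all rule (<add accessType="Deny" users="*" />)')
        # Role and user matching needs an authenticated identity, i.e. Windows auth on, anonymous off.
        if not windows_auth_effective(root, path):
            findings.append("Windows authentication not enabled / anonymous not disabled for this path")
        report[path] = findings
    return report


if __name__ == "__main__":
    for location, problems in audit_authorization(SAMPLE_WEB_CONFIG).items():
        print(location, "OK" if not problems else "; ".join(problems))
```

Run it against a real web.config by replacing SAMPLE_WEB_CONFIG with the file contents; the script only reads the XML and reports, it does not touch IIS.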

kshkarin

In this scenario there are multiple options. First, try adding a web.config file to the folder that needs to have its own permissions, e.g. under lsgprog/vfristen; the minimum web.config example which will deny all users access:

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Why does it work: IIS looks at each folder in the structure for web.config files; in this case the child will overwrite the parent, but only the nodes that are inside the child, meaning it will preserve all other settings from the parent (root) web.config: Make application and directory-specific configuration settings in an ASP.NET application

Although the documentation above is for ASP.NET it applies at the IIS level as well.

Second option to try: since the question mentioned that the root of the project is lsgprog, this setting in web.config:

<location path="lsgprog/vfristen">

Should be changed to (remove the root folder of the project from the path):

<location path="vfristen">

Finally, a third option which could also work is overwriting it at the Machine.config level, as mentioned in the above document: Use the location element in the Machine.config file

When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:

Machine.config

<configuration>
    <location path="Default Web Site/MyApp" allowOverride="false">
        <system.web>
            <authorization>
                <allow users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>