Question

Just moved a site from Windows Server 2003 to Windows Server 2012 and having difficulty restricting access to the Admin directory. In the older version of IIS, all I needed to do was disable anon access to that folder. In IIS8, I have:

  • Anonymous Authentication: Disabled
  • ASP.NET Impersonation: Disabled
  • Basic Authentication: Disabled
  • Forms Authentication: Enabled
  • Windows Authentication: Enabled

This gives me an Alert that says:

Challenge-based and login redirect-based authentication cannot be used simultaneously.

Which I find completely reasonable. However, I am trying to disable "Forms Authentication" and the next Alert says:

This feature has been locked and is read-only

How can I force an ASP.NET site's admin directory (only that directory) to require Windows Authentication?

Solution

If your folder is under the same IIS web app (which it apparently is), you can't use 2 different kinds of authentication. You need to have 2 separate IIS apps or to have sub-applications (which I think also implies virtual directories).

In other words, you can't have both Win Auth and Forms Auth enabled at the same time for the same IIS app, with managed pipeline mode set to Integrated, in IIS 7+.

Update: After searching through my bookmarks:

I tried the ideas from this article, but I could not get it to work: http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/ However it might give you more insight or ideas.

My scenario was simpler, I needed Windows and Forms auth for the entire app.

I also had an admin section and I eventually ended up putting the admin in a totally separate web app, that runs under a subdomain. Both apps were running in IIS 7.5 with integrated mode (admin windows auth enabled and the rest of the app was Forms Auth enabled).

OTHER TIPS

I believe you just need to make your admin folder its own application root, then you can do what you want.

  • From IIS Manager > Sites > {Your Website} > admin folder, right click and choose 'Convert to Application'
  • Accept the default settings for the application (you can change if you wish)
  • Click on the IIS Manager > Sites > {Your Website} > admin folder, drill down into Authentication, and choose Disable from the right menu.

An image where admin is not its own app:

Make it its own app:

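A scripted equivalent of the IIS Manager steps above, as an added example that is not part of the original answers. It assumes the WebAdministration module, an installed Windows Authentication role service, and placeholder site and folder names; it reads the "Disable" step as turning off anonymous and forms authentication for the admin application only.

```powershell
# Added example. $site and $app are placeholders (assumptions), not values from the post.
Import-Module WebAdministration

$site     = 'Default Web Site'   # placeholder site name
$app      = 'admin'              # folder that must require Windows Authentication
$location = "$site/$app"
$authBase = '/system.webServer/security/authentication'

# Steps 1-2: make the folder its own application, accepting the default settings.
if (-not (Get-WebApplication -Site $site -Name $app)) {
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$site\$app"
}

# Step 3 (IIS level): no anonymous access, Windows Authentication on.
# Written as a <location> entry in applicationHost.config, so it applies
# even when these sections are locked against web.config overrides.
$iisAuth = @{ anonymousAuthentication = $false; windowsAuthentication = $true }
foreach ($section in $iisAuth.Keys) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter "$authBase/$section" -Name enabled -Value $iisAuth[$section]
}

# Step 3 (ASP.NET level): switch this application from Forms to Windows mode.
# This is stored in the admin application's own web.config; the parent site is untouched.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$app" `
    -Filter '/system.web/authentication' -Name mode -Value 'Windows'

# Verify: read the settings back and stop if anonymous access is still allowed.
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled).Value

if ($anon -or -not $win) {
    throw "Unexpected state for '$location': anonymous=$anon, windows=$win"
}
"OK: '$location' requires Windows Authentication (anonymous=$anon, windows=$win)"
```

ASP.NET only accepts the `<authentication>` section at application level, which is why the folder has to become an application before Forms Authentication can be switched off for it alone.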

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow