4

I really hope this isn't a duplicate, but I wasn't able to find anything like this on here.

My issue is: I have a subdirectory on a Windows (not sure if 2008 R2 or 2012) server with IIS 8.5 that I want to protect with basic authentication. I've talked to the server admin and he activated basic auth for me and added a Windows user for me. The protection works, but only for directories, not individual files.

This leads to bizarre situations like "sub.domain.com/subsubdir/" is only accessible with the correct user/password combination, but "sub.domain.com/subsubdir/index.php" is open for all to visit, and I can't figure out why. The way I've implemented this in the web.config is this:

<location path="dir/subdir">  
    <system.web>
        <authorization>
            <allow users="authorizedUser"/>
            <deny users ="?" />    
        </authorization>
    </system.web>
</location>

Where the subdomain points to "dir/subdir", thus "sub.domain.com/subsubdir/" to reach the subdirectory.

I tried dir/subdir/ and dir/subdir/*, but both lead to errors. Either I'm using the wrong keywords, or Google doesn't know about my problem.

I'm not even sure if that's something I have to fix on my side (only access via FTP) or if it's some Windows setting that the admin has to change. Does anyone know what's happening here?

Edit: I got confused with my own subdirectories and forgot a level. Not sure if that's relevant, but I edited it anyway.

Christian
  • 209
  • 1
  • 3
  • 9

1 Answers1

4

You should disable anonymous authentication for the directory if there is no need to have anonymous users. This will take care of the problem

MichelZ
  • 11,068
  • 4
  • 32
  • 59
  • Thanks for the help. I'll try that and come back here as soon as I have results. – Christian May 21 '14 at 14:57
  • Seems like I won't be able to test this anytime soon because of unrelated things, but I trust your answer enough to accept it anyway. Thanks for the help! – Christian Jun 10 '14 at 09:00