IIS Authentication in web.config

Question

In our project, a user can upload documents to a directory. The problem is that a user cannot access those files via the URL.

After playing around with permissions in IIS, I was able to download a file by changing the permissions on the file (or folder) to allow "Read" by IIS_IUSRS. My issue is that the folders are also dynamically generated and I do not want to manually have to go through and change the permissions on each.

I'm attempting to get the web.config file to allow reading of these files, but I cannot get the proper configuration.

In the site's web.config file I have:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="path/to/upload/directory">
        <system.webServer>
            <security>
                <authentication>
                    <windowsAuthentication enabled="false" />
                    <anonymousAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>
</configuration>

However upon accessing the file again, I get a 500.19 error:

AnonymousAuthenticationModule
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Following this answer, I set AnonymousAuthenticationModule to lockItem="false", anonymousAuthentication to Allow in applicationHost.config, and restarted the server. After all of that, I still get the same 500.19 error.

score 0 · Accepted Answer · answered Apr 04 '13 at 21:04

0

When you say the folders are generated dynamically, do you mean generated through code? If so, you could make sure the parent directory has the required permissions and then set the permissions on its subdirectories to "inherit". For a file, it would be

Dim perms = File.GetAccessControl(targetFile)
perms.SetAccessRuleProtection(False, False)
File.SetAccessControl(targetFile, perms)

I expect that you can find the equivalent for a directory.

answered Apr 04 '13 at 21:04

Andrew Morton

24,203
9
60
84

Not using ASP, but I'll give that idea a try in PHP. – Jason Kaczmarsky Apr 05 '13 at 13:18
No way to do it via PHP without some 3rd party software to allow ACL changes. Also, I'd rather not set permissions when I create a directory through code, but just have a config file that says "all files within this directory and subdirectories can be read by everyone". – Jason Kaczmarsky Apr 05 '13 at 14:48
@JasonKaczmarsky Does this work for your server: http://www.howyoudo.info/index.php/how-to-fix-windows-server-upload-file-inherit-permissions-error/ ? (Found by searching for `php iis set directory permissions`.) – Andrew Morton Apr 05 '13 at 16:52
Yup, that did it. I wish there was a better solution because not all file uploads have the same permissions, so it's only a partial fix =/ – Jason Kaczmarsky Apr 08 '13 at 19:50

IIS Authentication in web.config

1 Answers1