1

I'm using IIS Express to host my website, and I would like to do something similar to Directory Security in IIS 6. In IIS 6, I was able to go to the Directory Security tab and allow the anonymous user to be a local windows account.

Is there something equivalent in IIS Express for that? What changes do I need to make in applicationhost.config?

Thanks

Kris van der Mast
  • 16,343
  • 8
  • 39
  • 61
MVCQuestioner
  • 29
  • 1
  • 1
  • 3

1 Answers1

3

IIS Express process runs under the logged on user. With default settings, anonymous requests will execute under the identity of the process. There is a way to configure explicit user for anonymous authentication, by editing applicationhost.config (in "%userprofile%\documents\iisExpress\config\") and setting your anonymous user and password in anonymousAuthentication section <anonymousAuthentication enabled="true" userName="foo" password="bar" >

Notes:

  • the crypto context is not setup for the IIS Express (unless IIS happens to be also installed on the machine), so encrypted settings will not work
  • you cannot make the above setting programatically because programmatic setting will try to set password encrypted and will fail.
  • configured user will not have access to the "%userprofile%\documents\My web sites" directory. You will get a confusing authentication/authorization error.
  • If you want to use explicitly configured anonymous account, it may be the best to copy your IIS Express site directory outside the "%userprofile%\documents" since sharing the files inside your user profile with other users is not a good idea from the security standpoint.
Jaro Dunajsky
  • 2,003
  • 14
  • 8