Web.Config and subdirectory *location* security

[Grant Harmeyer]

I've read similar posts to this issue, and I am fairly certain this
configuration should work. However, when I try to request any of the pages
in the Admin subdirectory of my application root, I am given the following
error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This error
can be caused by a virtual directory not being configured as an application
in IIS.

It then has the line "<authentication mode="Forms">" highlighted as the line
the error occurs at.

Is this an IIS config issue, or do I need to create a configSections node in
my web.config to facilitate this? If I need the configSections node added,
an example would be very helpful. Thanks.


<!-- Web.Config -->


<configuration>
<system.web>
<authorization>
<allow users="?" />
</authorization>
<compilation defaultLanguage="C#">
<assemblies>
<add assembly="MyAssembly" />
</assemblies>
</compilation>
<customErrors mode="Off" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>

<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms name=".MYAPPAUTH" loginUrl="login.aspx"
protection="Encryption" timeout="20" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<httpRuntime executionTimeout="90" maxRequestLength="512"
useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
</system.web>
</location>

</configuration>

 

[Chris Mohan]

Is this an IIS config issue, or do I need to create a configSections node in
my web.config to facilitate this? If I need the configSections node added,
an example would be very helpful. Thanks.

The way to address this is to configure the admin sub dir as an application in IIS.

The problem is that the authentication element can only be declared at the machine(for all apps hosted on a server), site, or application level. The documentation states: "Any attempt to declare it in a configuration file at the subdirectory or page level will result in a parser error message."
See: http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp

Here's a good article for more info on setting up an app that uses windows and forms auth:
http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication

 

[Grant Harmeyer]

Thanks, I see that very clearly now and it makes sense. I went to
http://www.gotdotnet.com and downloaded the source code for the .Text blog
application to analyze some of the tactics used in that application for
authentication and also for some performance techniques.

Thanks for the reply


Grant

The way to address this is to configure the admin sub dir as an application in IIS.

The problem is that the authentication element can only be declared at the

machine(for all apps hosted on a server), site, or application level. The
documentation states: "Any attempt to declare it in a configuration file at
the subdirectory or page level will result in a parser error message."