asp.net iis-7 integrated-pipeline-mode

ASP.NET Authentication with Roles in IIS7 Integrated Mode for Static Content


I am experimenting with the integrated authentication mode for static content in IIS7. I followed the instructions in this article: https://web.archive.org/web/20210612113955/https://aspnet.4guysfromrolla.com/articles/122408-1.aspx. It is working fine if I allow/deny access by login status (like in the article). However, I want to allow/deny access based on roles (using the ASP.NET built-in Roles Provider). When I put an allow rule for the role "Admin" in the web.config and a deny rule for all other users, I am not able to access the static files even when I log in as an admin. The same folder contains non-static content (aspx pages) that are accessed just fine based on the Role Provider information.

Any ideas?


Solution

  • Try adding the following to your <system.webServer> <modules> block:

    <configuration>
      <system.webServer>
        <modules>
          <remove name="FormsAuthentication" />
          <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
          <remove name="UrlAuthorization" />
          <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
          <remove name="DefaultAuthentication" />
          <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
          <remove name="RoleManager" />
          <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
        </modules>
      </system.webServer>
    </configuration>
    

    The RoleManager bit is key, and it's not included in any of the online examples that I could find. Without that, the user's role membership isn't initialized for static content, so role-based authorization will always fail.

    (Disclaimer: I've pieced this together myself based on my limited understanding of IIS, but it seems to work.)

    Edit (in response to your comment): Sorry, I don't know much about how RoleManager depends on other modules. You can view the default IIS configuration by looking at c:\Windows\System32\inetsrv\config\applicationHost.config (at least, that's the path on my Windows Vista machine) to see the order in which modules are loaded (note the use of managedHandler by default to restrict RoleManager to non-static content), and MSDN covers RoleManagerModule along with the rest of the modules in the System.Web.Security namespace, so you could probably find what you need there.
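
A check for the omission the answer describes, as an added example (not part of the original answer and not IIS tooling): it merges a site's `<modules>` entries over the server-level list and reports which of the four security modules would still be skipped for static files. The sample XML is constructed, the helper names are hypothetical, and `runAllManagedModulesForAllRequests` is an IIS attribute the answer does not mention.

```python
import xml.etree.ElementTree as ET

# The four modules the answer re-registers so they also cover static files.
REQUIRED = ("FormsAuthentication", "UrlAuthorization",
            "DefaultAuthentication", "RoleManager")

def config(modules_body, attrs=""):
    """Build a minimal config document around <modules> (sample helper)."""
    return (f"<configuration><system.webServer><modules {attrs}>"
            f"{modules_body}</modules></system.webServer></configuration>")

def entry(name, precondition=None, replace=False):
    """One <add>, optionally preceded by <remove>, for a security module."""
    pre = f' preCondition="{precondition}"' if precondition else ""
    add = f'<add name="{name}" type="System.Web.Security.{name}Module"{pre} />'
    return (f'<remove name="{name}" />' if replace else "") + add

# Constructed inputs: server defaults restricted to managed handlers, and a
# site web.config that re-adds three modules but forgets RoleManager.
SERVER = config("".join(entry(n, "managedHandler") for n in REQUIRED))
SITE_PARTIAL = config("".join(entry(n, replace=True) for n in REQUIRED[:3]))

def effective_modules(server_xml, site_xml):
    """Apply the site's <clear>/<remove>/<add> over the server module list."""
    merged, run_all = {}, False
    for text in (server_xml, site_xml):
        modules = next(ET.fromstring(text).iter("modules"), None)
        if modules is None:
            continue
        flag = modules.get("runAllManagedModulesForAllRequests")
        run_all = run_all if flag is None else flag.lower() == "true"
        for el in modules:
            if el.tag == "clear":
                merged.clear()
            elif el.tag == "remove":
                merged.pop(el.get("name"), None)
            elif el.tag == "add":
                merged[el.get("name")] = el.get("preCondition", "")
    return merged, run_all

def skipped_for_static(server_xml, site_xml):
    """Required modules that will not run when a static file is requested."""
    merged, run_all = effective_modules(server_xml, site_xml)
    return [n for n in REQUIRED if n not in merged or
            (not run_all and "managedHandler" in merged[n].split(","))]

if __name__ == "__main__":
    print(skipped_for_static(SERVER, SITE_PARTIAL))
```

An empty result means all four modules run for every request; any name returned is a module whose work (for `RoleManager`, loading the user's roles) is missing when a static file is served.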