asp.net Does an IIS 7.5 web app with windows authentication require end users to have file permissions?

We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with.

There are two IIS settings that control this:

  • Physical Path Credentials. By default this is set to Application User (Pass-through authentication). This means that IIS doesn't do any impersonation when handling Windows Authentication requests. This can, however, be set to a specific user (though not, unfortunately, the application pool identity, which would be ideal).
  • Physical Path Credentials Logon Type. This is set by default to Clear-Text. For my testing I set this to Interactive (though this may not be the correct value). Possible values are Clear-Text, Batch, Interactive, and Network.

What we did:

  • Created a local account (IIS-AccessUser)
  • Granted IIS-AccessUser read and execute access to the /home directory of the site.
  • Set IIS-AccessUser as the Physical Path Credentials

Doing the above allowed me to log in to the application directly, without having to allow Authenticated Users, or me having to be a member of any of the groups in the /home folder. It also still preserved .NET Authorization roles, so I still could not access parts of the site that I was not allowed to.

Thanks, this is good. Too much setup for me, so I now ensure Authenticated Users have access, but if one really cared about ensuring users couldn't access the files via Windows Explorer this would be the way forward.

@DZx I have never seen the config screen myself, but I suspect that our admin was lamenting that there was no simple option to say "use app pool identity". However, I am not aware of anything to keep you from keying the same credential into both places.
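What the Physical Path Credentials setting looks like once saved, as an added applicationHost.config excerpt (example written for this page, not taken from the answer or from IIS documentation). The site name, content path, application pool and binding are assumptions; the password is a placeholder, since IIS stores the real value encrypted when it is entered through IIS Manager or appcmd.

```xml
<!-- applicationHost.config excerpt (added example). IIS Manager writes the
     userName/password/logonMethod attributes when you use
     Basic Settings > "Connect as..." > "Specific user" on the site.
     Assumed equivalent appcmd form:
       appcmd set vdir /vdir.name:"Intranet/" /userName:"IIS-AccessUser"
                       /password:"<placeholder>" /logonMethod:ClearText -->
<sites>
  <site name="Intranet" id="2">
    <application path="/" applicationPool="IntranetPool">
      <!-- Physical Path Credentials: IIS opens the content files as this
           fixed local account instead of the authenticated end user, so only
           IIS-AccessUser needs Read and Execute on the content folder. The
           end users' accounts never need an NTFS entry there, and the
           worker process itself still runs as the pool identity
           (e.g. NETWORK SERVICE). -->
      <virtualDirectory path="/"
                        physicalPath="D:\sites\intranet\home"
                        userName="IIS-AccessUser"
                        password="[PLACEHOLDER: IIS stores this encrypted]"
                        logonMethod="ClearText" />
      <!-- logonMethod accepts ClearText (default), Batch, Interactive or
           Network; the answer above used Interactive in its test. -->
    </application>
    <bindings>
      <binding protocol="http" bindingInformation="*:80:intranet.example" />
    </bindings>
  </site>
</sites>
```

Authorization of the end user is still done by Windows Authentication plus the URL authorization rules; the fixed account only governs how IIS reads files from disk, so keep its NTFS rights to Read and Execute on that one folder.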
The short answer is NO. You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.

We were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.

For anyone dealing with this issue, or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.

In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).

It is looking in the system.webserver tags for authorization configuration (where you will need to list the windows domain\groups a user needs to be in to access your application).

Please read the two comments at the end of the post for some valid critiques of the methods used in this article.

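A web.config fragment of the shape the answer describes, with the group list in the system.webServer section rather than system.web (added example for this page; it is not from the answer or the linked article). DOMAIN\IntranetUsers, DOMAIN\IntranetAdmins and the Admin sub-path are assumed names.

```xml
<!-- web.config excerpt (added example). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Windows Authentication on, Anonymous off. Both of these sections
           are locked in applicationHost.config by default (overrideModeDefault
           "Deny"); either unlock them there or set them at server level in
           IIS Manager, otherwise the site fails with a 500.19 config error. -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <!-- IIS URL Authorization. The server-level default is
           <add accessType="Allow" users="*" />, so first remove that inherited
           rule, then allow only the domain group(s) that should reach the app.
           Users who match no rule are refused (401/403), so no catch-all deny
           rule is needed and the end users still need no NTFS rights on the
           content folder. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="DOMAIN\IntranetUsers" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Tighter rule for one sub-path: clear what is inherited from the site
       root and allow only the admin group. -->
  <location path="Admin">
    <system.webServer>
      <security>
        <authorization>
          <clear />
          <add accessType="Allow" roles="DOMAIN\IntranetAdmins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Group names are matched against the Windows token of the authenticated user, so a quick check after deploying is to browse the site as a test account outside DOMAIN\IntranetUsers and confirm the 401 comes from IIS before any page code runs.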
I've never seen that group before, nor needed to give it permissions! Isn't that basically the same as giving permissions to Everyone?

OK, it's not the same as Everyone, since Everyone includes Guest and null sessions such as computer-to-computer connections. But Authenticated Users is almost Everyone, so you're still having to give file access permissions to end users, which is what I was trying to avoid. windowsitpro.com/article/file-systems/ has a bit more discussion on Authenticated Users.

That article is about using forms authentication to present a login form to a user and then authenticate to a domain. I want to use Windows Authentication to automatically authenticate the user. I'm not using impersonation so I don't have impersonate="true"; I want the app pool to run as network service, not as the authenticated end user.
