<authorization> <allow users="*" /> <deny users="?" /> </authorization> not responding as expected

S. S. Seybert 1

The code worked last Tuesday, 9/28/2021. Something happened on GoDaddy related to our database that caused a problem and our site crashed. GoDaddy corrected the problem which they claim to be nonrelated. When I remove all "allow" and "deny" lines of code throughout the web.config, the site will run but the whole world has access to our site since there are no permissions. Anyone who puts our site's URL in a browser will have access to all.

When I put the line: <deny users="?" />

I get a 401.2 error.

The settings in IIS and ASP.net look fine, the framework version (4.8.whatever) and that the authentication mode on both IIS and in the web.config file are set to "none" (because the username/password pairs are stored as cleartext in the web.config file itself)

Any ideas as to why I might be getting these errors?

S. S. Seybert 1 Reputation point

2021-10-05T13:03:40.773+00:00

I am at a stand still. Can anyone send me in the right direction?
Sam Wu-MSFT 7,531 Reputation points Microsoft Vendor

2021-10-06T08:03:10.323+00:00
@S. S. Seybert the <allow user="*" /> mean that allow all the user, the <deny user="?" /> mean that deny the unauthenticated user, what is your purpose for doing this? usually we use the following configuration to allow access as John and deny access to all other users. and can you post detailed error information about 401.2?

<authorization> <allow users="John"/> <deny users="*"/> </authorization>
S. S. Seybert 1 Reputation point

2021-10-06T11:52:37.567+00:00

I have tried both <deny users="*"/> & <deny users="?"/>
I was told the "?" was for all anonymous users.
The error is:

Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4330.0

I am looking to pay someone if necessary to help me.
S. S. Seybert 1 Reputation point

2021-10-06T13:03:27.677+00:00

I am looking for someone to help me with this...anyone???
S. S. Seybert 1 Reputation point

2021-10-06T13:30:09.43+00:00

I inherited this code and am willing to pay to have someone help me debug it!
Sam Wu-MSFT 7,531 Reputation points Microsoft Vendor

2021-10-07T09:15:50.553+00:00

@S. S. Seybert Back to the original topic, what is the purpose of your configuration like this? If you only want to allow specific users to access the website, then you should follow my configuration above instead of this. or you can open a case via: https://support.microsoft.com.
S. S. Seybert 1 Reputation point

2021-10-07T11:26:13.937+00:00

Thank you for responding.

I have inherited a website that we are discontinuing but need it to continue working until our other site is up and running.

It worked fine on Tuesday, September 28th and then it didn't. It just stopped working. GoDaddy said everything is working as it should. It all has to do with authentication but things are not working as they should. I used the code you recommended and it does not work.

If I remove all deny and allow statements, everything will run but with literally no security.

Please let me know if you can help me.
Sam Wu-MSFT 7,531 Reputation points Microsoft Vendor

2021-10-08T01:47:54.437+00:00

@S. S. Seybert What authentication did you use in iis? Can you post the configuration in the web.config file?

Share via

<authorization> <allow users="*" /> <deny users="?" /> </authorization> not responding as expected

Your answer