Hi all,
Sorry for the spam. I’m currently struggling with an authorization configuration for our service hosted on IIS 8.0.
Basically, we have a service site that has two endpoint entries: CertSvc.svc and CertSvcDSTS.svc. For client requests that come to CertSvc.svc, we use Windows authentication and deny all unauthorized users; for client requests that come to CertSvcDSTS.svc, we use STS authentication and thus allow all anonymous users; for client requests that visit any other resources, we apply Windows authentication by default and deny all unauthorized users. The configuration settings look like the following:
<location path="CertSvc.svc">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*" verbs="*"/>
    </authorization>
  </system.web>
</location>
<location path="CertSvcDSTS.svc">
  <system.web>
    <authorization>
      <allow users="*" verbs="*"/>
    </authorization>
  </system.web>
</location>
<system.web>
  . . .
  <authentication mode="Windows"/>
  <authorization>
    <deny users="?"/>
    <allow users="*" verbs="*"/>
  </authorization>
  . . .
</system.web>
However, this blocks all the client requests to the CertSvcDSTS.svc endpoint by returning a 401 Unauthorized error. It works only when I remove the yellow highlighted line. From reading MSDN, my understanding is that authorization settings in a location path should take precedence over any other similar settings in web.config. Did I understand incorrectly?
Thanks a lot for your help.