I think the key thing is this
website set up as an application in a
subdirectory of another site
If it's a separate application within IIS it should have it's own web.config file and the security settings can be set from there. So you'll have one web.config for the main site and one for the subsite. really they are two applications.
If it's just a subfolder under your website then this doesn't apply. It depends how you've set it up under IIS. If it's a seperate app then the icon will be a world/cabbage type icon. If it's a sub-folder they the icon will be ... well a folder.
updated:
Oops, I overlooked the fact that you have a parent involved, my fault. Once permission defaults are set on the parent, you can just setup per-user access to the child web service/app.
The tightest configuration I could setup was the following.
For the parent, I used this barebones setup (nobody is allowed in):
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Then for the child (web service, in your case), I used this setup (only the DOMAIN\username
principal is allowed in):
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="DOMAIN\username" />
</authorization>
</system.web>
</configuration>
This resulted in no access at the parent level, but only the given user at the child (web service) level. Also, as you mentioned, setting the authentication mode doesn't work on the child web.config
.
Without setting up at least one allow
entry at the child web.config, though, nobody can get in, as the parent's deny
entry takes precedence.
original
Your settings work for me, but I believe you are missing a few elements.
Try including the impersonation element, make sure the authentication mode is set to Windows, and if deploying for IIS, make sure the IIS location has anonymous access off.
Try the following barebones config, with debug on or off as needed:
<?xml version="1.0"?>
<configuration>
<appSettings />
<connectionStrings />
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="DOMAIN\username" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Best Answer
Try this: