问题
I'm using IIS Express to host my website, and I would like to do something similar to Directory Security in IIS 6. In IIS 6, I was able to go to the Directory Security tab and allow the anonymous user to be a local windows account.
Is there something equivalent in IIS Express for that? What changes do I need to make in applicationhost.config?
Thanks
回答1:
IIS Express process runs under the logged on user. With default settings, anonymous requests will execute under the identity of the process.
There is a way to configure explicit user for anonymous authentication, by editing applicationhost.config (in "%userprofile%\documents\iisExpress\config\") and setting your anonymous user and password in anonymousAuthentication section
<anonymousAuthentication enabled="true" userName="foo" password="bar" >
Notes:
- the crypto context is not setup for the IIS Express (unless IIS happens to be also installed on the machine), so encrypted settings will not work
- you cannot make the above setting programatically because programmatic setting will try to set password encrypted and will fail.
- configured user will not have access to the "%userprofile%\documents\My web sites" directory. You will get a confusing authentication/authorization error.
- If you want to use explicitly configured anonymous account, it may be the best to copy your IIS Express site directory outside the "%userprofile%\documents" since sharing the files inside your user profile with other users is not a good idea from the security standpoint.
来源:https://stackoverflow.com/questions/4348615/iis-express-impersonate-a-windows-account