I have an IIS on a Windows Server 2016. It works as our intranet and it has windows-authentification enabled for using the user login. This works all perfect.
Now we do want to develop an api using the same server. Therefore i need to exclude a path from the windows authentification and make it available for anonymous connections. The path e.g. "[server]/api/" will be handled by an PHP, so there is no 'physical' /api folder.
I edited the web.config with the following part i found on the internet
<location path="Default Web Site/api">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
My second attempt was to change
<section name="anonymousAuthentication" overrideModeDefault="Deny" />
to
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
in the applicationHost.config and adding the following to the web.config
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Both attempts do not work, if i open [server]/api it still asks for my credentials..any help is appreciated.
Update: i followed the given link from MisterSmith and edited the applicationHost.config Deny to Allow
<section name="access" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
and added/replaced the following in my web.config
<location path="api">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
But i still get a Authentication Request for /api i think it's an easy error but i can't figure out what i am missing.. I have an 64bit OS and used a 64bit notepad++, but for making sure i tried the recommended notepad2 und the build in notepad.exe, with no luck. For making sure i didn't my editing of the web.config is not causing the error, here it is in total
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="<server>" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
<rewrite>
<rules>
<rule name="Importierte Regel 1" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php/{R:1}" />
</rule>
</rules>
</rewrite>
<httpErrors errorMode="Detailed" />
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
<location path="api">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Found it with the help of MisterSmith
The 'error' was that i had a wrong location. Because my route in general do not exist physically, but are only handled in the php script i have the rewrite rule in the web.config
This result in <server>/test beeing rewritten to <server>/index.php/test.
Having this in mind, the path in the location block needed to be changed from <location path="api"> to <location path="index.php/api"> which solves the problem!