Comments on: How to secure WordPress admin directory on IIS 7.0 http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/ IIS, FastCGI, PHP and other interesting stuff Mon, 30 Jan 2012 13:10:03 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Justin Bartlett http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-10889 Justin Bartlett Fri, 22 Apr 2011 17:43:02 +0000 http://ruslany.net/?p=199#comment-10889 Hi there, I'm interested in having a shared login between a linux hosted wordpress site and an asp.net based cms - Is there any way to have asp.net read the mysql database containing wordpress login info and use that to authenticate users? Or a cookie solution? Any thoughts on sharing login / pass between asp.net and wordpress or pointing me in the right direction would be so very much appreciated. Hi there, I’m interested in having a shared login between a linux hosted wordpress site and an asp.net based cms – Is there any way to have asp.net read the mysql database containing wordpress login info and use that to authenticate users? Or a cookie solution? Any thoughts on sharing login / pass between asp.net and wordpress or pointing me in the right direction would be so very much appreciated.

]]> By: Brent http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-10698 Brent Thu, 24 Feb 2011 17:38:32 +0000 http://ruslany.net/?p=199#comment-10698 I had been using instructions similar to this to allow Forms Authentication to work as a single-signon for Drupal. The weirdly everything worked with integrated pipeline for authenticated users, but anonymous user POST requests received 500.0 errors while GET worked fine. After some redirection from a member of groups.drupal.org (http://groups.drupal.org/node/122299) I reverted to "Classic" mode with a wildcard script mapping and this worked. My question is, why? I don't understand why "Integrated Pipeline" mode did not work for anonymous POSTs. My web.config under "Integrated Pipeline" included these modules: [XML has been removed. Only encoded XML is allowed] and Anonymous POSTs were explicitly allowed in the web.config and worked for ASP.Net, Classic ASP, and HTML in the same Application. What don't I understand here? Thanks for your insights, I have everything working... I just don't understand why it doesn't work in integrated mode. I had been using instructions similar to this to allow Forms Authentication to work as a single-signon for Drupal. The weirdly everything worked with integrated pipeline for authenticated users, but anonymous user POST requests received 500.0 errors while GET worked fine.

After some redirection from a member of groups.drupal.org (http://groups.drupal.org/node/122299) I reverted to “Classic” mode with a wildcard script mapping and this worked. My question is, why? I don’t understand why “Integrated Pipeline” mode did not work for anonymous POSTs.

My web.config under “Integrated Pipeline” included these modules:

[XML has been removed. Only encoded XML is allowed]

and Anonymous POSTs were explicitly allowed in the web.config and worked for ASP.Net, Classic ASP, and HTML in the same Application.

What don’t I understand here? Thanks for your insights, I have everything working… I just don’t understand why it doesn’t work in integrated mode.

]]> By: J. james johnson http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-3543 J. james johnson Wed, 15 Dec 2010 23:48:17 +0000 http://ruslany.net/?p=199#comment-3543 This would transmit the password in clear text though... This would transmit the password in clear text though…

]]> By: ruslany http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2451 ruslany Wed, 15 Sep 2010 16:26:55 +0000 http://ruslany.net/?p=199#comment-2451 Hi Joey, This error is because some IIS section is locked for modifications on the site level. This can be changed by modifying the file C:\windows\system32\inetsrv\config\applicationHost.config or by using IIS Manager as described <a href="http://learn.iis.net/page.aspx/155/an-overview-of-feature-delegation-in-iis-70/" rel="nofollow">here</a>. Hi Joey,

This error is because some IIS section is locked for modifications on the site level. This can be changed by modifying the file C:\windows\system32\inetsrv\config\applicationHost.config or by using IIS Manager as described here.

]]> By: Joey http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2450 Joey Wed, 15 Sep 2010 12:58:18 +0000 http://ruslany.net/?p=199#comment-2450 Any idea how to resolve this error? HTTP Error 500.19 – Internal Server Error I have read up on it and it says that there are possibly two lines where is added. In the last cnfig i sent i didnt see that. I am hping you read this soon. I have to have this configured by friday. thanks for your help in advance. Any idea how to resolve this error? HTTP Error 500.19 – Internal Server Error

I have read up on it and it says that there are possibly two lines where is added.

In the last cnfig i sent i didnt see that. I am hping you read this soon. I have to have this configured by friday.
thanks for your help in advance.

]]> By: Joey http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2447 Joey Tue, 14 Sep 2010 20:15:45 +0000 http://ruslany.net/?p=199#comment-2447 Yeah i had to add the module in IIS. got it sorted. Now i have the following errors. Server ErrorInternet Information Services 7.0 Error Summary HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid. Detailed Error Information Module IIS Web Core Notification BeginRequest Handler Not yet determined Error Code 0x80070021 Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false". Config File \\?\P:\inetpub\wwwroot\web.config Requested URL http://magazine.lynn.edu:80/ Physical Path P:\inetpub\wwwroot Logon Method Not yet determined Logon User Not yet determined Config Source 10: 11: 12: Links and More InformationThis error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error. View more information » Here is a copy of my web.config file. something is most likely done incorrectly. <!-- Deny access to wp-admin for anonymous users --> <!-- Allow access to wp-admin/css folder for anonymous users --> <!-- this is needed in order for WordPress login page to display correctly --> <!-- Allow access to wp-admin/images folder for anonymous users --> <!-- this is needed in order for WordPress login page to display correctly --> Yeah i had to add the module in IIS. got it sorted.

Now i have the following errors.

Server ErrorInternet Information Services 7.0
Error Summary
HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid. Detailed Error Information
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0×80070021
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault=”Deny”), or set explicitly by a location tag with overrideMode=”Deny” or the legacy allowOverride=”false”.
Config File \\?\P:\inetpub\wwwroot\web.config
Requested URL http://magazine.lynn.edu:80/
Physical Path P:\inetpub\wwwroot
Logon Method Not yet determined
Logon User Not yet determined
Config Source
10:
11:
12:
Links and More InformationThis error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error.
View more information »

Here is a copy of my web.config file. something is most likely done incorrectly.



]]> By: ruslany http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2426 ruslany Wed, 08 Sep 2010 00:09:17 +0000 http://ruslany.net/?p=199#comment-2426 Hi Joey, The Forms Authentication should be already installed when you install IIS 7. Hi Joey,

The Forms Authentication should be already installed when you install IIS 7.

]]> By: Joey http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2425 Joey Tue, 07 Sep 2010 19:36:10 +0000 http://ruslany.net/?p=199#comment-2425 Sorry, Using Server 2008 Enterprise Edition. Sorry, Using Server 2008 Enterprise Edition.

]]> By: Joey http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-2424 Joey Tue, 07 Sep 2010 18:55:01 +0000 http://ruslany.net/?p=199#comment-2424 Unfortunately I don't see forms authentication as a checkable module in IIS? I was able to add URL authorization module though from the Add Role Services Section in IIS. Am I missing something? Unfortunately I don’t see forms authentication as a checkable module in IIS? I was able to add URL authorization module though from the Add Role Services Section in IIS.

Am I missing something?

]]> By: John http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1523 John Wed, 09 Dec 2009 16:09:49 +0000 http://ruslany.net/?p=199#comment-1523 Ruslany, You were right, I did not have URL authorization enabled, and I got confused because I was using VS development server alongside IIS7 (http://www.4guysfromrolla.com/articles/122408-1.aspx cleared this up for me) and the behavior was different for each. So, I am beginning to understand now, but I have a follow up question. Does plugging the asp.net modules into the pipeline (i.e. removing and then adding FormsAuthenticationModule) also enable authentication on static content through the system.web authentication rule? If so, what is the advantage to using the system.webServer namespace? Thanks again. John Ruslany,
You were right, I did not have URL authorization enabled, and I got confused because I was using VS development server alongside IIS7 (http://www.4guysfromrolla.com/articles/122408-1.aspx cleared this up for me) and the behavior was different for each. So, I am beginning to understand now, but I have a follow up question. Does plugging the asp.net modules into the pipeline (i.e. removing and then adding FormsAuthenticationModule) also enable authentication on static content through the system.web authentication rule? If so, what is the advantage to using the system.webServer namespace? Thanks again.
John

]]>