Currently, the ServerInfo virtual directory is configured to allow anonymous access and Integrated Windows authentication (IWA). In spite of this configuration, no authentication takes place because the anonymous connection is always attempted first (which explains why things happen relatively quickly).
To authenticate users, leave IIS in its current configuration ( with anonymous access and IWA turned on) and use the Web.config file to control who has access to the resource.
To prevent anonymous users from accessing the assembly, use:
<configuration> <system.runtime.remoting> <!--remoting settings are up here </system.runtime.remoting> <system.web> <authentication mode="Windows" /> <authorization> <deny users="?" /> </authorization> </system.web> </configuration>
Specific users can be granted access by initially denying everyone and then specifying who has permission:
<authorization> <deny users="*" /> <allow users="Administrator, ServerInfoClient" /> </authorization>
Or, permissions can be assigned based on roles (or a permutation of all of the above):
<authorization> <deny users="*" /> <allow users="ServerInfoClient" roles="Administrators, Remote Objects" /> </authorization>
To avoid confusion, the ? represents unauthenticated users, while the * refers to all users, whether or not they are authenticated.
Typically, when an application accesses restricted resources, it does so through an account created specifically for that purpose (rather than by ...