</security>
</system.webServer>
</location>
To allow the same developer on the same site to enable or disable Windows authentication but not to
change the providers element, you could use:
<location path="MySite" overrideMode="Allow">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" lockElements="providers">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
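An audit sketch for the delegation settings shown above, added here and not taken from the book: it parses location tags and reports each one's overrideMode and lock attributes, flagging locations that are delegated with nothing locked. The sample XML is constructed (only MySite mirrors the page's example) and the function names are hypothetical; section-level overrideModeDefault declarations in a real applicationHost.config are not read.

```python
import xml.etree.ElementTree as ET

# Constructed sample: MySite mirrors the example above; the other two are invented.
SAMPLE = """<configuration>
 <location path="MySite" overrideMode="Allow"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" lockElements="providers">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="Intranet" overrideMode="Allow"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" />
 </authentication></security></system.webServer></location>
 <location path="Public" overrideMode="Deny"><system.webServer><security><authentication>
  <basicAuthentication enabled="false" />
 </authentication></security></system.webServer></location>
</configuration>"""

# Attributes IIS uses to lock parts of a section against lower-level changes.
LOCK_ATTRS = ("lockElements", "lockAttributes",
              "lockAllElementsExcept", "lockAllAttributesExcept")

def audit_delegation(config_xml):
    """Map each <location> path to its overrideMode and any element-level locks."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        locks = {}
        def walk(node, prefix):
            for child in node:
                path = f"{prefix}/{child.tag}" if prefix else child.tag
                for attr in LOCK_ATTRS:
                    if child.get(attr):
                        locks[f"{path}@{attr}"] = [n.strip() for n in child.get(attr).split(",")]
                walk(child, path)
        walk(loc, "")
        # A location tag without overrideMode inherits the parent's setting.
        report[loc.get("path", "")] = {"overrideMode": loc.get("overrideMode", "Inherit"),
                                       "locks": locks}
    return report

def fully_delegated(report):
    """Locations a lower-level administrator can change with no locked parts."""
    return sorted(p for p, r in report.items()
                  if r["overrideMode"] == "Allow" and not r["locks"])

if __name__ == "__main__":
    rep = audit_delegation(SAMPLE)
    for path, entry in rep.items():
        print(path, entry["overrideMode"], entry["locks"])
    print("fully delegated:", fully_delegated(rep))
```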
Feature delegation extends to the GUI administration tool as well. At the server level, for example, you
can configure which features can be changed by lower-level administrators using the Administration
tool. You can configure administrators for any level in the Administration tool, and those administrators
have access to features at or below their level. For example, server administrators can configure any site,
whereas a site administrator can configure only features within that site.
Delegation of management functions is something administrators should consider carefully when
planning an IIS 7.0 deployment in their organization. In Chapter 3, we discuss planning deployments.
Chapter 6 covers using the applicationHost.config file. Chapter 9 describes administration delegation.
Unified Authentication and Authorization
In IIS 7.0, the authentication and authorization process merges the traditional IIS authentication options
with ASP.NET options. This allows administrators and developers to use ASP.NET authentication across
all files, folders, and applications in a site.
In IIS 6.0 and previous versions, controlling access to an Adobe Acrobat (PDF) file was difficult through
ASP.NET authentication schemes. You would need to enable Windows authentication or basic
authentication on the web site, folder, or file and create a Windows account to have access to the file. Then you
would need to require the user to provide valid credentials for that Windows account, even if he or she
already had logged into your ASP.NET application, to be able to access that PDF file. The alternative was
to use impersonation in ASP.NET to access the file using the ASP.NET process account — all to prevent
someone from opening the PDF file by pasting the direct URL into their browser. Options involving
streaming the content from a protected location were just as cumbersome, and redirecting files to be
processed by the ASP.NET DLL was even more problematic.
In IIS 7.0, using ASP.NET authentication no longer requires the file to be processed as an ASPX
extension; thus file extensions of all types can be secured with Forms authentication or any other ASP.NET
method. This reduces the requirement for Windows Client Access Licenses (CALs) to provide access
Chapter 1: Background on IIS and New Features in IIS 7.0