Thursday 3 April 2008

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.

One hell of an error I got while working with the membership provider in my project. The error said something like "It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
Now this doesn't really help as an error message, but a quick Google search turned up some surprising scenarios in which you can get this error. Surprising because there are only two ways it can surface!

  1. When you create a new application and IIS fails to configure the virtual folder as an application. Now, I seriously don't believe there are many geeky nerds who actually create an application virtual folder manually (I don't want to be rude, but I haven't come across any!). Also, no one even creates a folder in the application manually. At least I do it via Visual Studio. It is quick, efficient, and prevents me from having to configure it properly in IIS!
  2. The second scenario is the one that is quite possible most of the time. When you have sub-directories in your application, you can have a web.config for each of the sub-directory nodes. You can configure almost everything for that folder using that web.config, and it will override the settings in the parent web.config. That said, I must admit there are certain properties which cannot be set in the web.config of the sub-directory.
Let me explain the second in detail here!

You cannot set Authentication, Session State and a couple of other properties for the sub-folder in the web.config at that level. In principle, it must inherit those properties from the parent file. After careful thinking, this was pretty much common sense to me. You cannot have an application that accepts Forms authentication at the application level and then suddenly performs Windows authentication in a sub-folder. You can have it vice-versa though, but I think MS has configured the parser this way just as a precaution, to avoid making it scary and confusing for the developer.

The good news is that this is true only for Authentication, and not Authorization. You can configure authorization at folder level because you need to! For all those who are having this error, I have enclosed the following solution to the problem.

You should have the authentication at the application root level web.config. In that same file, under <configuration>, a <location> element can hold the authorization rules for a sub-folder:
<location path="ClientArea">
  <system.web>
    <authorization>
      <allow roles="Clients"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

However, if you wish to have a web.config at the sub-directory level and protect the sub-directory, you can only specify the authorization rules there, as follows:

<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
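
To find which sub-directory web.config is triggering the error, the script below walks an application folder and reports application-level sections defined below the root. It is an added example, not code from the original post; the section list is an assumed subset of what machine.config registers as MachineToApplication, it assumes no sub-folder is itself configured as an IIS application, and the sample site is constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed subset of the sections machine.config registers as MachineToApplication.
APP_LEVEL_ONLY = {"authentication", "sessionState", "membership", "roleManager", "machineKey"}
# Constructed sample site: a root config plus two sub-folder configs.
CFG = "<configuration{ns}><system.web>{body}</system.web></configuration>"
SAMPLE_SITE = {
    "web.config": CFG.format(ns="", body='<authentication mode="Forms"/>'),
    "ClientArea/web.config": CFG.format(
        ns="", body='<authorization><deny users="*"/></authorization>'),
    "Admin/web.config": CFG.format(
        ns=' xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"',
        body='<authentication mode="Windows"/><sessionState timeout="5"/>'),
}


def local(tag):
    """Drop an XML namespace such as the .NetConfiguration/v2.0 xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_offending_sections(app_root):
    """Return sorted (web.config path, section) pairs found below the root folder.

    The root web.config is skipped because it may define these sections.
    """
    app_root = Path(app_root)
    hits = []
    for cfg in app_root.rglob("*"):
        if not cfg.is_file() or cfg.name.lower() != "web.config" or cfg.parent == app_root:
            continue
        rel = cfg.relative_to(app_root).as_posix()
        for group in ET.parse(cfg).getroot():
            if local(group.tag) == "system.web":
                hits += [(rel, local(s.tag)) for s in group if local(s.tag) in APP_LEVEL_ONLY]
    return sorted(hits)


def write_site(base, files=SAMPLE_SITE):
    """Write the constructed sample tree under base."""
    for rel, xml in files.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(xml, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        write_site(site)
        print(find_offending_sections(site))
```

On the sample tree only Admin/web.config is reported; ClientArea/web.config passes because it contains nothing but authorization rules.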