iis 7 - Enabling PUT on IIS 7.5 for an ASHX handler using Windows Authentication

Question

I have an ASP.NET (.NET 4) website that uses http PUT for an .ashx generic handler. The PUT call originates from a Silverlight front end. All works in VS 2010 on my local machine (Cassini web server).

Then I deployed to an IIS7.5 Win Server 2008 R2 box.

The silverlight/website is fine, but PUT calls to the .ashx handler are met with a Windows Login Prompt.
This is a local intranet so Windows Authentication (with NTLM & Negotiate providers) is the only enabled authentication.

Then I read this: http://blogs.msdn.com/b/joseph_fultz/archive/2009/07/23/enabling-the-put-verb-with-handlers-and-iis-7-0.aspx

I've followed his suggestion and I can now make PUT calls via my .ashx handler. Problem is only folks in the Administrators Group of the web server can do this. No one else can. They are met with the windows login prompt.

Any idea what this could be?

I can't give Everyone in the company Admin privileges on the webserver. They would no doubt cut off one of my hands, eat said hand in front of me, and then show me the door.

Answer 1

Ok I figured it out.

Here are the key configuration elements in IIS 7.5:

1. Under Windows Authentication / Providers - NTLM had to be on top of Negotiate
2. Domain Users needed write access to the directory containing the ashx handler

3. URL Authorization was not enabled as a role on the web server. I added it and then stuck this in the web.config under system.webServer:

   <security>
       <authorization>
           <remove users="*" roles="" verbs="" />
           <add accessType="Allow" users="*" verbs="GET,HEAD,POST,PUT,DELETE,DEBUG" />
       </authorization>
   </security>
   

(I'll trim that down a bit, but for now it works)

My entire system.webServer element is as follows:

<system.webServer>
    <modules>
        <remove name="WebDAVModule" />
    </modules>
    <defaultDocument>
        <files>
            <clear />
            <add value="default.aspx" />
        </files>
    </defaultDocument>
    <handlers accessPolicy="Read, Write, Execute, Script">
        <remove name="WebDAV" />
        <remove name="SimpleHandlerFactory-Integrated-4.0" />
        <remove name="SimpleHandlerFactory-Integrated" />
        <add name="SimpleHandlerFactory-Integrated" path="*.ashx" verb="GET,HEAD,POST,DEBUG,PUT" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Write" preCondition="integratedMode" />
        <add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="GET,HEAD,POST,DEBUG,PUT" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Write" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
    <security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" users="*" verbs="GET,HEAD,POST,PUT,DELETE,DEBUG" />
        </authorization>
    </security>

</system.webServer>

That did it.