using location tag in web.config with custom application pool in I

Pete
06-01-2005
Hi,

I have an ASP.NET account which uses the ASP.NET location authorization tag
in the web.config to restrict access to the site to authenticated users in an
AD group. This works wonderfully when using the default application pool
running with the default NETWORK SERVICE account.

However, I really wanted to use Integrated access to SQL Server and
therefore don't really want to use NETWORK SERVICE as the credential to
access SQL Server.

So I would rather use a new Active Directory account and use that as the
application pool account, so when it accesses SQL Server it will use that
account.

Note: the new AD account is pretty much similar to the NETWORK SERVICE
account. The account is part of the IIS_WPG group and has the following
permissions:
1. Adjust memory quotas for a process
2. Generate security audits
3. Log on as a service
4. Replace a process level token

These permissions were updated by changing the Local Security settings (from
the Administrative Tools).

My understanding is that the account I created with the updated permissions
should be usable as the application pool account, no problem.

Unfortunately, this doesn't go according to plan. When I serve up the page
with the new application pool (using the new AD account), IE keeps prompting
for my username and password. So I enter it, and it never authenticates or
authorizes.

Just to test whether the application pool is fine, I allow anonymous
access to the site and remove all the location tags in the web.config, and it
works fine.

I have been stuck trying to get this thing to work in this manner.
Theoretically it should work, but I must be missing something. If anybody
can help, that would be great. I've also attached a copy of the location tag bit
of the web.config.


<!-- Public Security Settings -->
<location path="Problem.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Includes">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="scripts">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="ConfirmRequest.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<!-- Representatives -->
<location path="SendAppForm.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="SubmitDashboards.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="ViewApplicant.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="ListApplicant.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- Secondary Approver -->
<location path="SecondaryApprover.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- Office IT -->
<location path="CreateADAccount.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_OfficeIT" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_OfficeIT" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- all other security groups -->
<location path="PopUp.aspx">
  <system.web>
    <authorization>
      <allow roles="TSTDOMAIN\M2006_rep" />
      <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
      <allow roles="TSTDOMAIN\M2006_OfficeIT" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<system.web>
  <pages validateRequest="false" />
  <compilation defaultLanguage="c#" debug="false" />
  <customErrors mode="Off" defaultRedirect="Problem.aspx" />
  <authentication mode="Windows" />
  <authorization>
    <deny users="*" />
  </authorization>
  <trust level="Full" originUrl="" />
  <sessionState mode="InProc" />
  <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
  <httpRuntime executionTimeout="900" maxRequestLength="12288" />
</system.web>

Thanking whoever responds in advance.

Dominick Baier [DevelopMentor]
06-01-2005
Hello Pete,

have you tried

<authorization>
<deny users="?" />
</authorization>

instead of

<authorization>
<deny users="*" />
</authorization>


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
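To show what the two root rules above do once ASP.NET merges them with the per-page location blocks, here is an added Python model of the URL-authorization evaluation (location rules before parent rules, first matching rule wins, `*` is everyone, `?` is anonymous). It is not code from this thread; the config excerpt is constructed after the posted one, and the user names are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the thread's web.config; {root_deny} is swapped
# between "*" (as posted) and "?" (as suggested in the reply).
WEB_CONFIG = """<configuration>
  <location path="Problem.aspx"><system.web><authorization>
    <allow users="*"/></authorization></system.web></location>
  <location path="Default.aspx"><system.web><authorization>
    <allow roles="TSTDOMAIN\\M2006_rep"/><deny users="*"/></authorization></system.web></location>
  <system.web><authentication mode="Windows"/>
    <authorization><deny users="{root_deny}"/></authorization></system.web>
</configuration>"""

def load_rules(xml_text):
    """Map each <location path> (lower-cased) and "" (the site root) to its rules."""
    root = ET.fromstring(xml_text)
    rules = {"": list(root.find("system.web").find("authorization"))}
    for loc in root.findall("location"):
        rules[loc.get("path").lower()] = list(loc.find("system.web").find("authorization"))
    return rules

def rule_matches(rule, user, roles):
    """users: '*' = everyone, '?' = anonymous only, else a user name; roles by name."""
    anonymous = user is None
    for u in (s.strip() for s in (rule.get("users") or "").split(",") if s.strip()):
        if u == "*" or (u == "?" and anonymous) or (not anonymous and u.lower() == user.lower()):
            return True
    wanted = {r.strip().lower() for r in (rule.get("roles") or "").split(",") if r.strip()}
    return not anonymous and any(r.lower() in wanted for r in roles)

def is_allowed(rules, path, user, roles=()):
    """<location> rules first, then the parent's; the first matching rule decides."""
    for rule in rules.get(path.lower(), []) + rules[""]:
        if rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # nothing matched: ASP.NET's machine-level default is <allow users="*"/>

def access_matrix(root_deny):
    """Decisions for a rep-group member, a non-rep domain user and an anonymous caller."""
    rules = load_rules(WEB_CONFIG.format(root_deny=root_deny))
    rep = ("TSTDOMAIN\\rep1", ["TSTDOMAIN\\M2006_rep"])  # assumed user names
    other, anon = ("TSTDOMAIN\\user2", []), (None, [])
    return {
        "Default.aspx/rep": is_allowed(rules, "Default.aspx", *rep),
        "Default.aspx/other": is_allowed(rules, "Default.aspx", *other),
        "Other.aspx/rep": is_allowed(rules, "Other.aspx", *rep),  # page with no <location>
        "Other.aspx/anon": is_allowed(rules, "Other.aspx", *anon),
        "Problem.aspx/anon": is_allowed(rules, "Problem.aspx", *anon),
    }
```

The difference shows up on pages without a location block: with `deny users="*"` even an authenticated group member is refused there and gets a 401, which a browser using Windows authentication answers with another credential prompt, while `deny users="?"` challenges only anonymous callers. Pages that do have a location block behave the same under both, so when checking a setup like this, confirm which URL the loop actually happens on and whether the pool identity can resolve the domain group named in the allow rule.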
