Hello Pete,
have you tried
<authorization>
<deny users="?" />
</authorization>
instead of
<authorization>
<deny users="*" />
</authorization>
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Hi,
>
> I have an ASP.NET account which uses the ASP.NET location authorization
> tag in the web.config to restrict only authenticated users in an AD
> Group can access the site. This works wonderfully when using the
> default application pool running with the default NETWORK SERVICE
> account.
>
> However, I really wanted to use Integrated access to SQL Server and
> therefore don't really want to use NETWORK SERVICE as the credential
> to access SQL Server.
>
> So I would rather use a new Active Directory account and use that as
> the application pool account so when it accesses SQL Server it will use
> that account.
>
> Note. The new AD Account is pretty much similar to the NETWORK SERVICE
> Account. The account is part of the IIS_WPG group and has the following
> permissions:
> 1. Adjust memory quotas for a process
> 2. Generate security audits
> 3. Log on as a service
> 4. Replace a process level token
> These permissions were updated by changing the Local Security settings
> (from the Administrative Tools).
>
> My understanding is that the Account I created with the updated
> permission should be able to be used as the Application Pool Account no
> problem.
>
> Unfortunately, this doesn't go according to plan. When I serve up the
> page with the new Application Pool (using the new AD Account) IE keeps
> prompting for my username and password. So I enter it and will never
> authenticate or authorize.
>
> Just to test to see if the Application Pool is fine, I allow anonymous
> access to the site and remove all the location tag in the web.config
> and it works fine.
>
> I have been stuck trying to get this thing to work in this manner.
> Theoretically it should work. But I must be missing something. If anybody
> can help, that would be great. I've also attached a copy of the
> location tag bit of the web.config.
>
> <!-- Public Security Settings -->
> <location path="Problem.aspx">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> <location path="Includes">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> <location path="Images">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> <location path="scripts">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> <location path="ConfirmRequest.aspx">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> <!-- Representatives -->
> <location path="SendAppForm.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="Default.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="SubmitDashboards.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="ViewApplicant.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="ListApplicant.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <!-- Secondary Approver -->
> <location path="SecondaryApprover.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <!-- Office IT -->
> <location path="CreateADAccount.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_OfficeIT" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <location path="Admin">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_OfficeIT" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <!-- all other security groups -->
> <location path="PopUp.aspx">
> <system.web>
> <authorization>
> <allow roles="TSTDOMAIN\M2006_rep" />
> <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
> <allow roles="TSTDOMAIN\M2006_OfficeIT" />
> <deny users="*"/>
> </authorization>
> </system.web>
> </location>
> <system.web>
> <pages validateRequest="false" />
> <compilation defaultLanguage="c#" debug="false" />
> <customErrors mode="Off" defaultRedirect="Problem.aspx" />
> <authentication mode="Windows"/>
> <authorization>
> <deny users="*" />
> </authorization>
> <trust level="Full" originUrl=""></trust>
> <sessionState mode="InProc" />
> <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
> <httpRuntime executionTimeout="900" maxRequestLength="12288" />
> </system.web>
> Thanking whoever responds in advance.
>