Velocity Reviews - Computer Hardware Reviews

Cannot access aspx page if user is not in Admin group

 
 
Mathew Uthup
      06-20-2005
We have a secure directory with an aspx page called Reports.aspx running on
Windows 2000 Server with Service Pack 4. This directory has access rights to
only a specific gg_support group. We have disabled anonymous access to this
directory and only enabled Windows integrated authentication on this page and
in this directory for this group, gg_support.
However, none of the members of this group can access any aspx page in this
directory unless they belong to the admin group. We do not want to give admin
rights to all members of this group, nor do we want to give anonymous access
to this directory. The web config file explicitly sets impersonate to false.
No matter what, we cannot get it to work. The only way we can get it to work
is to grant anonymous access or to give admin rights to this group. My
understanding, based on the readings from MSDN, is that if impersonate is set
to false and integrated authentication is enabled by IIS, the aspx worker
thread should execute under the default aspx account for IIS. My question:
isn't the default account the same as the one used by the anonymous account? How do I get
it to work with the desired security setting that we need?

Thanks Mathew

 
Mathew Uthup
      06-22-2005
We figured this one out with a Microsoft support case. Apparently one needs
to restart IIS if a new user is added to a Windows-authenticated directory. For
some reason Aspx_Isapi does not refresh the cached ACL in IIS 5.0 (I think
this is a bug). Only the aspx extension in the secured directory has this problem,
which leads me to think that ACL information is somehow cached by
Aspx_Isapi. One workaround to this problem is to create a local
ASP_User group and give this group all the necessary ACL permissions for
running ASP (see the following article,
"http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetrequiredaccesscontrollistsacls.asp")
and add users to this group. Once this group exists, adding new users to this
group somehow does not require a reboot of IIS. Hence I suggest planning ahead
by creating a local user group with proper ACL permissions for running
ASP.NET if you want to avoid rebooting IIS in a production environment, if you
plan to use Windows authentication. By the way, in our case users in the Admin
group had the proper ACL permissions for running ASP.NET, hence adding users
who belonged to this group always worked and did not require a reboot of IIS.
Hope this bug will be fixed in the next version of ASP.NET.

"Mathew Uthup" wrote:

> We have a secure directory with an aspx page called Reports.aspx running on
> Windows 2000 Server with Service Pack 4. This directory has access rights to
> only a specific gg_support group. We have disabled anonymous access to this
> directory and only enabled Windows integrated authentication on this page and
> in this directory for this group, gg_support.
> However, none of the members of this group can access any aspx page in this
> directory unless they belong to the admin group. We do not want to give admin
> rights to all members of this group, nor do we want to give anonymous access
> to this directory. The web config file explicitly sets impersonate to false.
> No matter what, we cannot get it to work. The only way we can get it to work
> is to grant anonymous access or to give admin rights to this group. My
> understanding, based on the readings from MSDN, is that if impersonate is set
> to false and integrated authentication is enabled by IIS, the aspx worker
> thread should execute under the default aspx account for IIS. My question:
> isn't the default account the same as the one used by the anonymous account? How do I get
> it to work with the desired security setting that we need?
>
> Thanks Mathew
>

 