Velocity Reviews - Computer Hardware Reviews

Access denied when using active directory groups and windows authentication

 
 
evian_spring@canada.com
      11-02-2005
We had this problem. We solved it in two steps (impersonation is not
the solution).

Step 1: the ASP.NET account needs read and execute on the folder.

Step 2: make sure you **DENY** all other roles.

EXAMPLE:
<allow roles="domain\group" /> <!-- limit to this role -->
<deny roles="*" />

I haven't figured out why the "deny" is needed, but if you do not deny all
the others, it does not work.

 

Dominick Baier [DevelopMentor]
11-02-2005
Hello,

in the global web.config there is an implicit <allow users="*" />,

otherwise no ASP.NET app would work by default.

Because your local web.config inherits the global one, you have to set the
deny manually.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> We had this problem. We solved it in two steps (impersonation is not
> the solution).
>
> Step 1: asp.net account needs read and execute to the folder.
>
> Step 2: make sure you **DENY** all other roles.
>
> EXAMPLE:
> <allow roles="domain\group" /> <!-- limit to this role -->
> <deny roles="*" />
> I haven't figured it out why the "deny" but if you do not deny all
> other, it does not work.
>



 
Dominick Baier [DevelopMentor]
11-02-2005
Hello David,

You should definitely log on as the user in question and do a whoami /groups
to double check if the user is indeed in this group (at least from the point
of view of that machine).
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Yup, as you mentioned turning on impersonation does not resolve the
> problem. I guess for now I will just suggest adding the users directly
> to the web.config (aren't that many anyway) and will put in a better
> solution when we upgrade to 2.0 which we are in the process of doing
> now. I'll look into the new Request.LogonUserIdentity feature.
>
> Thanks again for all your help
> David



 
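Added example (not code from any poster in this thread): a small Python script that replays how ASP.NET's UrlAuthorizationModule combines an application's <authorization> rules with the inherited <allow users="*" /> that Dominick describes above, and feeds it the group list from `whoami /groups` as he suggests in this post. It assumes the placeholder names domainname\groupname and domainname\username from David's original post, a constructed `whoami /groups /fo csv` dump with made-up SIDs, and the documented evaluation order (the application's own rules first, then the inherited ones, first match wins). It does not reproduce David's actual failure, where a valid group member is refused; for that, run the live variant on the web server in a session logged on as that user and check whether the group name appears in the token at all.

```python
# Added example (not code from this thread): replay ASP.NET's <authorization>
# rule evaluation against the groups in a user's token, to show both why an
# app that only lists <allow roles=...> still admits everyone (the inherited
# <allow users="*" />) and whether the group is actually in the token as the
# web server sees it (the same data `whoami /groups` prints).
import csv
import io
import subprocess
import xml.etree.ElementTree as ET

# Rule every application inherits from the machine-level configuration.
# ASP.NET evaluates the most specific config's rules first and the inherited
# ones afterwards, so this always comes LAST and only matters when nothing
# above it matched.
INHERITED_RULES = [("allow", "users", "*")]

# Constructed sample of `whoami /groups /fo csv` output for a hypothetical
# member of domainname\groupname (the SIDs are made up, not a real token dump).
SAMPLE_WHOAMI_CSV = '''\
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"domainname\\groupname","Group","S-1-5-21-1111111111-2222222222-3333333333-1105","Mandatory group, Enabled by default, Enabled group"
'''

# David's configuration (allow the group, deny everyone else) and the same
# section with the <deny> left out.
CONFIG_WITH_DENY = '''<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="domainname\\groupname" />
      <deny users="*" />
    </authorization>
    <identity impersonate="false" />
  </system.web>
</configuration>'''

CONFIG_WITHOUT_DENY = CONFIG_WITH_DENY.replace('      <deny users="*" />\n', '')


def parse_whoami_groups(csv_text):
    """Group names from `whoami /groups /fo csv` output, lower-cased for matching."""
    return {row["Group Name"].lower() for row in csv.DictReader(io.StringIO(csv_text))}


def live_whoami_groups():
    """Windows only: the groups in the CURRENT logon token on this machine.
    Run it on the web server, in a session logged on as the user in question,
    because that is the token IIS builds for the request."""
    out = subprocess.run(["whoami", "/groups", "/fo", "csv"],
                         capture_output=True, text=True, check=True).stdout
    return parse_whoami_groups(out)


def parse_authorization(web_config_xml):
    """(verb, kind, name) tuples from the <authorization> section, in document
    order, one tuple per comma-separated name."""
    section = ET.fromstring(web_config_xml).find(".//authorization")
    rules = []
    for elem in section:
        if elem.tag not in ("allow", "deny"):
            continue
        for kind in ("users", "roles"):
            for name in elem.get(kind, "").split(","):
                if name.strip():
                    rules.append((elem.tag, kind, name.strip()))
    return rules


def is_authorized(app_rules, user, groups, authenticated=True):
    """First matching rule wins. users="*" matches everyone, users="?" matches
    only anonymous requests, and a role matches when the token contains a
    group of that name (compared case-insensitively, like IsInRole)."""
    groups = {g.lower() for g in groups}
    for verb, kind, name in app_rules + INHERITED_RULES:
        if kind == "users":
            matched = (name == "*"
                       or (name == "?" and not authenticated)
                       or (authenticated and name.lower() == user.lower()))
        else:
            matched = name.lower() in groups
        if matched:
            return verb == "allow"
    return False  # not reached: the inherited allow-all always matches


def decide(web_config_xml, user, whoami_csv):
    """Would this user, with this token, get into the application?"""
    return is_authorized(parse_authorization(web_config_xml), user,
                         parse_whoami_groups(whoami_csv))


if __name__ == "__main__":
    member = "domainname\\username"
    outsider_csv = SAMPLE_WHOAMI_CSV.replace('"domainname\\groupname",', '"domainname\\othergroup",')
    for label, cfg in (("with deny", CONFIG_WITH_DENY), ("without deny", CONFIG_WITHOUT_DENY)):
        print(label, "member:", decide(cfg, member, SAMPLE_WHOAMI_CSV),
              "outsider:", decide(cfg, "domainname\\someoneelse", outsider_csv))
```

With the <deny users="*" /> in place a non-member is refused; take it out and the same non-member is admitted by the inherited rule, which is the behaviour evian_spring reported. If a genuine member is still refused, the interesting output is the live group list rather than the rule evaluation: a group that is missing from the token on the web server, or present only under a different name, cannot match <allow roles>.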
 
Dominick Baier [DevelopMentor]
11-02-2005
Hello Joe,

Yeah - I should add "whoami /groups" functionality to my test page. Good
idea.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Sorry I missed that. There must be something wrong then that is
> preventing groups from working correctly.
>
> I definitely recommend checking out Dominick's troubleshooting tools
> and perhaps doing whatever else you can to figure out why the user's
> token doesn't contain the groups in question or their names aren't
> resolving.
>
> Is it possible that the groups are domain local and the domain is
> still 2000 mixed mode? Could they be domain local groups from a
> different domain?
>
> Joe K.
>
> "David" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
>
>> Yup, as you mentioned turning on impersonation does not resolve the
>> problem. I guess for now I will just suggest adding the users
>> directly to the web.config (aren't that many anyway) and will put in
>> a better solution when we upgrade to 2.0 which we are in the process
>> of doing now. I'll look into the new Request.LogonUserIdentity
>> feature.
>>
>> Thanks again for all your help
>> David



 
Patrick.O.Ige
11-04-2005
I would try removing some ACL read on some files and try it.
I didn't really think of that because the folder in which the aspx files
are contained had read, write permissions.
Thx for the info guys
Patrick



"Patrick.O.Ige" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> David, as Joe advised I think you have to enable impersonation.
> I have done a similar solution for a company and I had to use impersonation
> unless I am wrong.
> I was redirecting users after login in an intranet based Windows Auth to
> perform authorisation.
> Hope that helps
> Patrick
>
> "Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
> in message news:(E-Mail Removed)...
> > Just out of curiosity, does the group-based authorization work if you
> > enable impersonation?
> >
> > I've heard of situations where impersonation needed to be enabled in
> > order for the SIDs in the user's token to get resolved into friendly names at
> > runtime, but I have no idea what causes this. That might be the problem
> > though.
> >
> > It is also possible you are spelling the group name wrong, but hopefully
> > that isn't it.
> >
> > Joe K.
> >
> > "David" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) oups.com...
> > > Hi, I am trying to configure my app using windows authentication. I
> > > would like to limit access to an Active Directory group but do not
> > > want to implement impersonation. I've setup the config section as follows:
> > >
> > > <authentication mode="Windows" />
> > > <authorization>
> > >   <allow roles="domainname\groupname" />
> > >   <deny users="*" />
> > > </authorization>
> > > <identity impersonate="false" />
> > >
> > > I am being prompted for user credentials, however, it is not letting
> > > me in with a valid account. If I change the config section to limit to an
> > > Active Directory user only, example: <allow users
> > > ="domainname\username" />, this setting works just fine. It's very
> > > frustrating and I'm hoping I won't need to open a Microsoft Support
> > > ticket. Any suggestions are greatly appreciated.
> > >
> > > David


 