Configuring Windows-based Authentication and UrlAuthorization

 
 
MCM
Guest
Posts: n/a
 
      08-29-2009
I have a web application that is partially public and partially intranet. I
need help configuring the security.

All the public urls are located in the root directory. The intranet urls are
located in a subdirectory called Admin. In IIS, I have 2 bindings configured
- one with a public DNS name and one with the internal server name so IE will
recognize the site as part of the intranet. These are the sections in my
web.config as I have them now:

<system.web>
    <httpModules>
        <remove name="FormsAuthentication" />
        <remove name="PassportAuthentication" />
        <remove name="AnonymousIdentification" />
        <remove name="FileAuthorization" />
        <remove name="OutputCache" />
        <remove name="RoleManager" />
        <remove name="Profile" />
        <remove name="ServiceModel" />
        <remove name="ErrorHandlerModule" />
        <add name="ScriptModule"
             type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
    </httpModules>
    <authentication mode="Windows" />
</system.web>

<location path="Admin">
    <system.web>
        <authorization>
            <allow roles="DOMAIN\Administrators" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

The public portion of the application loads fine. The intranet portion is
giving me access errors. I'm sure I have it configured wrong.
 
 
Alexey Smirnov
Guest
Posts: n/a
 
      08-30-2009
On Aug 29, 8:01 am, MCM <(E-Mail Removed)> wrote:
> I have a web application that is partially public and partially intranet. I
> need help configuring the security.
>
> All the public urls are located in the root directory. The intranet urls are
> located in a subdirectory called Admin. In IIS, I have 2 bindings configured
> - one with a public DNS name and one with the internal server name so IE will
> recognize the site as part of the intranet. These are the sections in my
> web.config as I have them now:
>
>     <system.web>
>         <httpModules>
>             <remove name="FormsAuthentication" />
>             <remove name="PassportAuthentication" />
>             <remove name="AnonymousIdentification" />
>             <remove name="FileAuthorization" />
>             <remove name="OutputCache" />
>             <remove name="RoleManager" />
>             <remove name="Profile" />
>             <remove name="ServiceModel" />
>             <remove name="ErrorHandlerModule" />
>             <add name="ScriptModule"
>                  type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
>         </httpModules>
>         <authentication mode="Windows" />
>     </system.web>
>
>     <location path="Admin">
>         <system.web>
>             <authorization>
>                 <allow roles="DOMAIN\Administrators" />
>                 <deny users="*" />
>             </authorization>
>         </system.web>
>     </location>
>
> The public portion of the application loads fine. The intranet portion is
> giving me access errors. I'm sure I have it configured wrong.


1) Try changing the location path to "~/admin"
2) Check if Windows authentication is enabled (if IIS really receives
your membership)
 
 
MCM
Guest
Posts: n/a
 
      08-30-2009
> 1) Try changing the location path to "~/admin"

That didn't work. It just lets all users have access if I change it to
that. When it is set to "Admin", it does respond correctly by requiring
permission for the appropriate directory. But even authorized users are
getting prompted for credentials. And even admin credentials are being
rejected with "401 - Unauthorized: Access is denied due to invalid
credentials."

> 2) Check if Windows authentication is enabled (if IIS really receives
> your membership)


It is.
 
 
Thomas Sun [MSFT]
Guest
Posts: n/a
 
      08-31-2009
Hi MCM,

This is Thomas Sun from MSDN managed newsgroup. I will assist you with this
case.

From your description, I understand that you use Windows Authentication to
authenticate your ASP.NET web application, which contains two parts: a public
part and a private part. The private part, named "Admin", uses
<location> settings so that only the Administrators role is allowed
access. If I have misunderstood you, please feel free to let me know.

Firstly, we need to make sure the identity that requests your website is in
the Administrators role that you specify in the <allow> section of the <location>
settings. As a test, we can display the identity name in the page with the
following code:
===============================
Response.Write(User.Identity.Name);
===============================

Besides, we also can specify a domain user in <location> settings and then
request your website with that identity to see whether it works. For
example:
===============================
<location path="Admin">
    <system.web>
        <authorization>
            <allow users="YourDomain\OneUserName"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
===============================

I look forward to receiving your test results.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support

 
MCM
Guest
Posts: n/a
 
      08-31-2009
Hi Thomas-

> Firstly, we need to make sure the identity that requests your website is in
> the Administrators role that you specify in <allow> section of <location>
> settings. For test, we can present the identity name in page by following
> code:
> ===============================
> Response.Write(User.Identity.Name);
> ===============================


No name is displaying at all. This value is blank. Could this be a browser
setting?


> Besides, we also can specify a domain user in <location> settings and then
> request your website with that identity to see whether it works. For
> example:
> ===============================
> <location path="Admin">
>     <system.web>
>         <authorization>
>             <allow users="YourDomain\OneUserName"/>
>             <deny users="*"/>
>         </authorization>
>     </system.web>
> </location>
> ===============================


This also does not let me have access. But I presume that until we fix the
blank username problem, we won't get anywhere.

-Max
 
 
Thomas Sun [MSFT]
Guest
Posts: n/a
 
      08-31-2009
Hi MCM,

Thanks for your response.

Please make sure we only enable Integrated Windows Authentication and
disable Anonymous access option on IIS. When anonymous access is enabled,
no authenticated user credentials are required to access the site. For more
information, see http://support.microsoft.com/kb/324274


I look forward to receiving your test results.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support

 
Alexey Smirnov
Guest
Posts: n/a
 
      08-31-2009
On Aug 30, 5:12 pm, MCM <(E-Mail Removed)> wrote:
> > 1) Try changing the location path to "~/admin"
>
> That didn't work. It just lets all users have access if I change it to
> that. When it is set to "Admin", it does respond correctly by requiring
> permission for the appropriate directory. But even authorized users are
> getting prompted for credentials. And even admin credentials are being
> rejected with "401 - Unauthorized: Access is denied due to invalid
> credentials."
>
> > 2) Check if Windows authentication is enabled (if IIS really receives
> > your membership)
>
> It is.


hm...

What happens if you delete the location path from the main web.config file and
move that configuration into the Admin folder? You should put this there:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="DOMAIN\Administrators" />
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>
 
 
Alexey Smirnov
Guest
Posts: n/a
 
      08-31-2009
On Aug 31, 4:36 pm, MCM <(E-Mail Removed)> wrote:
> Is it possible to disable anonymous access just for the Admin folder? I'd
> like to allow it for the public section.

Use <deny users="?"/> to disable anonymous users

<deny users="*"/> blocks everyone
 
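The difference between "?" and "*" described in the post above, worked through as an added example that is not part of the original thread: a simplified Python model of first-match URL authorization (not ASP.NET's own code), run against the rule sets quoted on this page. The account names DOMAIN\alice and DOMAIN\bob are constructed, and the trailing allow-all rule stands in for the default inherited from machine-level configuration.

```python
import xml.etree.ElementTree as ET

# Rule sets quoted from the thread.
ROLE_RULES = r'<authorization><allow roles="DOMAIN\Administrators"/><deny users="*"/></authorization>'
ANON_RULES = '<authorization><deny users="?"/></authorization>'
# Assumption of this model: the allow-all rule inherited from machine-level config.
INHERITED_DEFAULT = ("allow", ["*"], [])


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order, plus the inherited default."""
    rules = []
    for el in ET.fromstring(xml_text):
        users = [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules + [INHERITED_DEFAULT]


def matches(users, roles, name, member_of):
    """True if a rule applies to this principal; name == '' means anonymous."""
    for u in users:
        if u == "*" or (u == "?" and name == "") or (name and u == name.lower()):
            return True
    return any(r in member_of for r in roles)


def authorize(xml_text, name="", member_of=()):
    """First matching rule wins; a 'deny' result is what surfaces as HTTP 401."""
    groups = {g.lower() for g in member_of}
    for action, users, roles in parse_rules(xml_text):
        if matches(users, roles, name, groups):
            return action
    return "deny"


# Constructed principals (hypothetical account names).
ANONYMOUS = {"name": ""}  # blank User.Identity.Name
ADMIN = {"name": r"DOMAIN\alice", "member_of": [r"DOMAIN\Administrators"]}
OTHER = {"name": r"DOMAIN\bob", "member_of": [r"DOMAIN\Users"]}

if __name__ == "__main__":
    for label, rules in (("allow roles + deny *", ROLE_RULES), ("deny ? only", ANON_RULES)):
        for who in (ANONYMOUS, ADMIN, OTHER):
            print(f"{label:22} {who['name'] or '(anonymous)':14} -> {authorize(rules, **who)}")
```

A request whose identity name is blank never matches the allow-roles rule, so it falls through to the deny-everyone rule; with only the deny-anonymous rule, every authenticated account gets in, not just members of the role.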
 
MCM
Guest
Posts: n/a
 
      08-31-2009
I tried disabling Anonymous access, but there was no change.


"Thomas Sun [MSFT]" wrote:

> Hi MCM,
>
> Thanks for your response.
>
> Please make sure we only enable Integrated Windows Authentication and
> disable Anonymous access option on IIS. When anonymous access is enabled,
> no authenticated user credentials are required to access the site. For more
> information, see http://support.microsoft.com/kb/324274
>
>
> I look forward to receiving your test results.
 
Alexey Smirnov
Guest
Posts: n/a
 
      08-31-2009
On Aug 31, 11:29 pm, MCM <(E-Mail Removed)> wrote:
> I tried disabling Anonymous access, but there was no change.


Well, I would try to set up a clean web.config, get rid of

<remove name="FormsAuthentication" />
<remove name="PassportAuthentication" />
<remove name="AnonymousIdentification" />
<remove name="FileAuthorization" />
<remove name="OutputCache" />
<remove name="RoleManager" />
<remove name="Profile" />
<remove name="ServiceModel" />
<remove name="ErrorHandlerModule" />

(let's load all by default)

enable trace

and put just

<deny users="?"/>

and see what happens
 