«

hi ng.

i have a strange behaviour when i want to control who can access a web
application by setting web.config like:
<authorization>
<allow users="DOMAIN\ACCOUNT,..." />
<deny users="*" />

the authorization is working fine, but the user receives the standard
"The page cannot be displayed"
error page.
whereas when the authorization check is disabled, everything is working
fine.

my iis settings are:
allow anonymous access
integrated windows authentication enabled

i have no idea about what could be wrong.
thanks a lot,
dan

it look to me that your <allow... /> and <deny.../> in web.config does not
make sense: first you want to allow access for users in a domain, then you
deny access to ALL USERS, so that your ASP.NET app cannot be accessed to by
anyone. If you want to block anonymous user, it should be <deny users="?"
/>. But the better way to deny anonymous access is simple uncheck "Anonymous
access" in IIS setting for the ASP.NET application.

"Dan" <> wrote in message
news:cna9f1$u4v$...
> hi ng.
>
> i have a strange behaviour when i want to control who can access a web
> application by setting web.config like:
> <authorization>
> <allow users="DOMAIN\ACCOUNT,..." />
> <deny users="*" />
>
> the authorization is working fine, but the user receives the standard
> "The page cannot be displayed"
> error page.
> whereas when the authorization check is disabled, everything is working
> fine.
>
> my iis settings are:
> allow anonymous access
> integrated windows authentication enabled
>
> i have no idea about what could be wrong.
> thanks a lot,
> dan

Norman Yuan wrote:
> it look to me that your <allow... /> and <deny.../> in web.config
> does not make sense: first you want to allow access for users in a
> domain, then you deny access to ALL USERS, so that your ASP.NET app
> cannot be accessed to by anyone. If you want to block anonymous user,
> it should be <deny users="?" />. But the better way to deny anonymous
> access is simple uncheck "Anonymous access" in IIS setting for the
> ASP.NET application.

I'll have to disagree here Norman.
Dan's configuration is 100% OK. See also:
http://msdn.microsoft.com/library/en...haspdotnet.asp

The rule here is that the authorization block is checked
from top to bottom, and the first match is the one that counts.

But I agree with you that disabling "Anonymous access" would
solve Dan's problem.

Dan, you're using the ASPNET account for anonymous
access, which subsequently will be refused access.
Disabling anonymous access will solve this problem.

--

Jos

Norman wrote:

> it look to me that your <allow... /> and <deny.../> in web.config does not
> make sense: first you want to allow access for users in a domain, then you
> deny access to ALL USERS, so that your ASP.NET app cannot be
> accessed to by anyone.

This is not true, his web.config does make sense!

From MSDN:

"At run time, the authorization module iterates through the <allow> and
<deny> tags until it finds the first access rule that fits a particular
user. It then grants or denies access to a URL resource depending on whether
the first access rule found is an <allow> or a <deny> rule."

If a user cannot log in, his account doesn't match the one you specified in
your <allow> block.

Steven

- - -

Thanks for your support, but the problem was that my domainsettings were
wrong.
the settings do make sense: i can control which domain user gets access
to the application
deny=? would mean that every user authenticated by active directory gets
access.

Dan

Norman Yuan wrote:

> it look to me that your <allow... /> and <deny.../> in web.config does not
> make sense: first you want to allow access for users in a domain, then you
> deny access to ALL USERS, so that your ASP.NET app cannot be accessed to by
> anyone. If you want to block anonymous user, it should be <deny users="?"
> />. But the better way to deny anonymous access is simple uncheck "Anonymous
> access" in IIS setting for the ASP.NET application.
>
> "Dan" <> wrote in message
> news:cna9f1$u4v$...
>
>>hi ng.
>>
>>i have a strange behaviour when i want to control who can access a web
>>application by setting web.config like:
>> <authorization>
>> <allow users="DOMAIN\ACCOUNT,..." />
>> <deny users="*" />
>>
>>the authorization is working fine, but the user receives the standard
>>"The page cannot be displayed"
>>error page.
>>whereas when the authorization check is disabled, everything is working
>>fine.
>>
>>my iis settings are:
>>allow anonymous access
>>integrated windows authentication enabled
>>
>>i have no idea about what could be wrong.
>>thanks a lot,
>>dan
>
>
>