Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > authentication: deny users=* problem

Reply
Thread Tools

authentication: deny users=* problem

 
 
Dan
Guest
Posts: n/a
 
      11-15-2004
hi ng.

i have a strange behaviour when i want to control who can access a web
application by setting web.config like:
<authorization>
<allow users="DOMAIN\ACCOUNT,..." />
<deny users="*" />

the authorization is working fine, but the user receives the standard
"The page cannot be displayed"
error page.
whereas when the authorization check is disabled, everything is working
fine.

my iis settings are:
allow anonymous access
integrated windows authentication enabled

i have no idea about what could be wrong.
thanks a lot,
dan
 
Reply With Quote
 
 
 
 
Norman Yuan
Guest
Posts: n/a
 
      11-15-2004
it look to me that your <allow... /> and <deny.../> in web.config does not
make sense: first you want to allow access for users in a domain, then you
deny access to ALL USERS, so that your ASP.NET app cannot be accessed to by
anyone. If you want to block anonymous user, it should be <deny users="?"
/>. But the better way to deny anonymous access is simple uncheck "Anonymous
access" in IIS setting for the ASP.NET application.

"Dan" <(E-Mail Removed)-tuebingen.de> wrote in message
news:cna9f1$u4v$(E-Mail Removed)-tuebingen.de...
> hi ng.
>
> i have a strange behaviour when i want to control who can access a web
> application by setting web.config like:
> <authorization>
> <allow users="DOMAIN\ACCOUNT,..." />
> <deny users="*" />
>
> the authorization is working fine, but the user receives the standard
> "The page cannot be displayed"
> error page.
> whereas when the authorization check is disabled, everything is working
> fine.
>
> my iis settings are:
> allow anonymous access
> integrated windows authentication enabled
>
> i have no idea about what could be wrong.
> thanks a lot,
> dan



 
Reply With Quote
 
 
 
 
Jos
Guest
Posts: n/a
 
      11-15-2004
Norman Yuan wrote:
> it look to me that your <allow... /> and <deny.../> in web.config
> does not make sense: first you want to allow access for users in a
> domain, then you deny access to ALL USERS, so that your ASP.NET app
> cannot be accessed to by anyone. If you want to block anonymous user,
> it should be <deny users="?" />. But the better way to deny anonymous
> access is simple uncheck "Anonymous access" in IIS setting for the
> ASP.NET application.


I'll have to disagree here Norman.
Dan's configuration is 100% OK. See also:
http://msdn.microsoft.com/library/en...haspdotnet.asp

The rule here is that the authorization block is checked
from top to bottom, and the first match is the one that counts.

But I agree with you that disabling "Anonymous access" would
solve Dan's problem.

Dan, you're using the ASPNET account for anonymous
access, which subsequently will be refused access.
Disabling anonymous access will solve this problem.

--

Jos


 
Reply With Quote
 
Steven Spits
Guest
Posts: n/a
 
      11-15-2004
Norman wrote:

> it look to me that your <allow... /> and <deny.../> in web.config does not
> make sense: first you want to allow access for users in a domain, then you
> deny access to ALL USERS, so that your ASP.NET app cannot be
> accessed to by anyone.


This is not true, his web.config does make sense!

From MSDN:

"At run time, the authorization module iterates through the <allow> and
<deny> tags until it finds the first access rule that fits a particular
user. It then grants or denies access to a URL resource depending on whether
the first access rule found is an <allow> or a <deny> rule."

If a user cannot log in, his account doesn't match the one you specified in
your <allow> block.

Steven

- - -


 
Reply With Quote
 
Dan
Guest
Posts: n/a
 
      11-15-2004
Thanks for your support, but the problem was that my domainsettings were
wrong.
the settings do make sense: i can control which domain user gets access
to the application
deny=? would mean that every user authenticated by active directory gets
access.

Dan

Norman Yuan wrote:

> it look to me that your <allow... /> and <deny.../> in web.config does not
> make sense: first you want to allow access for users in a domain, then you
> deny access to ALL USERS, so that your ASP.NET app cannot be accessed to by
> anyone. If you want to block anonymous user, it should be <deny users="?"
> />. But the better way to deny anonymous access is simple uncheck "Anonymous
> access" in IIS setting for the ASP.NET application.
>
> "Dan" <(E-Mail Removed)-tuebingen.de> wrote in message
> news:cna9f1$u4v$(E-Mail Removed)-tuebingen.de...
>
>>hi ng.
>>
>>i have a strange behaviour when i want to control who can access a web
>>application by setting web.config like:
>> <authorization>
>> <allow users="DOMAIN\ACCOUNT,..." />
>> <deny users="*" />
>>
>>the authorization is working fine, but the user receives the standard
>>"The page cannot be displayed"
>>error page.
>>whereas when the authorization check is disabled, everything is working
>>fine.
>>
>>my iis settings are:
>>allow anonymous access
>>integrated windows authentication enabled
>>
>>i have no idea about what could be wrong.
>>thanks a lot,
>>dan

>
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PIX 506E Deny inbound (No xlate) tcp jan david dijk Cisco 6 01-07-2009 09:24 PM
newbie: allow deny vs deny allow Jeff ASP .Net 2 09-19-2006 02:12 AM
Domain controller GPO does not deny logon locally right to IWAM_machinename when running aspnet.wp.exe \Rob\ ASP .Net 4 05-12-2004 12:13 AM
Strange PIX Deny Inbound Error Richard Cisco 3 01-20-2004 09:09 PM
permit only outbound icmp requests and inbound replies, deny other Mark Matheney Cisco 1 12-10-2003 02:00 PM



Advertisments