authorization

niall29

Hi
I have a problem which I am sure somebody will think is a very easy question, but I am having a lot of trouble with it.

I have created an intranet site and also a group in my Active directory called "issusers" and have written in my web.config file "allow roles =domain\iisusers" and I have only put 3 people in the list but my site is opening for everybody in the domain.

Please can somebody help me understand what I'm doing wrong.

Thanks in advance
 
I know it's a silly question, but the most obvious: are you using (is it turned on) Windows Authentication? By default your web config file will set the authorization to none.
 
This is part of web.config file:

<authorization>
    <allow roles="Domain\iisusers" />
    <deny users="?" />
</authorization>

I tried changing the "?" to a "*" but when I do it gives me a log in form which I do not want.
 
I have impersonation on.

Can you also tell me, if I put:

<allow roles="Domain\iisusers" />
<deny users ="*" />

why does it give me the login Msgbox,
but if I remove the <deny users ="*" /> or change it to <deny users ="?" />
it goes straight to the web page no matter if you are in the iisusers group or not?
 
If you have them in the order
<allow roles="Domain\iisusers" />
<deny users ="*" />
you are saying allow iisusers in and deny everyone else.

If you change it to deny users = "?" you are saying deny anyone who isn't logged in.

Either way it is not rejecting users - go with the deny = "*" option.

The reason you are getting the login prompt is the server is rejecting your current credentials (correct) so the browser is prompting for alternate ones.
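
The rule ordering described in this reply, as an added example that is not code from any poster in the thread: a simplified Python model of first-match URL authorization, including the `<allow users="*" />` default that ASP.NET inherits from the machine-level configuration and evaluates after the application's own rules. The `User`, `Rule`, `authorize` and `outcomes` names and the alice/bob accounts are hypothetical, and the model ignores verbs and comma-separated lists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str                       # "" means anonymous (not authenticated)
    roles: frozenset = frozenset()  # Windows groups the user belongs to

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    users: str = ""  # "*" (everyone), "?" (anonymous) or one user name
    roles: str = ""  # one role / group name

    def matches(self, user):
        if self.roles:
            return self.roles.lower() in {r.lower() for r in user.roles}
        if self.users == "*":
            return True
        if self.users == "?":
            return user.name == ""
        return user.name != "" and self.users.lower() == user.name.lower()

# Default rule inherited from the machine-level configuration. It sits
# after the application's rules, so it only applies if none of them match.
INHERITED = [Rule("allow", users="*")]

def authorize(app_rules, user):
    """Return the action of the first matching rule, top to bottom."""
    for rule in list(app_rules) + INHERITED:
        if rule.matches(user):
            return rule.action
    return "deny"

# Constructed sample identities (hypothetical accounts).
MEMBER = User(r"DOMAIN\alice", frozenset({r"DOMAIN\iisusers"}))
OTHER = User(r"DOMAIN\bob", frozenset({r"DOMAIN\Domain Users"}))
ANON = User("")

# The two rule sets discussed in the thread.
DENY_ANON = [Rule("allow", roles=r"DOMAIN\iisusers"), Rule("deny", users="?")]
DENY_ALL = [Rule("allow", roles=r"DOMAIN\iisusers"), Rule("deny", users="*")]

def outcomes(rules):
    return {u.name or "anonymous": authorize(rules, u) for u in (MEMBER, OTHER, ANON)}

if __name__ == "__main__":
    for label, rules in (("deny ?", DENY_ANON), ("deny *", DENY_ALL)):
        print(label, outcomes(rules))
```

With `deny users="?"` the authenticated non-member matches neither application rule and falls through to the inherited allow, which is why every domain user gets in; only `deny users="*"` closes that gap.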
 
Did you debug the app to see if IIS is passing the appropriate token?

This line will give you the current user:
Code:
string user = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
 
Ok
Thanks, I have found the problem with your help, so hopefully with your help again I will get a solution.

I have impersonation ="true" userName ="Domain\ReportReader" password= "password"

I thought it would keep the user's ID until the page opened and then impersonate the user "ReportReader", but it takes the ID as soon as it opens, which is why it never likes the ID no matter who logs in, because ReportReader is not a member of the "IISGroup".

Please can you help me to work round this.
 
When you define userName and password attributes in the impersonation element, you are specifying that it will always use this identity regardless of the identity of the request. If you want to use the real request's identity, you should remove these attributes from impersonation.
 
Thanks.
Now, am I right in saying that if I want to make a connection to a SQL server to pull a query, I would just put the username and password into the SQL connection string instead of using SSPI, because I don't want to give users rights to the server?
 
What is wrong with this:

Public strConn As String = "Data Source=Igloo;uid=Domain\User;pwd=password;Database=dbName;"

Public Conn As New SqlConnection(strConn)

Every time it fails.
 
Ok, I don't know if it is always this way, but when I used a server user login instead of a domain/User it works. I still have a problem with the login box coming up when you open the page, which I don't want.
 