Unauthorized logon

[niall29]

I have a site on the intranet at work and what I am trying to do is when an employee does not belong to a Group which is Authorized to look at a page it will go directly to the Page that says unauthorized instead of giving them 3 chances to log in.
Please can some body help.

Thanks in advance

 

[mhildner]

Have you looked at forms authentication? This is one place to start.

 

[niall29]

But that is the problem, I don't want to give them a form to log on. I want it to check their Windows logon and if it doesn't have authentication then redirect to the other page and not give the form for an alternative signon.

 

[coldfusion244]

But that is the problem, I don't want to give them a form to log on. I want it to check their Windows logon and if it doesn't have authentication then redirect to the other page and not give the form for an alternative signon.

So you're saying that depending on their logon name you're going to give/deny access? Seems really insecure...

 

[niall29]

It is only a site on the Intranet which we would prefer if agents didnt see so I have set it up as.

<authentication mode="Windows" />

<authorization>
<allow roles="Management " />
<deny users="*" />
</authorization>

and if you are in management it will go to the page and if your not it will go to the Unauthorized page. Or what would you recommend??

 

[Derek Stone]

If you're using ASP.NET to manage user roles, you'll need to look at using the "location" configuration setting.

Configuration <location> Settings

 

[niall29]

Thanks
I will look at it. I have never used it before, I know Im being a bit of a pain but can you give me any examples how to use it

 

[ombun2]

maybe i'm just tired. not thinking straight and i've got this all wrong, but
isn't this an IIS issue instead of an asp.net issue? Sine this isn't using forms authentication (IIS set to anonymous) then this logon prompt comes from IIS not the application. Espcially that thing with the limiting the 3 errors to just one...can one solve this by creating a GPO and playing with ComputerConfiguration -> WindowsSettings -> security settings -> account policies -> (account lockout policy and account lockout duration)...even if not this way, isn't this a windows issue instead of a app issue?

it sound fishy, but i'm really curious what others think

 

[ombun2]

just to complete what i said, I guess i was trying to point out the difference between IIS Integrated Windows Authentication and ASP.Net Windows authentication.

After IIS authentication (Anonymous, Basic, Digest, Integrated Windows) ASP.Net also has 4 "authentication" modes (None, Windows, Forms, and Passport)

The reason I put the ASP.NET "authentication" modes in quotes is because I believe that only the last 2 actually do authentication because in order to use them one had to put IIS authentication to anonymous. ASP.NET "None" and "Windows" actually have more to do with AUTHORIZATION, and which accounts are allowed access to what resources, however the AUTHENTICATION part comes from IIS.