rmac #1
allow groups with Forms Authentication
I am testing forms authentication against Active Directory. I want to limit access to the site based on Windows groups. The app is working but it allows anyone with a domain account access, which is undesirable. I followed the Microsoft KB article 326340. Here is the entry in my web.config:

    <authorization>
        <allow roles="domainname\group" />
        <deny users="?" />
    </authorization>

Does anyone know how to accomplish this?
Thanks
rmac
rmac Guest
-
Brad #2
Re: allow groups with Forms Authentication
You would want to change the <deny users="?"> to <deny users="*">.

Role checks are top down. If the first check passes they're in. In your example any authenticated user would also pass the next test; <deny users="?"> just denies unauthenticated users.

By changing to <deny users="*">, if they don't pass the first test they won't get in because the * says deny everyone. They will get a network login dialog box, but no matter what they enter into the login dialog it will fail with an access denied....well, this is unless they enter a login that is a member of the group you allow in.

Also - If you wanted to provide a "polite" access denied result, i.e. send them somewhere else such as your own error page, you could alternately just set <deny users="?"> (removing your current allow test) and then in your global.asax code do a test if the user is in a permitted role, else send them somewhere else.

Example

    ' Runs for every request once the forms-auth module has set Context.User.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Request.IsAuthenticated AndAlso _
           Context.User.IsInRole("domainname\group") = False Then
            ' Only redirect when not already on the no-access page,
            ' otherwise the redirect would loop on itself.
            If Request.Url.ToString().IndexOf("mynoaccesspage") < 0 Then
                Response.Redirect("mynoaccesspage")
            End If
        End If
    End Sub

Hope this helps some
Brad
"rmac" <anonymous@discussions.microsoft.com> wrote in message
news:046e01c3c419$9b1afed0$a101280a@phx.gbl...
> I am testing forms authentication against Active
> Directory. I want to limit access to the site based on
> Windows groups. The app is working but it allows anyone
> with a domain account access which is undesirable. I
> followed the Microsoft KB article 326340. Here is the
> entry in my web.config:
>
> <authorization>
> <allow roles="domainname\group" />
> <deny users="?" />
> </authorization>
>
> Does anyone know how to accomplish this?
>
> Thanks
> rmac
Brad Guest
-
rmac #3
Re: allow groups with Forms Authentication
Thank you for your response. It was very helpful.
rmac Guest
-
rmac #4
Re: allow groups with Forms Authentication
Brad,
I have tried the method you mentioned. I am not able to check the roles. If I put in code on the requested page to check for the group I come up empty. Ex:

    If Context.User.IsInRole("domainname\group") = True Then
        lblName.Text = "Hello " & Context.User.Identity.Name & "."
    End If

The label text is empty.

If I do this and deny unauthenticated users in the web.config:

    If Request.IsAuthenticated = True Then
        lblName.Text = "Hello " & Context.User.Identity.Name & "."
    End If

the label shows the user name.

In my web.config file if I do this:

    <allow users="domain\group" />
    <deny users="*" />

I cannot login no matter what account I use.
Am I missing something?
Thanks
rmac
rmac Guest
-
Brad #5
Re: allow groups with Forms Authentication
Your example of

    <allow users="domain\group" />
    <deny users="*" />

Should be

    <allow roles="domain\group" />
    <deny users="*" />

FYI - You can also look at "Configure ASP.NET Settings" of the following MSDN topic:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp

It's from the book "Building Secure Microsoft ASP.NET Applications", which I highly recommend.
Brad
"rmac" <anonymous@discussions.microsoft.com> wrote in message
news:0b9e01c3c638$8d1fb700$a101280a@phx.gbl...
> Brad,
>
> I have tried the method you mentioned. I am not able to
> check the roles. If I put in code on the requested page to
> check for the group I come up empty. Ex:
>
> If context.User.IsInRole("domainname\group") = True Then
> lblName.Text = "Hello " +
> Context.User.Identity.Name & "."
> End IF
>
> The label text is empty.
>
> If I do this and deny unathenticated users in the
> web.config:
>
> If Request.IsAuthenticated = True Then
> lblName.Text = "Hello " + Context.User.Identity.Name
> & "."
> End If
>
> the label shows the user name.
>
> In my web.config file if I do this:
>
> <allow users="domain\group"
> <deny users="*" />
>
> I cannot login no matter what account I use.
>
> Am I missing something?
>
> Thanks
> rmac
Brad Guest
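Brad's two points, top-down rule evaluation in #2 and roles versus users in #5, both rest on one step the thread never shows: under Forms authentication the principal that FormsAuthenticationModule builds carries no roles, so Context.User.IsInRole("domain\group") is False for everyone and <allow roles="..." /> can never match (the symptom in #4). With <deny users="?" /> as the only other rule, every authenticated user then falls through to the implicit <allow users="*" /> at the end of the machine-level chain, which is why any domain account got in. The global.asax code below is an added example, not code from this thread or from KB 326340; it assumes the login page stored the user's group names in the forms ticket's UserData joined with "|" (both the storage location and the separator are assumptions of this example) and that web.config reads <allow roles="DOMAIN\WebUsers" /> followed by <deny users="*" />. The group names are constructed sample values.

```vbnet
' global.asax.vb -- added example, not code from this thread or from KB 326340.
' Assumptions: the login page issued the forms ticket with the user's group
' names in UserData, joined with "|" (constructed sample groups), e.g.
'   New FormsAuthenticationTicket(1, userName, DateTime.Now, _
'       DateTime.Now.AddMinutes(30), False, "DOMAIN\WebUsers|DOMAIN\Staff", "/")
' and web.config has <allow roles="DOMAIN\WebUsers" /> then <deny users="*" />.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class [Global]
    Inherits HttpApplication

    ' Fires after FormsAuthenticationModule has validated the cookie and set
    ' Context.User to a principal that carries no roles at all. Without this
    ' step IsInRole("DOMAIN\WebUsers") is False for every user and the
    ' <allow roles="..." /> rule never matches.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Not Request.IsAuthenticated Then Exit Sub
        If Not TypeOf Context.User.Identity Is FormsIdentity Then Exit Sub

        Dim identity As FormsIdentity = DirectCast(Context.User.Identity, FormsIdentity)
        Dim roles As String() = SplitRoles(identity.Ticket.UserData)

        ' Replace the role-less principal with one that carries the group list.
        ' UrlAuthorizationModule runs later in the pipeline (AuthorizeRequest)
        ' and evaluates <allow roles="..." /> against exactly this principal.
        Context.User = New GenericPrincipal(identity, roles)
    End Sub

    ' Turns the stored "|"-separated group list into a role array.
    ' Empty or missing UserData yields no roles, so such a user falls
    ' through to <deny users="*" /> instead of matching by accident.
    Public Shared Function SplitRoles(ByVal userData As String) As String()
        If userData Is Nothing OrElse userData.Trim().Length = 0 Then
            Return New String() {}
        End If
        Return userData.Split("|"c)
    End Function
End Class
```

Because UserData travels inside the forms ticket, which is encrypted and signed when the forms element uses protection="All", the role list cannot be edited on the client; the only way to gain a role is to be issued a ticket that names it. With this in place the rule pair from #5 behaves as Brad describes: a ticket carrying DOMAIN\WebUsers matches the allow rule and stops there, and anyone else, authenticated or not, reaches <deny users="*" />.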