Ask a Question related to ASP.NET Security, Design and Development.
-
Andrew Davidson #1
Authorization Problem
I have an asp page with just Integrated Windows authentication set.
It works fine if it is accessed with just the server name, but it prompts
the user to enter their credentials if it is accessed with the full domain
name.
Any suggestions on how to eliminate the login box? ( Without allowing
anonymous access...)
It's running on a W2K Server sp4 w/ IIS 5.
Thanks in advance.
Andrew Davidson
Andrew Davidson Guest
-
Tom Kaminski [MVP] #2
Re: Authorization Problem
"Andrew Davidson" <andy@twistedbits.REMOVE.com> wrote in message
news:uDdzYOQYDHA.416@tk2msftngp13.phx.gbl...
> I have an asp page with just Integrated Windows authentication set.
>
> It works fine if it is accessed with just the server name, but it prompts
> the user to enter their credentials if it is accessed with the full domain
> name.
>
> Any suggestions on how to eliminate the login box? ( Without allowing
> anonymous access...)
In IE, go to Tools -> Internet Options -> Security -> Custom Level -> User
Authentication -> Logon and make sure it's not prompting for intranet use.
You can also add your domain or IP to the no proxy setting to get IE to
recognize it as the intranet. Tools -> Internet Options -> Connections ->
LAN Settings -> Advanced.
For security configuration you need to go Tools > Internet Options >
Security > Local intranet > Sites... > Advanced > Add this web site or IP to
the zone.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/
Tom Kaminski [MVP] Guest
-
Sunny #3
Authorization Problem
Hi all,
I have an ASP.NET application which worked fine on the live site. We
performed a recent upgrade and have a strange problem. When I access the
home page (default.aspx) it pops up an authentication dialog box. I click ok
or cancel 3 times and get the following error:
====
Access to the path "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\root\ec99ce5e\f59722f\xifdaakl.0.vb" is denied.
Description: An unhandled exception occurred during compilation using the
CodeDomProvider 'Microsoft.VisualBasic.VBCodeProvider'. Please review the
stack trace for more information about the error and where it originated in
the code.
Exception Details: System.UnauthorizedAccessException: Access to the path "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\root\ec99ce5e\f59722f\xifdaakl.0.vb" is denied.
The ASP.NET process is not authorized to access the requested resource. For
security reasons the default ASP.NET process identity is
'{machinename}\ASPNET', which has limited privileges. Consider granting
access rights to the resource to the ASP.NET process identity.
To grant ASP.NET write access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
"{machinename}\ASPNET" user. Highlight the ASP.NET account, and check the
Write box in the Allow column.
Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of the
exception can be identified using the exception stack trace below.
Stack Trace:
[UnauthorizedAccessException: Access to the path "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\root\ec99ce5e\f59722f\xifdaakl.0.vb" is denied.]
   System.IO.__Error.WinIOError(Int32 errorCode, String str) +393
   System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath, Boolean bFromProxy) +859
   System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) +45
   System.CodeDom.Compiler.CodeCompiler.FromDomBatch(CompilerParameters options, CodeCompileUnit[] ea) +272
   System.CodeDom.Compiler.CodeCompiler.FromDom(CompilerParameters options, CodeCompileUnit e) +90
   System.CodeDom.Compiler.CodeCompiler.System.CodeDom.Compiler.ICodeCompiler.CompileAssemblyFromDom(CompilerParameters options, CodeCompileUnit e) +37
   System.Web.Compilation.BaseCompiler.GetCompiledType() +250
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.0.3705.288; ASP.NET Version:1.0.3705.288
====
Everything seems to work fine when I browse into mysite/admin (I don't get
any authentication popup over here).
The hosting guys say everything is fine with the security of the ASPNET
user. What could be the problem?
Thanks,
Sunny.
Sunny Guest
-
Hernan de Lahitte #4
Re: Authorization Problem
Hi,
You should need full control ACL for the ASPNET account or whatever account
you use in C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET folder.
For more details see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp?frame=true
Regards,
Hernan.
--
Eng. Hernan de Lahitte - MSDE
Lagash Systems S.A. - Buenos Aires, Argentina
http://www.lagash.com
Hernan de Lahitte Guest
-
Holly Mazerolle #5
Re: Authorization Problem
You may also want to check and make sure that the asp.net mappings are
still correct on the machine.
306005 HOWTO: Repair IIS Mapping After You Remove and Reinstall IIS
http://support.microsoft.com/?id=306005
This posting is provided "AS IS" with no warranties, and confers no rights.
Holly
Holly Mazerolle Guest
-
Sunny #6
Re: Authorization Problem
Thanks Hernan & Holly. I asked the hosting provider to re-check their
settings and they got the problem rectified after having said earlier that
their settings were "perfect".
Sunny.
"Holly Mazerolle" <hollymamsft@online.microsoft.com> wrote in message
news:CRFD7K$0DHA.3088@cpmsftngxa07.phx.gbl...
> You may also want to check and make sure that the asp.net mappings are
> still correct on the machine.
>
> 306005 HOWTO: Repair IIS Mapping After You Remove and Reinstall IIS
> http://support.microsoft.com/?id=306005
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> Holly
>
Sunny Guest
-
Maryam Baseer #7
Authorization problem
Hi
Please can anyone tell me why I am getting this error when I call one
of my aspx pages
You are not authorized to view this page
You might not have permission to view this directory or page using the
credentials you supplied.
--------------------------------------------------------------------------------
If you believe you should be able to view this directory or page,
please try to contact the Web site by using any e-mail address or
phone number that may be listed on the localhost home page.
You can click Search to look for information on the Internet.
HTTP Error 403 - Forbidden
Internet Explorer
All the rest of the pages that I call are working but only this page
is not working. Can't seem to understand anything. I have checked all
the properties and all the security options everything is same but the
page is not loading. Even the forms with similar coding are running
but this one page. :S
Please Please Please anyone... It's really really urgent. The whole
thing was working A-one but don't know what has happened.
Maryam
Maryam Baseer Guest
-
Raterus #8
Re: Authorization problem
Sounds like you don't have the correct NTFS permissions on the actual file.
"Maryam Baseer" <maryam.baseer@gmail.com> wrote in message
news:cc09ae76.0407301444.58027ac0@posting.google.com...
> Hi
> Please can anyone tell me why I am getting this error when I call one
> of my aspx pages
>
> You are not authorized to view this page
> You might not have permission to view this directory or page using the
> credentials you supplied.
>
> --------------------------------------------------------------------------------
>
> If you believe you should be able to view this directory or page,
> please try to contact the Web site by using any e-mail address or
> phone number that may be listed on the localhost home page.
>
> You can click Search to look for information on the Internet.
>
> HTTP Error 403 - Forbidden
> Internet Explorer
>
>
> All the rest of the pages that I call are working but only this page
> is not working. Can't seem to understand anything. I have checked all
> the properties and all the security options everything is same but the
> page is not loading. Even the forms with similar coding are running
> but this one page. :S
>
> Please Please Please anyone... It's really really urgent. The whole
> thing was working A-one but don't know what has happened.
>
>
> Maryam
Raterus Guest
-
Nikolay Petrov #9
Authorization problem
The following code doesn't produce the expected effect to only allow the
members of Administrators group to access the web method, it stops everyone.
=========
<WebMethod(), _
 PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> _
Public Function HelloWorld() As String
    Return "Hello World"
End Function
=========
The web service folder is set to require only Windows Authentication, which
goes fine. I can get the user credentials without any problem.
What is wrong?
TIA
Nikolay Petrov Guest
-
Joe Kaplan \(MVP - ADSI\) #11
Re: Authorization problem
Did you try MACHINE\Administrators or the proper domain suffix? Windows
roles always have a prefix in .NET.
Joe K.
"Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
news:%23hMTZN2uEHA.3624@TK2MSFTNGP09.phx.gbl...
> The following code doesn't produce the expected effect to only allow
> the members of Administrators group to access the web method, it stops
> everyone.
> =========
> <WebMethod(), _
>  PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> _
> Public Function HelloWorld() As String
>     Return "Hello World"
> End Function
> =========
>
> The web service folder is set to require only Windows Authentication,
> which goes fine. I can get the user credentials without any problem.
>
> What is wrong?
> TIA
>
Joe Kaplan \(MVP - ADSI\) Guest
-
Nikolay Petrov #13
Re: Authorization problem
I have tried this. Doesn't help.
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:%23hdL1Q2uEHA.1308@TK2MSFTNGP09.phx.gbl...
> Did you try MACHINE\Administrators or the proper domain suffix? Windows
> roles always have a prefix in .NET.
>
> Joe K.
Nikolay Petrov Guest
-
Joe Kaplan \(MVP - ADSI\) #15
Re: Authorization problem
Are you certain that the client is being authenticated with Windows
authentication? It would probably be a good idea to dump out the value of
Context.User.Identity.Name and make sure it is the user that you think it
is.
Joe K.
"Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
news:%23iTKwV2uEHA.1376@TK2MSFTNGP10.phx.gbl...
> I have tried this. Doesn't help.
>
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%23hdL1Q2uEHA.1308@TK2MSFTNGP09.phx.gbl...
>> Did you try MACHINE\Administrators or the proper domain suffix? Windows
>> roles always have a prefix in .NET.
>>
>> Joe K.
>
Joe Kaplan \(MVP - ADSI\) Guest
-
Nikolay Petrov #17
Re: Authorization problem
I have done that. It is fine.
Something else is broken. The auditing doesn't show anything either.
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:efhvF42uEHA.1976@TK2MSFTNGP09.phx.gbl...
> Are you certain that the client is being authenticated with Windows
> authentication? It would probably be a good idea to dump out the value of
> Context.User.Identity.Name and make sure it is the user that you think it
> is.
>
> Joe K.
>
> "Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
> news:%23iTKwV2uEHA.1376@TK2MSFTNGP10.phx.gbl...
>> I have tried this. Doesn't help.
>>
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:%23hdL1Q2uEHA.1308@TK2MSFTNGP09.phx.gbl...
>>> Did you try MACHINE\Administrators or the proper domain suffix? Windows
>>> roles always have a prefix in .NET.
>>>
>>> Joe K.
>>
>
Nikolay Petrov Guest
-
Joe Kaplan \(MVP - ADSI\) #19
Re: Authorization problem
One other thing to check:
Can you do a programmatic check instead of a declarative one? Try
Context.User.IsInRole("machine\administrators") or
Thread.CurrentPrincipal.IsInRole("machine\administrators")?
Those should do the same thing as the declarative demand, but it is worth a
shot.
Another thing to try is to use reflection on _GetRoles private method on
WindowsIdentity to see what the actual values are. This can be helpful for
troubleshooting Windows group resolution. Don't use this in production
though!
Google will dig up a bunch of code samples showing how to do that if you
need it.
Joe K.
"Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
news:eVwiaG3uEHA.3948@TK2MSFTNGP15.phx.gbl...
> I have done that. It is fine.
> Something else is broken. The auditing doesn't show anything either.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:efhvF42uEHA.1976@TK2MSFTNGP09.phx.gbl...
>> Are you certain that the client is being authenticated with Windows
>> authentication? It would probably be a good idea to dump out the value
>> of Context.User.Identity.Name and make sure it is the user that you think
>> it is.
>>
>> Joe K.
Joe Kaplan \(MVP - ADSI\) Guest
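The two checks suggested in this thread (dumping Context.User.Identity.Name and testing IsInRole programmatically) combined into one diagnostic web method. This is an added example, not code posted by anyone in the thread; the class name AuthDiagnostics, the method WhoAmI and the CandidateRoles list are hypothetical names chosen for illustration.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Text
Imports System.Threading
Imports System.Web.Services

' Hypothetical diagnostic service (names are assumptions, not from the thread).
' Temporary troubleshooting aid: it returns identity details to the caller,
' so take it out once the role name question is settled.
Public Class AuthDiagnostics
    Inherits WebService

    ' Spellings of the role to compare: the bare name from the original
    ' attribute, a machine-qualified name, and the BUILTIN prefix that
    ' Windows uses for built-in local groups.
    Private Shared ReadOnly CandidateRoles() As String = { _
        "Administrators", _
        Environment.MachineName & "\Administrators", _
        "BUILTIN\Administrators"}

    <WebMethod()> _
    Public Function WhoAmI() As String
        Dim user As IPrincipal = Context.User

        ' If anonymous access is still enabled in IIS, no Windows identity
        ' reaches ASP.NET and every role demand fails.
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return "Anonymous request: no authenticated identity reached ASP.NET."
        End If

        Dim sb As New StringBuilder()
        sb.AppendFormat("Context.User: {0} (AuthenticationType={1}, principal={2})", _
            user.Identity.Name, user.Identity.AuthenticationType, user.GetType().Name)
        sb.Append(Environment.NewLine)

        ' PrincipalPermission demands are evaluated against
        ' Thread.CurrentPrincipal, so confirm it is the same user.
        sb.AppendFormat("Thread.CurrentPrincipal: {0}", _
            Thread.CurrentPrincipal.Identity.Name)
        sb.Append(Environment.NewLine)

        ' Programmatic equivalent of the declarative demand, once per spelling.
        For Each role As String In CandidateRoles
            sb.AppendFormat("IsInRole(""{0}"") = {1}", role, user.IsInRole(role))
            sb.Append(Environment.NewLine)
        Next

        ' The enum overload avoids string matching for built-in groups.
        If TypeOf user Is WindowsPrincipal Then
            Dim wp As WindowsPrincipal = DirectCast(user, WindowsPrincipal)
            sb.AppendFormat("IsInRole(WindowsBuiltInRole.Administrator) = {0}", _
                wp.IsInRole(WindowsBuiltInRole.Administrator))
        End If

        Return sb.ToString()
    End Function
End Class
```

Whichever spelling returns True is the string to put in the Role:= argument of the PrincipalPermission attribute.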