Portal Starter Kit authentication

[.net user]

can some one point me what i'm doing wrong? I have spent half a day figuring
out and totally stuck now.

Here's what I'm trying to accomplish: I am writing a web appl - an intranet
portal site (based on the portal starter kit) and I want to apply role based
security to the site. - When the users type in the intranet URL, a windows
logon window would pop up and then users login with their NT credentials.
Based upon theie level of security they see the tabs on the portal.
Here's what I have accomplished so far:
1. Created new groups on the domain.
2. Turned on the authentication to "windows" in the web.config file of the
portal site.
3. Added
<authorization>
<allow roles = "doaminname\role1,doaminname\role4" />
<deny users="*">
</authorization>
in the web.config.
4. Added the LogOnID to the users table and the exact domain roles to the
Roles table.

However the wuthentication is not working correctly, the windows logon
prompt keeps poping.. and the app redirects to the AccessDenied page.

Your kind help is greatly appreciated.



"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@comcast.netNoSpamM> wrote in
message news:uOQ0qsmxDHA.1856@TK2MSFTNGP09.phx.gbl...

> I am not sure what would be consider good and simple in your vernacular,

but

> there are plenty of free (thats right folks, free) books at
> [url]http://msdn.microsoft.com/architecture[/url]. Look for the patterns and

practices

> section. Great information on security, infrastructure and architecture

for

> developers. Does not completely relate directly to .NET windows
> authentication, but you will find the topics in there.
>
> Now, as far as windows authentication goes, what you are you trying to
> accomplish. A web app or a windows app, or are you just looking for the
> basics of NTFS permissions and how they relate to user's logons? Or, do

you

> want to get into Active Directory?
>
> The answers to these questions will help myself and others lead you in the
> right direction, as there is a lot of information out there, both in books
> and online.
>
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
>
> ************************************************** ********************
> Think Outside the Box!
> ************************************************** ********************
> <.net user> wrote in message news:OEyflHmxDHA.1744@TK2MSFTNGP12.phx.gbl...

> > I have been using .net for a while. I want to have my windows

> authentication

> > concepts cleared - . particularly how it works on Intranet sites. Is

> there

> > a good, simple to understand reference book/sites that can help me with?
> >
> > Appreciate any help.
> >
> >

>
>

[Cowboy \(Gregory A. Beamer\)]

".net user" <msnews.microsoft.com> wrote in message
news:OzbZUHnxDHA.1736@TK2MSFTNGP09.phx.gbl...

>
> can some one point me what i'm doing wrong? I have spent half a day

figuring

> out and totally stuck now.
>
> Here's what I'm trying to accomplish: I am writing a web appl - an

intranet

> portal site (based on the portal starter kit) and I want to apply role

based

> security to the site. - When the users type in the intranet URL, a windows
> logon window would pop up and then users login with their NT credentials.
> Based upon theie level of security they see the tabs on the portal.
> Here's what I have accomplished so far:
> 1. Created new groups on the domain.

Good for windows authentication.

> 2. Turned on the authentication to "windows" in the web.config file of the
> portal site.

Also good for windows authentication.

> 3. Added
> <authorization>
> <allow roles = "doaminname\role1,doaminname\role4" />
> <deny users="*">
> </authorization>
> in the web.config.

Looks fine so far.

> 4. Added the LogOnID to the users table and the exact domain roles to the
> Roles table.

This sounds more like forms based authentication.

> However the wuthentication is not working correctly, the windows logon
> prompt keeps poping.. and the app redirects to the AccessDenied page.
>
> Your kind help is greatly appreciated.

Here are the steps for windows.

1. Add the group in question (either to machine or domain).
2. Add users to group
3. Make sure the user is logging onto the domain
This is most likely where you problem is

Three options to fix:
1. Have user add domain name before user, like
USER BOX: DomainName\Username
PASSWORD BOX: Password

2. Set up the app to use the domain. This a dual edged sword.
a. Open Internet Services Manager
b. Goto Directory Security tab
c. Click the top edit button: Enable Anonymous Access ....
d. Use Basic authentication (the edge of the sword)
e. Cllick edit and add the domain name

>Now, try logging on again with the name.
>For the dual edge part. A person logging in can have their logon

compromised.

3. Make a local group(s) on the web server and use it.
a. Add domain group(s) to local group(s)
b. Change authentication to use the local group(s), not the domain (in
web.config)

This is standard windows. You add domain users to domain groups and then add
domain groups to local groups for access to the local machine. The rules can
be played a bit different in Active Directory, of course, but this will
still work.

NOTE: You can also add users to the local group and bypass the domain group
addition, if you feel you can manage it there. IN general, I would not
advise this.

I am sure there are others who can come up with even more options.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************** ********************
Think Outside the Box!
************************************************** ********************