Access denied when using active directory groups and windows authentication

Discussion in 'ASP .Net Security' started by David, Nov 2, 2005.

  1. David

    David Guest

    Hi, I am trying to configure my app using windows authentication. I
    would like to limit access to an Active Directory group but do not want
    to implement impersonation. I've setup the config section as follows:

    <authentication mode="Windows" />
    <authorization>
    <allow roles="domainname\groupname" />
    <deny users="*" />
    </authorization>
    <identity impersonate="false" />

    I am being prompted for user credentials, however, it is not letting me
    in with a valid account. If I change the config section to limit to an
    Active Directory user only, example: <allow users
    ="domainname\username" />, this setting works just fine. It's very
    frustrating and I'm hoping I won't need to open a Microsoft Support
    ticket. Any suggestions are greatly appreciated.

    David
     
    David, Nov 2, 2005
    #1

  2. Just out of curiosity, does the group-based authorization work if you enable
    impersonation?

    I've heard of situations where impersonation needed to be enabled in order
    for the SIDs in the user's token to get resolved into friendly names at
    runtime, but I have no idea what causes this. That might be the problem
    though.

    It is also possible you are spelling the group name wrong, but hopefully
    that isn't it. :)

    Joe K.

    "David" <> wrote in message
    news:...
    > Hi, I am trying to configure my app using windows authentication. I
    > would like to limit access to an Active Directory group but do not want
    > to implement impersonation. I've setup the config section as follows:
    >
    > <authentication mode="Windows" />
    > <authorization>
    > <allow roles="domainname\groupname" />
    > <deny users="*" />
    > </authorization>
    > <identity impersonate="false" />
    >
    > I am being prompted for user credentials, however, it is not letting me
    > in with a valid account. If I change the config section to limit to an
    > Active Directory user only, example: <allow users
    > ="domainname\username" />, this setting works just fine. It's very
    > frustrating and I'm hoping I won't need to open a Microsoft Support
    > ticket. Any suggestions are greatly appreciated.
    >
    > David
    >
     
    Joe Kaplan (MVP - ADSI), Nov 2, 2005
    #2

  3. David, as Joe advised, I think you have to enable impersonation.
    I have done a similar solution for a company and I had to use impersonation,
    unless I am wrong.
    I was redirecting users after login in an intranet based Windows Auth to
    perform authorisation.
    Hope that helps
    Patrick




    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > Just out of curiosity, does the group-based authorization work if you enable
    > impersonation?
    >
    > I've heard of situations where impersonation needed to be enabled in order
    > for the SIDs in the user's token to get resolved into friendly names at
    > runtime, but I have no idea what causes this. That might be the problem
    > though.
    >
    > It is also possible you are spelling the group name wrong, but hopefully
    > that isn't it. :)
    >
    > Joe K.
    >
    > "David" <> wrote in message
    > news:...
    > > Hi, I am trying to configure my app using windows authentication. I
    > > would like to limit access to an Active Directory group but do not want
    > > to implement impersonation. I've setup the config section as follows:
    > >
    > > <authentication mode="Windows" />
    > > <authorization>
    > > <allow roles="domainname\groupname" />
    > > <deny users="*" />
    > > </authorization>
    > > <identity impersonate="false" />
    > >
    > > I am being prompted for user credentials, however, it is not letting me
    > > in with a valid account. If I change the config section to limit to an
    > > Active Directory user only, example: <allow users
    > > ="domainname\username" />, this setting works just fine. It's very
    > > frustrating and I'm hoping I won't need to open a Microsoft Support
    > > ticket. Any suggestions are greatly appreciated.
    > >
    > > David
    > >

    >
    >
     
    Patrick.O.Ige, Nov 2, 2005
    #3
  4. Hello david,

    the users additionally need read ACLs on the .aspx pages...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi, I am trying to configure my app using windows authentication. I
    > would like to limit access to an Active Directory group but do not
    > want to implement impersonation. I've setup the config section as
    > follows:
    >
    > <authentication mode="Windows" />
    > <authorization>
    > <allow roles="domainname\groupname" />
    > <deny users="*" />
    > </authorization>
    > <identity impersonate="false" />
    > I am being prompted for user credentials, however, it is not letting
    > me in with a valid account. If I change the config section to limit to
    > an Active Directory user only, example: <allow users
    > ="domainname\username" />, this setting works just fine. It's very
    > frustrating and I'm hoping I won't need to open a Microsoft Support
    > ticket. Any suggestions are greatly appreciated.
    >
    > David
    >
     
    Dominick Baier [DevelopMentor], Nov 2, 2005
    #4
  5. David

    David Guest

    Thanks for all your help. Setting read rights on the root web folder
    for the AD group fixed the problem.
     
    David, Nov 2, 2005
    #5
  6. David

    David Guest

    I was a little hasty in saying that the problem was fixed. As Dominick
    mentioned I needed to give the users themselves read permissions on the
    web pages. Granting these permissions on the AD groups did nothing.
    This does not seem right in my mind as it goes against the advantages
    of using groups in the first place. I might just as well add the users
    to the web.config directly and not use groups at all.
     
    David, Nov 2, 2005
    #6
  7. Back to my original suggestion then: does enabling impersonation fix the
    group problem? Is it possible that the users are not actually members of
    the group you are using? You might try logging on to the server as one of
    the users and trying the whoami command.

    Joe K.

    "David" <> wrote in message
    news:...
    >I was a little hasty in saying that the problem was fixed. As Dominick
    > mentioned I needed to give the users themselves read permissions on the
    > web pages. Granting these permissions on the AD groups did nothing.
    > This does not seem right in my mind as it goes against the advantages
    > of using groups in the first place. I might just as well add the users
    > to the web.config directly and not use groups at all.
    >
     
    Joe Kaplan (MVP - ADSI), Nov 2, 2005
    #7
  8. Hello Joe,

    impersonation SHOULD not be the problem - the FileAuthorizationModule takes
    the token that was produced by IIS authentication to do the ACL check (regardless
    of any other settings in ASP.NET)

    you can check this identity using the new Request.LogonUserIdentity (2.0
    only)

    i have written a small page for troubleshooting (2.0 only too)
    http://www.leastprivilege.com/ShowContextsUpdatedAgainAndAgain.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Back to my original suggestion then: does enabling impersonation fix
    > the group problem? Is it possible that the users are not actually
    > members of the group you are using? You might try logging on to the
    > server as one of the users and trying the whoami command.
    >
    > Joe K.
    >
    > "David" <> wrote in message
    > news:...
    >
    >> I was a little hasty in saying that the problem was fixed. As
    >> Dominick mentioned I needed to give the users themselves read
    >> permissions on the web pages. Granting these permissions on the AD
    >> groups did nothing. This does not seem right in my mind as it goes
    >> against the advantages of using groups in the first place. I might
    >> just as well add the users to the web.config directly and not use
    >> groups at all.
    >>
     
    Dominick Baier [DevelopMentor], Nov 2, 2005
    #8
  9. David

    David Guest

    Yup, as you mentioned turning on impersonation does not resolve the
    problem. I guess for now I will just suggest adding the users directly
    to the web.config (aren't that many anyway) and will put in a better
    solution when we upgrade to 2.0 which we are in the process of doing
    now. I'll look into the new Request.LogonUserIdentity feature.

    Thanks again for all your help
    David
     
    David, Nov 2, 2005
    #9
  10. Sorry I missed that. There must be something wrong then that is preventing
    groups from working correctly.

    I definitely recommend checking out Dominick's troubleshooting tools and
    perhaps doing whatever else you can to figure out why the user's token
    doesn't contain the groups in question or their names aren't resolving.

    Is it possible that the groups are domain local and the domain is still 2000
    mixed mode? Could they be domain local groups from a different domain?

    Joe K.

    "David" <> wrote in message
    news:...
    > Yup, as you mentioned turning on impersonation does not resolve the
    > problem. I guess for now I will just suggest adding the users directly
    > to the web.config (aren't that many anyway) and will put in a better
    > solution when we upgrade to 2.0 which we are in the process of doing
    > now. I'll look into the new Request.LogonUserIdentity feature.
    >
    > Thanks again for all your help
    > David
    >
     
    Joe Kaplan (MVP - ADSI), Nov 2, 2005
    #10
  11. David

    Guest

    We had this problem. We solved it in two steps (impersonation is not
    the solution).

    Step 1: asp.net account needs read and execute to the folder.

    Step 2: make sure you **DENY** all other roles.

    EXAMPLE:
    <allow roles="domain\group" /> <!-- limit to this role -->
    <deny roles="*" />

    I haven't figured out why the "deny" is needed, but if you do not deny all
    the others, it does not work.
     
    , Nov 2, 2005
    #11
  12. Hello ,

    in the global web.config there is an implicit <allow users="*" />

    otherwise no asp.net app would work by default.

    because your local web.config inherits the global one - you have to set the
    deny manually.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > We had this problem. We solved it in two steps (impersonation is not
    > the solution).
    >
    > Step 1: asp.net account needs read and execute to the folder.
    >
    > Step 2: make sure you **DENY** all other roles.
    >
    > EXAMPLE:
    > <allow roles="domain\group" /> <!-- limit to this role -->
    > <deny roles="*" />
    > I haven't figured out why the "deny" is needed, but if you do not deny all
    > the others, it does not work.
    >
     
    Dominick Baier [DevelopMentor], Nov 2, 2005
    #12
  13. Hello david,

    you should definitely log on as the user in question and do a whoami /groups
    to double check if the user is indeed in this group (at least from the point
    of view of that machine).
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Yup, as you mentioned turning on impersonation does not resolve the
    > problem. I guess for now I will just suggest adding the users directly
    > to the web.config (aren't that many anyway) and will put in a better
    > solution when we upgrade to 2.0 which we are in the process of doing
    > now. I'll look into the new Request.LogonUserIdentity feature.
    >
    > Thanks again for all your help
    > David
     
    Dominick Baier [DevelopMentor], Nov 2, 2005
    #13
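    An added example (my own, not code from anyone in this thread) modelling the two checks the replies above discuss: UrlAuthorizationModule walks the <authorization> rules in order, first match wins, and falls through to the inherited <allow users="*" />; FileAuthorizationModule separately needs Read on the .aspx for the token IIS produced, and a group that is missing from that token (what whoami /groups would reveal) fails the role check no matter what web.config says. Names such as DOMAIN\WebUsers and the ACL entries are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    users: frozenset = frozenset()     # "*" matches every authenticated user
    roles: frozenset = frozenset()     # DOMAIN\group names

# The rule every application inherits from the machine-level config (post #12).
INHERITED = [Rule("allow", users=frozenset({"*"}))]

def matches(rule, user, groups):
    if "*" in rule.users or user.lower() in {u.lower() for u in rule.users}:
        return True
    return any(r.lower() in {g.lower() for g in groups} for r in rule.roles)

def url_authorized(app_rules, user, groups):
    """UrlAuthorizationModule: first matching rule wins; app rules precede inherited ones."""
    for rule in list(app_rules) + INHERITED:
        if matches(rule, user, groups):
            return rule.action == "allow"
    return False

def file_authorized(acl, user, groups):
    """FileAuthorizationModule: the token IIS produced needs Read on the .aspx file."""
    names = {user.lower()} | {g.lower() for g in groups}
    return any(p.lower() in names and "read" in rights for p, rights in acl.items())

def request_allowed(app_rules, acl, user, groups):
    """Both modules must say yes; the impersonate setting changes neither check."""
    return url_authorized(app_rules, user, groups) and file_authorized(acl, user, groups)

# Constructed sample data; the names are made up.
IN_GROUP = {"DOMAIN\\WebUsers", "BUILTIN\\Users"}   # what whoami /groups should show
NO_GROUP = {"BUILTIN\\Users"}                        # group missing from the token
ALLOW_ONLY = [Rule("allow", roles=frozenset({"DOMAIN\\WebUsers"}))]
WITH_DENY = ALLOW_ONLY + [Rule("deny", users=frozenset({"*"}))]
ACL_GROUP = {"DOMAIN\\WebUsers": {"read", "execute"}}
ACL_ADMIN_ONLY = {"BUILTIN\\Administrators": {"full"}}

def demo():
    return {
        "member": request_allowed(WITH_DENY, ACL_GROUP, "DOMAIN\\alice", IN_GROUP),
        "outsider_without_deny": url_authorized(ALLOW_ONLY, "DOMAIN\\bob", NO_GROUP),
        "outsider_with_deny": url_authorized(WITH_DENY, "DOMAIN\\bob", NO_GROUP),
        "member_no_file_acl": request_allowed(WITH_DENY, ACL_ADMIN_ONLY, "DOMAIN\\alice", IN_GROUP),
        "stale_token": request_allowed(WITH_DENY, ACL_GROUP, "DOMAIN\\alice", NO_GROUP),
    }
```

    The "outsider_without_deny" case is the one post #12 explains: without an explicit deny, a non-member is let in by the inherited allow-all rule.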
  14. Hello Joe,

    yeah - I should add "whoami /groups" functionality to my test page. good
    idea :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Sorry I missed that. There must be something wrong then that is
    > preventing groups from working correctly.
    >
    > I definitely recommend checking out Dominick's troubleshooting tools
    > and perhaps doing whatever else you can to figure out why the user's
    > token doesn't contain the groups in question or their names aren't
    > resolving.
    >
    > Is it possible that the groups are domain local and the domain is
    > still 2000 mixed mode? Could they be domain local groups from a
    > different domain?
    >
    > Joe K.
    >
    > "David" <> wrote in message
    > news:...
    >
    >> Yup, as you mentioned turning on impersonation does not resolve the
    >> problem. I guess for now I will just suggest adding the users
    >> directly to the web.config (aren't that many anyway) and will put in
    >> a better solution when we upgrade to 2.0 which we are in the process
    >> of doing now. I'll look into the new Request.LogonUserIdentity
    >> feature.
    >>
    >> Thanks again for all your help
    >> David
     
    Dominick Baier [DevelopMentor], Nov 2, 2005
    #14
  15. I would try removing some ACL read on some files and try it.
    I didn't really think of that because the folder in which the aspx files
    were contained had read/write permissions.
    Thanks for the info guys
    Patrick



    "Patrick.O.Ige" <> wrote in message
    news:%...
    > David, as Joe advised, I think you have to enable impersonation.
    > I have done a similar solution for a company and I had to use impersonation,
    > unless I am wrong.
    > I was redirecting users after login in an intranet based Windows Auth to
    > perform authorisation.
    > Hope that helps
    > Patrick
    >
    >
    >
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    > > Just out of curiosity, does the group-based authorization work if you enable
    > > impersonation?
    > >
    > > I've heard of situations where impersonation needed to be enabled in order
    > > for the SIDs in the user's token to get resolved into friendly names at
    > > runtime, but I have no idea what causes this. That might be the problem
    > > though.
    > >
    > > It is also possible you are spelling the group name wrong, but hopefully
    > > that isn't it. :)
    > >
    > > Joe K.
    > >
    > > "David" <> wrote in message
    > > news:...
    > > > Hi, I am trying to configure my app using windows authentication. I
    > > > would like to limit access to an Active Directory group but do not want
    > > > to implement impersonation. I've setup the config section as follows:
    > > >
    > > > <authentication mode="Windows" />
    > > > <authorization>
    > > > <allow roles="domainname\groupname" />
    > > > <deny users="*" />
    > > > </authorization>
    > > > <identity impersonate="false" />
    > > >
    > > > I am being prompted for user credentials, however, it is not letting me
    > > > in with a valid account. If I change the config section to limit to an
    > > > Active Directory user only, example: <allow users
    > > > ="domainname\username" />, this setting works just fine. It's very
    > > > frustrating and I'm hoping I won't need to open a Microsoft Support
    > > > ticket. Any suggestions are greatly appreciated.
    > > >
    > > > David
    > > >

    > >
    > >

    >
    >
     
    Patrick.O.Ige, Nov 4, 2005
    #15