allow groups with Forms Authentication

Discussion in 'ASP .Net Security' started by rmac, Dec 16, 2003.

  1. rmac

    rmac Guest

    I am testing forms authentication against Active
    Directory. I want to limit access to the site based on
    Windows groups. The app is working but it allows anyone
    with a domain account access which is undesirable. I
    followed the Microsoft KB article 326340. Here is the
    entry in my web.config:

    <authorization>
    <allow roles="domainname\group" />
    <deny users="?" />
    </authorization>

    Does anyone know how to accomplish this?

    Thanks
    rmac
     
    rmac, Dec 16, 2003
    #1

  2. rmac

    Brad Guest

    You would want to change the <deny users="?"> to <deny users="*">.
    Role checks are top down. If the first check passes they're in. In your
    example any authenticated user would also pass the next test; <deny
    users="?"> just denies unauthenticated users.
    By changing to <deny users="*">, if they don't pass the first test they
    won't get in because the * says deny everyone. They will get a network
    login dialog box but no matter what they enter into the login dialog it will
    fail with an access denied... well, this is unless they enter a login that
    is a member of the group you allow in.

    Also - If you wanted to provide a "polite" access denied result, i.e. send
    them somewhere else such as your own error page, you could alternately just
    set <deny users="?"> (removing your current allow test) and then in your
    global.asax code do a test if the user is in a permitted role, else send them
    somewhere else.

    Example
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Only authenticated users who are NOT in the permitted group get redirected.
        If Request.IsAuthenticated AndAlso Not Context.User.IsInRole("domainname\group") Then
            ' Skip the redirect when the "no access" page itself is being requested,
            ' otherwise the browser would be sent round in a loop.
            If Request.Url.ToString().IndexOf("mynoaccesspage") < 0 Then
                Response.Redirect("mynoaccesspage")
            End If
        End If
    End Sub


    Hope this helps some

    Brad

     
    Brad, Dec 19, 2003
    #2
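For the web.config side, here is the original rule set beside the corrected one. This is an added illustration, not something posted in the thread; DOMAIN\WebAppUsers is a placeholder group name. UrlAuthorizationModule walks the rules top down and applies the first one that matches the request's identity; if none of the application's rules matches, evaluation continues into the inherited rules, and machine.config ends with <allow users="*" />. That is why the original configuration admits every domain account.

```xml
<!-- Original rules. Walking them top down, first match wins:
       anonymous request                 -> <allow roles> no match, <deny users="?"> matches  -> 401
       DOMAIN\alice, member of the group -> <allow roles> matches                             -> allowed
       DOMAIN\bob, not a member          -> <allow roles> no match, "?" only matches anonymous,
                                            falls through to the inherited <allow users="*"/> -> allowed -->
<authorization>
  <allow roles="DOMAIN\WebAppUsers" />
  <deny users="?" />
</authorization>

<!-- Corrected rules: everyone who did not match the allow rule is denied, whether
     they are anonymous or a valid domain account outside the group. -->
<authorization>
  <allow roles="DOMAIN\WebAppUsers" />
  <deny users="*" />
</authorization>
```

One caveat for Forms authentication specifically: the 401 that UrlAuthorizationModule produces for DOMAIN\bob is picked up by FormsAuthenticationModule and turned into a redirect to the loginUrl, so a domain user who is outside the group simply sees the login page again. If that is confusing for users, the global.asax redirect to a dedicated "no access" page is the friendlier option.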

  3. rmac

    rmac Guest

    Thank you for your response. It was very helpful.

     
    rmac, Dec 19, 2003
    #3
  4. rmac

    rmac Guest

    Brad,

    I have tried the method you mentioned. I am not able to
    check the roles. If I put in code on the requested page to
    check for the group I come up empty. Ex:

    If Context.User.IsInRole("domainname\group") = True Then
        lblName.Text = "Hello " & Context.User.Identity.Name & "."
    End If

    The label text is empty.

    If I do this and deny unauthenticated users in the
    web.config:

    If Request.IsAuthenticated = True Then
        lblName.Text = "Hello " & Context.User.Identity.Name & "."
    End If

    the label shows the user name.

    In my web.config file if I do this:

    <allow users="domain\group" />
    <deny users="*" />

    I cannot login no matter what account I use.

    Am I missing something?

    Thanks
    rmac

     
    rmac, Dec 19, 2003
    #4
  5. rmac

    Brad Guest

    Your example of
    <allow users="domain\group" />
    <deny users="*" />
    Should be
    <allow roles="domain\group" />
    <deny users="*" />


    FYI - You can also look at "Configure ASP.NET Settings" in the following
    MSDN topic
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
    It's from the book "Building Secure Microsoft ASP.NET Applications", which I
    highly recommend.

    Brad


     
    Brad, Dec 19, 2003
    #5
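Why Context.User.IsInRole comes back false under Forms authentication, and what makes <allow roles="..."> work, is worth spelling out. Forms authentication gives the request a GenericPrincipal wrapping a FormsIdentity, and that principal carries no roles at all; it only knows about Windows groups if the application attaches them. KB 326340 does this by having the login page look up the user's groups in Active Directory, store them pipe-separated in the ticket's UserData, and rebuild the principal in Application_AuthenticateRequest. The handler below is an added example in that pattern, not code from the thread or from the KB article. It assumes the login page issued the ticket with UserData in that format and that the stored group names carry the domain prefix, i.e. the same string you put in <allow roles="..."> and pass to IsInRole.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' global.asax handler. Assumption: the login page built the ticket roughly as
'   Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
'       DateTime.Now.AddMinutes(30), False, groups)   ' groups = "DOMAIN\Grp1|DOMAIN\Grp2"
'   Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
'       FormsAuthentication.Encrypt(ticket)))
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim cookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
    If cookie Is Nothing Then
        ' Anonymous request: leave it to UrlAuthorizationModule (<deny users="?"> / "*").
        Return
    End If

    Dim ticket As FormsAuthenticationTicket = Nothing
    Try
        ticket = FormsAuthentication.Decrypt(cookie.Value)
    Catch ex As Exception
        ' Tampered or undecryptable cookie: treat the request as anonymous, never trust it.
        Return
    End Try
    If ticket Is Nothing OrElse ticket.Expired Then
        Return
    End If

    ' Groups were stored pipe-separated in UserData at login time (assumption, KB 326340 pattern).
    Dim roles As String() = ticket.UserData.Split("|"c)

    ' Replace the role-less principal that FormsAuthenticationModule created with one that
    ' carries the group names. AuthorizeRequest runs after this event, so both
    ' <allow roles="DOMAIN\Group"> in web.config and Context.User.IsInRole("DOMAIN\Group") now work.
    Dim identity As New FormsIdentity(ticket)
    Context.User = New GenericPrincipal(identity, roles)
End Sub
```

Two things to keep in mind with this design. The group list is only trustworthy because the ticket is encrypted and signed by the server (the default protection="All" on the <forms> element); with protection="None" or "Validation" alone a user could edit UserData and grant themselves a group. And the groups are a snapshot taken at login, so removing a user from the AD group takes effect only when their ticket expires or they log in again, which is an argument for a short ticket timeout on sensitive sites.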
