pjdouillard
Hello all,
Here is the context of my problem:
We have an ASP.NET 1.1 application that has its own application pool
set up and that runs under the identity of an NT Domain service account
(this is for security reasons when accessing databases). We use
Integrated Windows authentication to authenticate users, and we have
set up the Web.config file to authenticate those users against 3 NT
Domain Global Groups. Everything is working fine (the application has
been up and running for 1.5 years already) and security respects the
application's security requirements.
We are in the process of moving all of our servers (including this IIS
6.0 server) into AD (Active Directory). This week was this server's
turn to be migrated and everything turned out OK from a migration point
of view. What is not working anymore is the authentication of
users.
Remember I just said that the application pool is running under a NT
Domain service account? Well since we are moving to AD, we also have
to move the user accounts (and service accounts) into AD. So we are
now using an AD service account to run the application pool. So far so
good, but to our dismay, we are unable to authenticate any users
anymore! It looks like IIS's new Application Pool identity isn't able
to validate against AD properly. The migration team and I have checked
a lot of things, but we must be missing something trivial.
If anyone can point me in some direction, I would appreciate it.
And here is an excerpt from our Web.config file concerning the
authentication and authorization.
<system.web>
  ....
  <authentication mode="Windows" />
  <identity impersonate="false"/>
  <authorization>
    <allow roles="AD\group1, AD\group2, AD\group3" />
    <deny users="*" />
  </authorization>
  ....
</system.web>
And yes, the <identity impersonate="false"/> is correct since we are
using the Application's Pool identity.
Thank you for any help!
P.J