V
vp
We have an ASP.NET 1.1 web service that has its own application pool
setup (in IIS 6.0) and that runs under the identity of a Windows
Domain account
(this is for security reason when accessing databases).
We allow only Integrated Widnows Authentication on the web service.
we are setting the impersonate to false as that is the only way the
application pool identity is used for the DB access.
<identity impersonate="false"/>
What we would like to also do is to restrict the web service access to
specific windows accounts. We tried doing with the authorization tags
but this does not seem to work. It seems to allows every Windows user
irrespective of the allow list.
The following is a snapshot of our webconfig. Any help is greatly
appreciated.
<system.web>
<trust level="Full" originUrl="" />
<authentication mode="Windows" />
<identity impersonate="false" />
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="off" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
<location path="test.asmx">
<system.web>
<authorization>
<allow users ="Mydomain\user1" />
<deny users = "*"/>
</authorization>
</system.web>
</location>
We try to restrict access to the user Mydomain\user1 but every one is
able to still access the webservice
setup (in IIS 6.0) and that runs under the identity of a Windows
Domain account
(this is for security reason when accessing databases).
We allow only Integrated Widnows Authentication on the web service.
we are setting the impersonate to false as that is the only way the
application pool identity is used for the DB access.
<identity impersonate="false"/>
What we would like to also do is to restrict the web service access to
specific windows accounts. We tried doing with the authorization tags
but this does not seem to work. It seems to allows every Windows user
irrespective of the allow list.
The following is a snapshot of our webconfig. Any help is greatly
appreciated.
<system.web>
<trust level="Full" originUrl="" />
<authentication mode="Windows" />
<identity impersonate="false" />
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="off" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
<location path="test.asmx">
<system.web>
<authorization>
<allow users ="Mydomain\user1" />
<deny users = "*"/>
</authorization>
</system.web>
</location>
We try to restrict access to the user Mydomain\user1 but every one is
able to still access the webservice