A
ASP.Net programmer
I have a weird problem securing my ASP.Net application. I know it's
probably my fault, but I just don't get it to work.
- Anonymous access is disabled on the IIS Server.
- Integrated Windows security is enabled on the IIS Server.
Web.config (excerpt, slightly edited):
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<location path="admin">
<system.web>
<authorization>
<allow users="Domain\admin_account"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="Domain\Domain Users" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
The problem is: I (as a normal user) can access the normal pages as
expected, but also the admin directory.
I enabled trace and the only status-code for a request is 200. I know
there also should be a 400 (or 401) for the authentication, but it just
isn't there.
The LOGON_USER property of the trace shows my account.
My question is: what did I forget?
probably my fault, but I just don't get it to work.
- Anonymous access is disabled on the IIS Server.
- Integrated Windows security is enabled on the IIS Server.
Web.config (excerpt, slightly edited):
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<location path="admin">
<system.web>
<authorization>
<allow users="Domain\admin_account"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="Domain\Domain Users" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
The problem is: I (as a normal user) can access the normal pages as
expected, but also the admin directory.
I enabled trace and the only status-code for a request is 200. I know
there also should be a 400 (or 401) for the authentication, but it just
isn't there.
The LOGON_USER property of the trace shows my account.
My question is: what did I forget?