authentication: deny users=* problem

Discussion in 'ASP .Net' started by Dan, Nov 15, 2004.

  1. Dan

    Dan Guest

    hi ng.

    i have a strange behaviour when i want to control who can access a web
    application by setting web.config like:
    <authorization>
    <allow users="DOMAIN\ACCOUNT,..." />
    <deny users="*" />
    </authorization>

    the authorization is working fine, but the user receives the standard
    "The page cannot be displayed"
    error page.
    whereas when the authorization check is disabled, everything is working
    fine.

    my iis settings are:
    allow anonymous access
    integrated windows authentication enabled

    i have no idea about what could be wrong.
    thanks a lot,
    dan
    Dan, Nov 15, 2004
    #1

  2. Dan

    Norman Yuan Guest

    It looks to me that your <allow... /> and <deny.../> in web.config do not
    make sense: first you want to allow access for users in a domain, then you
    deny access to ALL USERS, so that your ASP.NET app cannot be accessed by
    anyone. If you want to block anonymous users, it should be <deny users="?"
    />. But the better way to deny anonymous access is to simply uncheck "Anonymous
    access" in the IIS settings for the ASP.NET application.

    "Dan" <-tuebingen.de> wrote in message
    news:cna9f1$u4v$-tuebingen.de...
    > hi ng.
    >
    > i have a strange behaviour when i want to control who can access a web
    > application by setting web.config like:
    > <authorization>
    > <allow users="DOMAIN\ACCOUNT,..." />
    > <deny users="*" />
    >
    > the authorization is working fine, but the user receives the standard
    > "The page cannot be displayed"
    > error page.
    > whereas when the authorization check is disabled, everything is working
    > fine.
    >
    > my iis settings are:
    > allow anonymous access
    > integrated windows authentication enabled
    >
    > i have no idea about what could be wrong.
    > thanks a lot,
    > dan
    Norman Yuan, Nov 15, 2004
    #2

  3. Dan

    Jos Guest

    Norman Yuan wrote:
    > It looks to me that your <allow... /> and <deny.../> in web.config
    > do not make sense: first you want to allow access for users in a
    > domain, then you deny access to ALL USERS, so that your ASP.NET app
    > cannot be accessed by anyone. If you want to block anonymous users,
    > it should be <deny users="?" />. But the better way to deny anonymous
    > access is to simply uncheck "Anonymous access" in the IIS settings for the
    > ASP.NET application.


    I'll have to disagree here Norman.
    Dan's configuration is 100% OK. See also:
    http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp

    The rule here is that the authorization block is checked
    from top to bottom, and the first match is the one that counts.

    But I agree with you that disabling "Anonymous access" would
    solve Dan's problem.

    Dan, you're using the ASPNET account for anonymous
    access, which subsequently will be refused access.
    Disabling anonymous access will solve this problem.

    --

    Jos
    Jos, Nov 15, 2004
    #3
  4. Dan

    Steven Spits Guest

    Norman wrote:

    > It looks to me that your <allow... /> and <deny.../> in web.config do not
    > make sense: first you want to allow access for users in a domain, then you
    > deny access to ALL USERS, so that your ASP.NET app cannot be
    > accessed by anyone.


    This is not true, his web.config does make sense!

    From MSDN:

    "At run time, the authorization module iterates through the <allow> and
    <deny> tags until it finds the first access rule that fits a particular
    user. It then grants or denies access to a URL resource depending on whether
    the first access rule found is an <allow> or a <deny> rule."

    If a user cannot log in, his account doesn't match the one you specified in
    your <allow> block.

    Steven

    - - -
    Steven Spits, Nov 15, 2004
    #4
  5. Dan

    Dan Guest

    Thanks for your support, but the problem was that my domain settings were
    wrong.
    The settings do make sense: I can control which domain user gets access
    to the application.
    deny=? would mean that every user authenticated by Active Directory gets
    access.

    Dan

    Norman Yuan wrote:

    > It looks to me that your <allow... /> and <deny.../> in web.config do not
    > make sense: first you want to allow access for users in a domain, then you
    > deny access to ALL USERS, so that your ASP.NET app cannot be accessed by
    > anyone. If you want to block anonymous users, it should be <deny users="?"
    > />. But the better way to deny anonymous access is to simply uncheck "Anonymous
    > access" in the IIS settings for the ASP.NET application.
    >
    > "Dan" <-tuebingen.de> wrote in message
    > news:cna9f1$u4v$-tuebingen.de...
    >
    >>hi ng.
    >>
    >>i have a strange behaviour when i want to control who can access a web
    >>application by setting web.config like:
    >> <authorization>
    >> <allow users="DOMAIN\ACCOUNT,..." />
    >> <deny users="*" />
    >>
    >>the authorization is working fine, but the user receives the standard
    >>"The page cannot be displayed"
    >>error page.
    >>whereas when the authorization check is disabled, everything is working
    >>fine.
    >>
    >>my iis settings are:
    >>allow anonymous access
    >>integrated windows authentication enabled
    >>
    >>i have no idea about what could be wrong.
    >>thanks a lot,
    >>dan

    Dan, Nov 15, 2004
    #5
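The first-match rule quoted from MSDN in this thread, modelled as an added example (not code from any poster and not ASP.NET's own implementation). It assumes users-only rules, represents an anonymous request as `None`, assumes the inherited default `<allow users="*" />` applies when no rule matches, and uses constructed configs based on the thread's `DOMAIN\ACCOUNT` placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed configs. DAN_CONFIG mirrors the thread's web.config fragment.
DAN_CONFIG = r"""<authorization>
  <allow users="DOMAIN\ACCOUNT" />
  <deny users="*" />
</authorization>"""

# The alternative suggested in the thread: only anonymous users are denied.
DENY_ANONYMOUS_CONFIG = r"""<authorization>
  <deny users="?" />
</authorization>"""

# Same rules as DAN_CONFIG in the opposite order, to show that order matters.
REVERSED_CONFIG = r"""<authorization>
  <deny users="*" />
  <allow users="DOMAIN\ACCOUNT" />
</authorization>"""


def parse_rules(config_xml):
    """Return [(action, [user patterns])] in document order."""
    rules = []
    for element in ET.fromstring(config_xml):
        if element.tag in ("allow", "deny"):
            names = element.get("users", "").split(",")
            rules.append((element.tag, [n.strip().lower() for n in names if n.strip()]))
    return rules


def matches(pattern, user):
    """'*' matches everyone, '?' matches anonymous (None), else a name match."""
    if pattern == "*":
        return True
    if pattern == "?":
        return user is None
    return user is not None and pattern == user.lower()


def is_authorized(config_xml, user):
    """Walk the rules top to bottom; the first matching rule decides."""
    for action, patterns in parse_rules(config_xml):
        if any(matches(p, user) for p in patterns):
            return action == "allow"
    return True  # assumption: inherited default <allow users="*" />
```

Under `DAN_CONFIG` only the named account gets through and an anonymous request is denied, while `DENY_ANONYMOUS_CONFIG` admits every authenticated account, which is the difference post #5 points out.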