Authorization using Windows Authentication

Discussion in 'ASP .Net' started by DK, Sep 23, 2008.

  1. DK

    DK Guest

    I have an intranet application I've built using asp.net 3.5 / running on
    IIS6

    I want to use BUILTIN groups on the server that contain domain users. So I
    set up my web.config like so for example:
    <authorization>
    <allow roles="BUILTIN\Intranet_Admin"/>
    <!--<allow roles="GNB\archivesemp"/> works-->
    <!--<allow users="GNB\dking"/> works-->
    <deny users="*"/>
    ......

    Using BUILTIN roles, when accessing the app, a Windows pop-up appears asking
    for a user name and password. Why, and how can I get around this?

    Using domain users or groups works fine.

    Thanks.
     
    DK, Sep 23, 2008
    #1

  2. DK

    Usenet User Guest

    On Tue, 23 Sep 2008 11:24:27 -0300, "DK" <>
    wrote:

    >I have an intranet application I've built using asp.net 3.5 / running on
    >IIS6
    >
    >I want to use BUILTIN groups on the server that contain domain users. So I
    >set up my web.config like so for example:
    ><authorization>
    > <allow roles="BUILTIN\Intranet_Admin"/>
    > <!--<allow roles="GNB\archivesemp"/> works-->
    > <!--<allow users="GNB\dking"/> works-->
    > <deny users="*"/>
    >.....
    >
    >Using BUILTIN roles, when accessing the app, a Windows pop-up appears asking
    >for a user name and password. Why, and how can I get around this?
    >
    >Using domain users or groups works fine.
    >
    >Thanks.


    When an app requires Windows authentication, IIS sends a challenge to
    the browser asking for credentials. If your remote client is logged in
    to the domain and the app is located on the local intranet/trusted
    site, the browser (IE specifically, others do not do that) sends back
    the client's NT authentication token. The IIS accepts and verifies it
    against the domain, and then lets the user in without asking for
    logon.

    In your case you're only letting BUILTIN\Intranet_Admin group in. That
    group is local to the server where IIS is located. While your client
    user may be a part of this group, the IIS does not perform
    authentication against the domain for this group, therefore your
    client's domain token is no good.

    Perhaps I am not quite correct about the semantics here, but that's
    what I believe happens.
     
    Usenet User, Sep 23, 2008
    #2
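
An added diagnostic, not part of either post above: a minimal ASP.NET generic handler (hypothetical file name WhoAmIRoles.ashx) that lists the group names carried in the authenticated Windows token and evaluates the role string from the question's web.config, so the names ASP.NET actually sees can be compared with the one in `<allow roles="..."/>`. It assumes Windows authentication is enabled and that the handler sits somewhere the caller is already authorized to reach.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmIRoles" %>
// Added example: hypothetical diagnostic handler, not code from the thread.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIRoles : IHttpHandler
{
    // Role string taken from the question's web.config; edit to test other spellings.
    private const string RoleUnderTest = @"BUILTIN\Intranet_Admin";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // With Windows authentication the request identity is a WindowsIdentity.
        WindowsIdentity id = context.User == null
            ? null : context.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
        {
            r.Write("No authenticated Windows identity on this request.\n");
            return;
        }

        r.Write("User: " + id.Name + "\n");
        r.Write("Authentication type: " + id.AuthenticationType + "\n");
        r.Write("IsInRole(" + RoleUnderTest + "): "
                + new WindowsPrincipal(id).IsInRole(RoleUnderTest) + "\n\n");

        // Every group SID in the token, resolved to the DOMAIN\name form
        // that role checks compare against.
        r.Write("Groups in token:\n");
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unresolved)"; }
            r.Write("  " + name + "  [" + sid.Value + "]\n");
        }
    }
}
```

The output discloses the caller's group memberships, so remove the handler once the role name has been checked.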