Cannot access aspx page if user is not in Admin group

Discussion in 'ASP .Net Security' started by Mathew Uthup, Jun 20, 2005.

  1. Mathew Uthup

    Mathew Uthup Guest

    We have a secure directory with an aspx page called Reports.aspx runnig on
    Windows2000 server with service pack 4. This directory has access rights to
    only a specific gg_support group.We have Disabled anonymous access to this
    directory and only enabled windows integrated authentication on this page and
    in this directory for this group gg_suupport
    However none of the members of this group can access any aspx page in this
    directory unless they belong to the admin group. We do not want to give admin
    rights to all members of this group nor do we want to give anonymous access
    to this directory. The web config file explicitly sets impersonate to false.
    No matter what, we cannot get it to work. The only way we can get it to work
    is to grant Anonymous access or to give admin rights to this Group. My
    understanding based on the readings from MSDN is that if Impersonate is set
    to false and Integrated Authentication is enabled by IIS. The aspx worker
    thread should execute under the default aspx account for IIS. My question,
    isn’t Default account the same as used by the anonymous account? How do I get
    it to work with the desired security setting that we need?

    Thanks Mathew
    Mathew Uthup, Jun 20, 2005
    #1
    1. Advertising

  2. Mathew Uthup

    Mathew Uthup Guest

    We figured this one out with a Microsoft support case. Apparently one needs
    to Restart IIS if a new user is added to windows authenticated Directory. For
    some Reason Aspx_Isapi does not refresh the Cached ACL in IIS5.0 ( I think
    this is a Bug).Only Aspx extension in the secured directory has this problem
    which leads me to think that ACL information is somehow cached by the
    ASpx_isapi. Well one work around to this problem is to create a Local
    ASP_User Group and give this Group all the necessary ACL permission for
    Running ASP see the Following article
    "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetrequiredaccesscontrollistsacls.asp"
    and add users to this group. Once this Group exists adding new users to this
    group somehow does not require Reboot of IIS. Hence I suggest planning ahead
    by creating a Local user group with proper ACL Permissions for running
    ASP.net if you want to avoid Rebooting IIS in production environment if you
    plan to use Windows authentication. By the way in our case users in the Admin
    Group had the proper ACL Permission for running ASP.net hence adding users
    who belonged to this group always worked and did not require a Reboot of IIS.
    Hope this Bug will be fixed in the next version of Asp.net

    "Mathew Uthup" wrote:

    > We have a secure directory with an aspx page called Reports.aspx runnig on
    > Windows2000 server with service pack 4. This directory has access rights to
    > only a specific gg_support group.We have Disabled anonymous access to this
    > directory and only enabled windows integrated authentication on this page and
    > in this directory for this group gg_suupport
    > However none of the members of this group can access any aspx page in this
    > directory unless they belong to the admin group. We do not want to give admin
    > rights to all members of this group nor do we want to give anonymous access
    > to this directory. The web config file explicitly sets impersonate to false.
    > No matter what, we cannot get it to work. The only way we can get it to work
    > is to grant Anonymous access or to give admin rights to this Group. My
    > understanding based on the readings from MSDN is that if Impersonate is set
    > to false and Integrated Authentication is enabled by IIS. The aspx worker
    > thread should execute under the default aspx account for IIS. My question,
    > isn’t Default account the same as used by the anonymous account? How do I get
    > it to work with the desired security setting that we need?
    >
    > Thanks Mathew
    >
    Mathew Uthup, Jun 22, 2005
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jerry Tovar
    Replies:
    1
    Views:
    2,729
    Jim Cheshire [MSFT]
    Oct 23, 2003
  2. Ching-Lung

    Adding new user to admin group

    Ching-Lung, Jan 7, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    4,300
    Coucou à toutes et à tous
    Jan 9, 2004
  3. Chad Dressler
    Replies:
    0
    Views:
    634
    Chad Dressler
    Dec 30, 2006
  4. sarah Fernandes
    Replies:
    0
    Views:
    490
    sarah Fernandes
    Nov 1, 2010
  5. Phlip
    Replies:
    1
    Views:
    280
    Eero Saynatkari
    Sep 15, 2006
Loading...

Share This Page