Configuring Windows-based Authentication and UrlAuthorization

MCM

I have a web application that is partially public and partially intranet. I
need help configuring the security.

All the public urls are located in the root directory. The intranet urls are
located in a subdirectory called Admin. In IIS, I have 2 bindings configured
- one with a public DNS name and one with the internal server name so IE will
recognize the site as part of the intranet. These are the sections in my
web.config as I have them now:

<system.web>
<httpModules>
<remove name="FormsAuthentication" />
<remove name="PassportAuthentication" />
<remove name="AnonymousIdentification" />
<remove name="FileAuthorization" />
<remove name="OutputCache" />
<remove name="RoleManager" />
<remove name="Profile" />
<remove name="ServiceModel" />
<remove name="ErrorHandlerModule" />
<add name="ScriptModule"
type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35" />
</httpModules>
<authentication mode="Windows" />
</system.web>

<location path="Admin">
<system.web>
<authorization>
<allow roles="DOMAIN\Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>

The public portion of the application loads fine. The intranet portion is
giving me access errors. I'm sure I have it configured wrong.
 
Guest

I have a web application that is partially public and partially intranet. I
need help configuring the security.

All the public urls are located in the root directory. The intranet urls are
located in a subdirectory called Admin. In IIS, I have 2 bindings configured
- one with a public DNS name and one with the internal server name so IE will
recognize the site as part of the intranet. These are the sections in my
web.config as I have them now:

    <system.web>
        <httpModules>
            <remove name="FormsAuthentication" />
            <remove name="PassportAuthentication" />
            <remove name="AnonymousIdentification" />
            <remove name="FileAuthorization" />
            <remove name="OutputCache" />
            <remove name="RoleManager" />
            <remove name="Profile" />
            <remove name="ServiceModel" />
            <remove name="ErrorHandlerModule" />
            <add name="ScriptModule"
                 type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35" />
        </httpModules>
        <authentication mode="Windows" />
    </system.web>

    <location path="Admin">
        <system.web>
            <authorization>
                <allow roles="DOMAIN\Administrators" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

The public portion of the application loads fine. The intranet portion is
giving me access errors. I'm sure I have it configured wrong.

1) Try changing the location path to "~/admin"
2) Check if Windows authentication is enabled (if IIS really receives
your membership)
 
MCM

1) Try changing the location path to "~/admin"

That didn't work. It just lets all users have access if I change it to
that. When it is set to "Admin", it does respond correctly by requiring
permission for the appropriate directory. But even authorized users are
getting prompted for credentials. And even admin credentials are being
rejected with "401 - Unauthorized: Access is denied due to invalid
credentials."
2) Check if Windows authentication is enabled (if IIS really receives
your membership)

It is.
 
Thomas Sun [MSFT]

Hi MCM,

This is Thomas Sun from MSDN managed newsgroup. I will assist you with this
case.

From your description, I understand that you use Windows Authentication to
authenticate your ASP.NET web application, which contains two parts: a public
part and a private part. The private part, named "Admin", uses <location>
settings so that only the Administrators role is allowed access. If I have
misunderstood you, please feel free to let me know.

Firstly, we need to make sure the identity that requests your website is in
the Administrators role that you specify in the <allow> section of the
<location> settings. For a test, we can display the identity name in the page
with the following code:
===============================
Response.Write(User.Identity.Name);
===============================

Besides, we can also specify a domain user in the <location> settings and then
request your website with that identity to see whether it works. For
example:
===============================
<location path="Admin">
<system.web>
<authorization>
<allow users="YourDomain\OneUserName"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
===============================

I look forward to receiving your test results.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support

--------------------
 
MCM

Hi Thomas-
Firstly, we need to make sure the identity that requests your website is in
the Administrators role that you specify in the <allow> section of the
<location> settings. For a test, we can display the identity name in the page
with the following code:
===============================
Response.Write(User.Identity.Name);
===============================

No name is displaying at all. This value is blank. Could this be a browser
setting?

Besides, we can also specify a domain user in the <location> settings and then
request your website with that identity to see whether it works. For
example:
===============================
<location path="Admin">
<system.web>
<authorization>
<allow users="YourDomain\OneUserName"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
===============================

This also does not let me have access. But I presume that until we fix the
blank username problem, we won't get anywhere.

-Max
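A diagnostic page, added here as example code (not from the thread, MCM, or Microsoft), that extends the Response.Write(User.Identity.Name) test Thomas suggested and explains the blank name Max reports: it shows whether the browser sent an Authorization header at all, what Windows token IIS produced, and whether the role check that <allow roles> performs succeeds. The file name WhoAmI.aspx, the class name and the role string are assumptions.

```csharp
// Example diagnostic page (not from the thread): Admin/WhoAmI.aspx.cs.
// Reports what IIS and ASP.NET actually know about the caller so a
// 401 or a blank User.Identity.Name can be traced to its cause.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Role under test; the thread's config uses DOMAIN\Administrators.
    // For the server's local Administrators group the Windows principal
    // expects the name BUILTIN\Administrators instead.
    private const string AdminRole = @"DOMAIN\Administrators";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Did the browser send credentials at all? When IE does not treat the
        // site as Local intranet it never sends this header, IIS serves the
        // request anonymously, and User.Identity.Name stays blank.
        string authHeader = Request.Headers["Authorization"];
        Response.Write("Authorization header present: " + (authHeader != null) + "\n");
        if (authHeader != null)
            Response.Write("Scheme: " + authHeader.Split(' ')[0] + "\n"); // Negotiate or NTLM

        // The principal ASP.NET evaluates <allow>/<deny> rules against.
        Response.Write("IsAuthenticated: " + User.Identity.IsAuthenticated + "\n");
        Response.Write("AuthenticationType: " + User.Identity.AuthenticationType + "\n");
        Response.Write("Name: '" + User.Identity.Name + "'\n");

        // The Windows token IIS created for this request. An anonymous token
        // here means the IIS site or folder still allows Anonymous access.
        WindowsIdentity logon = Request.LogonUserIdentity;
        if (logon != null)
        {
            Response.Write("IIS logon user: '" + logon.Name + "'\n");
            Response.Write("Anonymous token: " + logon.IsAnonymous + "\n");
        }

        // Same membership test UrlAuthorization runs for <allow roles="...">.
        Response.Write("In role " + AdminRole + ": " + User.IsInRole(AdminRole) + "\n");
    }
}
```

Request the page through both IIS bindings (short server name and FQDN); the first line tells you immediately whether the browser or the server-side configuration is the side withholding the credentials.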
 
Thomas Sun [MSFT]

Hi MCM,

Thanks for your response.

Please make sure we only enable Integrated Windows Authentication and
disable the Anonymous access option on IIS. When anonymous access is enabled,
no authenticated user credentials are required to access the site. For more
information, see http://support.microsoft.com/kb/324274


I look forward to receiving your test results.
 
Guest

That didn't work. It just lets all users have access if I change it to
that. When it is set to "Admin", it does respond correctly by requiring
permission for the appropriate directory. But even authorized users are
getting prompted for credentials. And even admin credentials are being
rejected with "401 - Unauthorized: Access is denied due to invalid
credentials."


It is.

hm...

What happens if you delete the location path from the main web.config file and
move that configuration into the Admin folder? You should put this there:

<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="DOMAIN\Administrators" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
 
Guest

Is it possible to disable anonymous access just for the Admin folder? I'd
like to allow it for the public section.


Use <deny users="?"/> to disable anonymous users

<deny users="*"/> blocks everyone
 
Guest

I tried disabling Anonymous access, but there was no change.


Well, I would try to set up a clean web.config, get rid of

<remove name="FormsAuthentication" />
<remove name="PassportAuthentication" />
<remove name="AnonymousIdentification" />
<remove name="FileAuthorization" />
<remove name="OutputCache" />
<remove name="RoleManager" />
<remove name="Profile" />
<remove name="ServiceModel" />
<remove name="ErrorHandlerModule" />

(let's load all by default)

enable trace

and put just

<deny users="?"/>

and see what happens
 
MCM

I have tried that as well.

Anon User said:
Well, I would try to set up a clean web.config, get rid of

<remove name="FormsAuthentication" />
<remove name="PassportAuthentication" />
<remove name="AnonymousIdentification" />
<remove name="FileAuthorization" />
<remove name="OutputCache" />
<remove name="RoleManager" />
<remove name="Profile" />
<remove name="ServiceModel" />
<remove name="ErrorHandlerModule" />

(let's load all by default)

enable trace

and put just

<deny users="?"/>

and see what happens
 
Thomas Sun [MSFT]

Hi MCM,

Could you please tell me how you configured your website on IIS? Did you
create a Virtual Directory for the Admin folder? As I mentioned above, when
we use Anonymous access, user credentials won't be sent. And one
application can have only one authentication mode.

If you want to enable Anonymous access for the public part and use Integrated
Windows Authentication for the Admin part, I suggest you treat them as separate
websites. By doing so, we can configure them separately on IIS.

For example, you can add a web.config file with Windows Authentication and an
<authorization> section in the Admin folder. On IIS, we can add a new Application
under your Public section and point its Physical path to the Admin folder.
If we do so, Admin is the child application of the Public application. And
then you can configure the Admin application using Integrated Windows
Authentication and configure the Public application using Anonymous access on
IIS.

I look forward to receiving your test results.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support



--------------------
 
MCM

I'm happy to work with Virtual Directories as needed. But just to get this
working at all, I tried to switch the whole site to Windows Authentication. I
used the following in my web.config:

<authentication mode="Windows"/>
<authorization>
<deny users="?" />
</authorization>

It is STILL giving me 401 access denied errors. Not sure what to try next.
 
MCM

Here's a weird twist... I tried it in Firefox and it works. Still no change
with IE8 though.
 
MCM

So I have all the security working as planned in Firefox, but still not
functional in IE8. A quick search for "windows authentication ie8" will show
you there are a lot of people out there with this problem. I assume there
must be a fix for it by now. Probably a security setting within IE? Any ideas?
 
Thomas Sun [MSFT]

Hi MCM,

If we create a simple ASP.NET website with Windows Authentication and deploy
it on IIS, does it have the same issue? What URL were you using to request
your website? Please try to add the URL to the Local intranet sites
(IE->Tools->Internet Options->Security tab->Select "Local intranet"-> Click
"Sites"->Click "Advanced" button->Add the URL), and enable "Automatic Logon
with current username and password" (Internet Explorer --> Tools-->Internet
Options --> Security-->Local Intranet Zone-->Custom Level-->User
Authentication-->Logon -->Automatic Logon with current username and
password).

If the issue still exists, could you please post detailed steps here that
can repro the issue? You can also send me a simplified package that can
repro the error on your machine. My email is (e-mail address removed).


I look forward to hearing from you.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support



--------------------
 
MCM

I was in the process of creating a package for you to test when I solved the
problem. In IIS, I had set the bindings for the site to http://SERVER. When I
changed the binding to http://test.domain.local and added that to the IE
Intranet zone, it works.

I still believe this is a pretty annoying bug in IE8 - especially since it
was working fine in Firefox. But in the end, I am able to work around it.

Thank you for your help.
 
Thomas Sun [MSFT]

Hi MCM,

Thanks for your update and I am glad that you resolved it.

For security, by default IE doesn't automatically send sensitive information
to a website that is not in the Local intranet list.

You can also post feedback on the Connect website
(https://connect.microsoft.com/IE/Feedback). Our developers will evaluate
it seriously and take it into consideration when designing future
releases of the product.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support


--------------------
 
MCM

Yes. I understand that the site had to be in the Intranet Zone - and it was.
I was just using the abbreviated server name instead of a FQDN. So even
though it was listed in Intranet and even though it worked in Firefox, it
didn't work in IE. I'll write a note to the IE Feedback site like you
suggested. Thanks.
 
Guest

Yes. I understand that the site had to be in the Intranet Zone - and it was.
I was just using the abbreviated server name instead of a FQDN. So even
though it was listed in Intranet and even though it worked in Firefox, it
didn't work in IE. I'll write a note to the IE Feedback site like you
suggested. Thanks.

Ensure that the "Include all network paths (UNC)" check box has been
checked (Internet Options - Security - Sites). If it was checked, it
could be interesting to see the difference in Fiddler between IE with
the abbreviated server name and with the FQDN.

Fiddler can be found here: www.fiddlertool.com

You might also try to add *.domain.local or 10.*.*.* to the sites list to
see if it works or not.
 