Subject: RE: file permissions
Date: Thu, 16 Oct 2003 10:58:46 -0700
Lines: 286
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcOUDyTYlIZvxbQ6RYKFOARDgaKPtA==
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Path: cpmsftngxa06.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7208
NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
Ok here is what I now know based on some pointers from
ZRH. These are the steps I had to take to enable selective
access to files using Windows as the authentication
format. I chose this format because the management of
users and files is already in place and it does not
require yet another username and password combination to
be remembered.
Keep in mind my configuration included a W2K server, IIS
5, and Active Directory services with the web server also
acting as a Domain Controller. So, having said that, to
control access to a file or directory with W2K and IIS5
when accessed via a web browser you must do the following:
In IIS Management Console set the "Authentication" method
to whatever level you prefer. This can be done for the
folder or virtual directory as well as individual files.
In my case I wish to allow some files to be accessed by
everyone so I have enabled both "Anonymous Access" for
this purpose and under "Authenticated Access" I have
enabled "Integrated Windows authentication". This allows
further access control using NTFS file permissions. The
most restrictive permissions will apply.
Enabling "Anonymous Access" will not allow an
unauthenticated user or user without proper credentials to
access a resource for which he has not been given access
rights through NTFS permissions. As a side note my
installation used the IUSR_machinename as the Anonymous
User account and the checkbox was enabled to allow IIS to
manage the password. Close IIS Management Console.
In Windows Explorer right-click on the file or folder that
you wish to change permissions for. Add or remove groups
and users as needed and change permissions for these
groups and users. I have found that the following accounts
must be added regardless of the other settings and have
found documentation that seems to support this:
Creator Owner - Full Control
System - Full Control
domainname\ASPNET - Read, Read/Execute
domainname\IWAM_machinename - Read, Read/Execute
and any other accounts you wish to have access this
resource. Close Windows Explorer.
Once this has been accomplished go to Start-->Program
Files-->Administrative Tools and open the Domain
Controller Security Policy. Once inside the Domain
Controller Security Policy Console go to Windows Settings--
Security Settings-->Local Policies-->User Rights
Assignments. In the right hand pane double-click
on "Impersonate a client after authentication". Enable
the "Define these policy settings" checkbox and
click "Add". Click "Browse" then find and select the
account IWAM_machinename and click OK-->OK-->OK. Close the
Domain Controller Security Policy Console.
At a command prompt issue the following command:
secedit /refreshpolicy machine_policy /enforce
then at the command prompt issue the following command:
iisreset
Close the command prompt window. Now we need to modify the
web.config file for the ASP.NET application as follows:
<authentication mode="Windows" />
<authorization>
<allow users="*" /> <!-- This allows all users to access
even if they are outside the domain provided NTFS
permissions allow it and IIS allows "Anonymous Access" -->
</authorization>
<identity impersonate="true"/> <!-- This allows ASP.NET to
impersonate the user requesting a restricted resource
after authentication has taken place. It requires that an
account be specified for the impersonation on the macine
hosting the ASP.NET application -->
Save the file and check for proper operation of the web
site pages you have modified the permissions for. If
anyone notices inaccuracies in document please feel free
to make corrections and thanks again to ZRH.
Here are some external resources I used:
http://support.microsoft.com/default.aspx?scid=kb;EN-
US;Q815171#4
http://4guysfromrolla.411asp.net/
http://www.jsiinc.com/SUBN/tip6900/rh6981.htm
-----Original Message-----
Okay in web.config I have :
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" userName="" password=""/>
I added mydomain\ASPNET to the ACL.
When I attempt to access the page I am NO LONGER prompted
for a username/password/domain and the web page returned
reports the following:
Server Error in '/Apps' Application.
---------------------------------------------------------- -
---------------------
Access is denied.
Description: An unhandled exception occurred during the
execution of the current web request. Please review the
stack trace for more information about the error and where
it originated in the code.
Exception Details: System.ApplicationException: Access is
denied.
Source Error:
An unhandled exception was generated during the execution
of the current web request. Information regarding the
origin and location of the exception can be identified
using the exception stack trace below.
Stack Trace:
[ApplicationException: Access is denied.
]
System.Security.Principal.WindowsIdentity._ResolveIdentity
(IntPtr userToken) +0
System.Security.Principal.WindowsIdentity.get_Name() +71
System.Web.Configuration.AuthorizationConfigRule.IsUserAll
o
wed(IPrincipal user, String verb) +100
System.Web.Configuration.AuthorizationConfig.IsUserAllowed
(IPrincipal user, String verb) +81
System.Web.Security.UrlAuthorizationModule.OnEnter
(Object source, EventArgs eventArgs) +178
System.Web.SyncEventExecutionStep.System.Web.HttpApplicati o
n+IExecutionStep.Execute() +60
System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously) +87
-----Original Message-----
James,
In the scenario you describe, you will need to give the aspnet_wp.exe
process account access or make it a member of your group. By default, this
would be the ASPNET account.
You can also enable impersonation and deny unauthenticated users so that
you get the identity of the user actually browsing the site.
Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)
This post is provided as-is with no warranties and confers no rights.
Subject: file permissions
Date: Wed, 15 Oct 2003 09:21:31 -0700
Lines: 58
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcOTOGUTgn87zP1oTlWgylW3LfDTgQ==
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Path: cpmsftngxa06.phx.gbl
Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:7186
NNTP-Posting-Host: TK2MSFTNGXA09 10.40.1.161
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
I have a W2K server, running IIS 6 and Active Directory
Services. I have an ASP.Net application off the root web
directory named "Apps". Within the IIS Manager I have the
Authentication method set to "Anonymous Access" as well
as "Authenticated Access" using "Integrated Windows
Authentication" for both the root web and the "Apps" sub-
directory. All files and directories under the "Apps"
folder are set in this manner.
The web config file is set to use "Windows" for
Authentication and "*" for Authorization.
Using Explorer I have changed the permissions for one file
in the "Apps" directory. For this file, let's call
it "myfile.aspx", I have removed the "Everyone" group. The
permissions for this file are as follows:
Creator Owner - Full Control
System - Full Control
mydomain\Administrators - Full Control
mydomain\MyGroup - Read, Read/Execute
If I attempt to access any file on this web via a web
browser it works as it should with the exception of this
single file, "myfile.aspx". When attempting to access this
file it will ask for a username/password/domain and will
not accept anyone, including anyone from
the "Administrators" or "MyGroup" groups.
The error I get in the browser is:
Server Error in '/Apps' Application.
--------------------------------------------------------
-
--
---------------------
Access is denied.
Description: An error occurred while accessing the
resources required to serve this request. You might not
have permission to view the requested resources.
Error message 401.3: You do not have permission to view
this directory or page using the credentials you supplied
(access denied due to ACLs). Ask the Web server's
administrator to give you access
to 'c:\inetpub\wwwroot\apps\myfile.aspx'.
--------------------------------------------------------
-
--
---------------------
Version Information: Microsoft .NET Framework
Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
This is the same basic configuration I use on other web
servers for security and have not had this problem before.
I have another server within this domain that is
configured in the same manner that works although it is
not an ASP.Net application. I have tried this from systems
logged into the domain and from systems not logged into
the domain with the same results.
.
.
