integrated login and folder permissions

fuzzyreality

I am running an ASP.NET site with IIS 6.0. I have integrated login
turned on and it works fine for all our users. However, I am trying to
prevent all but specific groups of users from having access to specific
folders on the website.
I tried doing this by setting the permissions on the folders to no
avail. I read that I may have to turn on impersonation, so I set that
to true, but did not specify an account. Still no luck.
Am I missing something here?
 
Paul Clement

On 13 Oct 2005 09:07:35 -0700, (e-mail address removed) wrote:

¤ I am running an ASP.NET site with IIS 6.0. I have integrated login
¤ turned on and it works fine for all our users. However, I am trying to
¤ prevent all but specific groups of users from having access to specific
¤ folders on the website.
¤ I tried doing this by setting the permissions on the folders to no
¤ avail. I read that I may have to turn on impersonation, so I set that
¤ to true, but did not specify an account. Still no luck.
¤ Am I missing something here?

Well yes if you're limiting access to specific users you need to enable impersonation so that NTLM
can validate credentials per user for your file resources. You should then be able to enable group
level security at the folder level by setting the appropriate access for those folders. I'm assuming
at this point that these folders are local to the web server.


Paul
~~~~
Microsoft MVP (Visual Basic)
 
fuzzyreality

I have set impersonation to true, but did not specify a user, as I
understand it should be. Yet the permissions that I set on the folders
still seem to have no effect. Yes, the folders are local to the
web server. Is there some other line besides
<identity impersonate="true" />
that I need to add to the web.config file to get this to work?
 
Dominick Baier [DevelopMentor]

Hello Paul,

The FileAuthorizationModule, which does the access checking for disk files
(when <authentication mode="Windows" /> is set), uses the Windows token that
resulted in IIS integrated authentication. Turning impersonation on for this
to work is NOT required.

The domain users need at least read privileges for the files that should
be accessible to them.

Another option is to set resource permissions in web.config by using an <authorization>
element.
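
The `<authorization>` option mentioned above, applied to the "admin" folder from this thread, as an added example that is not part of the original post. The group name `EXAMPLE\Admin Assistants` is a placeholder assumption, and no `<identity impersonate>` element is included, in line with the statement that impersonation is not required for the access check:

```xml
<!-- Added example: web.config at the site root. EXAMPLE\Admin Assistants is a
     placeholder group name, not taken from the thread. -->
<configuration>
  <system.web>
    <!-- Use the Windows token produced by IIS integrated authentication. -->
    <authentication mode="Windows" />

    <!-- Site-wide rule: reject anonymous requests; authenticated users pass. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for the "admin" folder only. Rules are evaluated top to bottom and
       the first match wins, so the allow must come before the deny. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="EXAMPLE\Admin Assistants" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules apply only to requests that ASP.NET handles; on IIS 6, files in the folder that are not mapped to ASP.NET are still governed by their NTFS permissions alone.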
 
fuzzyreality

I thought I might need to clarify further.
Integrated login is turned on.
Impersonation is set to true.
I have a folder "admin", containing an ASP.NET page, which I wish my
"domain users" to be denied access to.
However, I want my "admin assistants" to have access to this folder and
thus the page.
I have played around with the folder permissions, and NTFS permissions
do not appear to work. Even if I remove all domain users from the
folder, everyone can still access the folder.
I have noticed that the "localcomputer\USERS" must have read rights to
the folder for anyone to be able to access the page. I'm wondering if
this should be removed and replaced with a different account? Simply
removing the account generates an error which I am as yet unable to get
to display.
Hopefully this makes a little more sense.
 
fuzzyreality

After playing with the site some more, I found that if I disable
inheritance on the actual page file and assign the desired NTFS
permissions, I get the desired result. While this is a suitable
workaround, I know this should not be the case.
 
Paul Clement

On Thu, 13 Oct 2005 13:55:32 -0700, Dominick Baier [DevelopMentor]

¤ Hello Paul,
¤
¤ The FileAuthorizationModule, which does the access checking for disk files
¤ (when <authentication mode="Windows" /> is set), uses the Windows token that
¤ resulted in IIS integrated authentication. Turning impersonation on for this
¤ to work is NOT required.
¤
¤ The domain users need at least read privileges for the files that should
¤ be accessible to them.
¤
¤ Another option is to set resource permissions in web.config by using an <authorization>
¤ element.
¤

Hi Dominick,

Are you saying there is no difference between accessing web application resources and resources
accessed via code? My understanding was that the latter required that the web app process execute
under an identity that had sufficient permissions to do so.

Of course I may have assumed incorrectly that was what he was attempting to do.


Paul
~~~~
Microsoft MVP (Visual Basic)
 
Dominick Baier [DevelopMentor]

Hello Paul,

I am saying that impersonation does not make a difference, because the FileAuthorizationModule
always uses the impersonation (=client) token to check for resource access.
 
Paul Clement

On Mon, 17 Oct 2005 10:04:48 -0700, Dominick Baier [DevelopMentor]

¤ Hello Paul,
¤
¤ I am saying that impersonation does not make a difference, because the FileAuthorizationModule
¤ always uses the impersonation (=client) token to check for resource access.

OK, gotcha. I was having some trouble keeping my authentication methods straight.


Paul
~~~~
Microsoft MVP (Visual Basic)
 
