integrated login and folder permissions

Discussion in 'ASP .Net Security' started by fuzzyreality@gmail.com, Oct 13, 2005.

  1. Guest

    I am running an ASP.NET site with IIS6.0. I have integrated login
    turned on and it works fine for all our users. However, I am trying to
    prevent all but specific groups of users from having access to specific
    folders on the website.
    I tried doing this by setting the permissions on the folders to no
    avail. I read that I may have to turn on impersonation, so I set that
    to true, but did not specify an account. Still no luck.
    Am I missing something here?
     
    , Oct 13, 2005
    #1

  2. Paul Clement Guest

    On 13 Oct 2005 09:07:35 -0700, wrote:

    ¤ I am running an ASP.NET site with IIS6.0. I have integrated login
    ¤ turned on and it works fine for all our users. However, I am trying to
    ¤ prevent all but specific groups of users from having access to specific
    ¤ folders on the website.
    ¤ I tried doing this by setting the permissions on the folders to no
    ¤ avail. I read that I may have to turn on impersonation, so I set that
    ¤ to true, but did not specify an account. Still no luck.
    ¤ Am I missing something here?

    Well yes if you're limiting access to specific users you need to enable impersonation so that NTLM
    can validate credentials per user for your file resources. You should then be able to enable group
    level security at the folder level by setting the appropriate access for those folders. I'm assuming
    at this point that these folders are local to the web server.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Oct 13, 2005
    #2

  3. Guest

    I have set impersonation to true, but did not specify a user as I
    understand it should be. Yet the permissions that I set on the folders
    still seem to have no effect. Yes, the folders are local to the
    webserver. Is there some other line besides
    <identity impersonate="true" />
    that I need to add to the web.config file to get this to work?
     
    , Oct 13, 2005
    #3
  5. Hello Paul,

    The FileAuthorizationModule, which does the access checking for disk files
    (when <authentication mode="Windows" /> is set), uses the Windows token that
    resulted in IIS integrated authentication. Turning impersonation on for this
    to work is NOT required.

    The domain users need at least read privileges for the files that should
    be accessible to them.

    Another option is to set resource permissions in web.config by using an <authorization>
    element.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > On 13 Oct 2005 09:07:35 -0700, wrote:
    >
    > ¤ I am running an ASP.NET site with IIS6.0. I have integrated login
    > ¤ turned on and it works fine for all our users. However, I am trying to
    > ¤ prevent all but specific groups of users from having access to specific
    > ¤ folders on the website.
    > ¤ I tried doing this by setting the permissions on the folders to no
    > ¤ avail. I read that I may have to turn on impersonation, so I set that
    > ¤ to true, but did not specify an account. Still no luck.
    > ¤ Am I missing something here?
    >
    > Well yes if you're limiting access to specific users you need to
    > enable impersonation so that NTLM can validate credentials per user
    > for your file resources. You should then be able to enable group level
    > security at the folder level by setting the appropriate access for
    > those folders. I'm assuming at this point that these folders are local
    > to the web server.
    >
    > Paul
    > ~~~~
    > Microsoft MVP (Visual Basic)
     
    Dominick Baier [DevelopMentor], Oct 13, 2005
    #5
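
Added example, not part of any post in this thread: a web.config sketch of the `<authorization>` option mentioned in the reply above, using ASP.NET URL authorization with Windows authentication. The folder name `admin` and the group `CONTOSO\Admin Assistants` are placeholder assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS performs Integrated Windows authentication; ASP.NET uses the
         resulting Windows identity. No <identity impersonate="true" /> is
         included, since the reply above says it is not required for this. -->
    <authentication mode="Windows" />

    <!-- Site default: reject anonymous requests ("?"), allow everyone else. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for the restricted folder (placeholder path). -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow for the group must come before the deny for "*". -->
        <allow roles="CONTOSO\Admin Assistants" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

URL authorization only covers requests that ASP.NET processes; on IIS 6, files that are not mapped to ASP.NET are protected by their NTFS ACLs alone. The file ACL check described in the reply still applies alongside these rules, so the allowed group also needs NTFS read access to the pages.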
  6. Guest

    I thought I might need to clarify further.
    Integrated login is turned on.
    Impersonation is set to true.
    I have a folder "admin", containing an ASP.NET page, which I wish my
    "domain users" to be denied access to.
    However, I want my "admin assistants" to have access to this folder and
    thus the page.
    I have played around with the folder permissions and NTFS permissions
    do not appear to work. Even if I remove all domain users from the
    folder, everyone can still access the folder.
    I have noticed that the "localcomputer\USERS" must have read rights to
    the folder for anyone to be able to access the page. I'm wondering if
    this should be removed and replaced with a different account? Simply
    removing the account generates an error which I am as yet unable to get
    to display.
    Hopefully this makes a little more sense.
     
    , Oct 14, 2005
    #6
  7. Guest

    After playing with the site some more, I found that if I disable
    inheritance on the actual page file and assign the desired NTFS
    permissions, I get the desired result. While this is a suitable
    workaround, I know this should not be the case.
     
    , Oct 14, 2005
    #7
  8. Paul Clement Guest

    On Thu, 13 Oct 2005 13:55:32 -0700, Dominick Baier [DevelopMentor]
    <> wrote:

    ¤ Hello Paul,
    ¤
    ¤ the FileAuthorizationModule which does the access checking for disk files
    ¤ (when <authentication mode="Windows" /> is set) uses the windows token that
    ¤ resulted in IIS integrated authentication. Turning impersonation on for this
    ¤ to work is NOT required.
    ¤
    ¤ the domain users need at least read privileges for the files that should
    ¤ be accessible to them.
    ¤
    ¤ another option is to set resource permissions in web.config by using a <authorization>
    ¤ element.
    ¤

    Hi Dominick,

    Are you saying there is no difference between accessing web application resources and resources
    accessed via code? My understanding was that the latter required that the web app process execute
    under an identity that had sufficient permissions to do so.

    Of course I may have assumed incorrectly that was what he was attempting to do.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Oct 17, 2005
    #8
  9. Hello Paul,

    I am saying that impersonation does not make a difference, because the FileAuthorizationModule
    always uses the impersonation (=client) token to check for resource access.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > On Thu, 13 Oct 2005 13:55:32 -0700, Dominick Baier [DevelopMentor]
    > <> wrote:
    >
    > ¤ Hello Paul,
    > ¤
    > ¤ the FileAuthorizationModule which does the access checking for disk files
    > ¤ (when <authentication mode="Windows" /> is set) uses the windows token that
    > ¤ resulted in IIS integrated authentication. Turning impersonation on for this
    > ¤ to work is NOT required.
    > ¤
    > ¤ the domain users need at least read privileges for the files that should
    > ¤ be accessible to them.
    > ¤
    > ¤ another option is to set resource permissions in web.config by using a <authorization>
    > ¤ element.
    > ¤
    >
    > Hi Dominick,
    >
    > Are you saying there is no difference between accessing web
    > application resources and resources accessed via code? My
    > understanding was that the latter required that the web app process
    > execute under an identity that had sufficient permissions to do so.
    >
    > Of course I may have assumed incorrectly that was what he was
    > attempting to do.
    >
    > Paul
    > ~~~~
    > Microsoft MVP (Visual Basic)
     
    Dominick Baier [DevelopMentor], Oct 17, 2005
    #9
  10. Paul Clement Guest

    On Mon, 17 Oct 2005 10:04:48 -0700, Dominick Baier [DevelopMentor]
    <> wrote:

    ¤ Hello Paul,
    ¤
    ¤ i am saying that impersonation does not make a difference, because the FileAuthorizationModule
    ¤ always uses the impersonation (=client) token to check for resource access.

    OK, gotcha. I was having some trouble keeping my authentication methods straight.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Oct 19, 2005
    #10