Newbie: How to ensure only domain admin could use an ASP.NET web page

[Navin Mishra]

Hi,

I've built an administration application using ASP.NET. Now how I could
ensure only domain admin could use the ASP.NET web page ? I tried setting
window autentication for virtual directory security and aspz security and
add domain adminstartor in allowed users in allowed users in web.config.
When browing the aspx page I'm challenged for credentials and though I enter
them all right the authentication fails. Then I tried basic authnetication
using domain as realm and though I could access the page but it is
accessible by all domain users and not only Adminstrator which I want and
added in allowed users list.

What I may be missing ? How it could be accomplished ?

Thanks in advance and regards

Navin

 

[Dominick Baier]

Hi,

when you are adding <allow xxx /> elements to the authorization element,
you also have to explicitly end the list with a <deny users="*" />

read more about it here:

http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx

dominick

 

[Navin Mishra]

Thank you so much...it worked but only with using basic authentication mode
with domain in IIS. If I use windows authentication mode only, then it still
does not work.

 

[Dominick Baier]

what's not working??

You definitely only grant access now to the specified groups...

dominick

 

[Navin Mishra]

It is working on another machine...not sure what is going on with machine on
which it is not working.

BTW how to ensure that users who are in only local adminstrator group could
use the web site ?

Thanks!