using location tag in web.config with custom application pool in I

Discussion in 'ASP .Net Security' started by Pete, Jun 1, 2005.

  1. Pete (Guest)

    Hi,

    I have an ASP.NET account which uses the ASP.NET location authorization tag
    in the web.config to restrict access to the site to authenticated users in
    an AD group. This works wonderfully when using the default application
    pool running with the default NETWORK SERVICE account.

    However, I really wanted to use Integrated access to SQL Server and
    therefore don't really want to use NETWORK SERVICE as the credential to
    access SQL Server.

    So I would rather use a new Active Directory account and use that as the
    application pool account, so when it accesses SQL Server it will use that
    account.

    Note. The new AD Account is pretty much similar to the NETWORK SERVICE
    Account. The account is part of the IIS_WPG group and has the following
    permissions:
    1. Adjust memory quotas for a process
    2. Generate security audits
    3. Log on as a service
    4. Replace a process level token

    These permissions were updated by changing the Local Security settings (from
    the Administrative Tools).

    My understanding is that the Account I created with the updated permissions
    should be able to be used as the Application Pool Account, no problem.

    Unfortunately, this doesn't go according to plan. When I serve up the page
    with the new Application Pool (using the new AD Account), IE keeps prompting
    for my username and password. I enter it, but it never authenticates or
    authorizes.

    Just to test to see if the Application Pool is fine, I allow anonymous
    access to the site and remove all the location tags in the web.config, and it
    works fine.

    I have been stuck trying to get this to work in this manner.
    Theoretically it should work, but I must be missing something. If anybody
    can help, that would be great. I've also attached a copy of the location tag
    bit of the web.config.


    <!-- Public Security Settings -->
    <location path="Problem.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Includes">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Images">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="scripts">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="ConfirmRequest.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <!-- Representatives -->
    <location path="SendAppForm.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Default.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="SubmitDashboards.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="ViewApplicant.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="ListApplicant.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <!-- Secondary Approver -->
    <location path="SecondaryApprover.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <!-- Office IT -->
    <location path="CreateADAccount.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_OfficeIT" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Admin">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_OfficeIT" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <!-- all other security groups -->
    <location path="PopUp.aspx">
      <system.web>
        <authorization>
          <allow roles="TSTDOMAIN\M2006_rep" />
          <allow roles="TSTDOMAIN\M2006_Secondary_Approver" />
          <allow roles="TSTDOMAIN\M2006_OfficeIT" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    <system.web>
      <pages validateRequest="false" />
      <compilation defaultLanguage="c#" debug="false" />
      <customErrors mode="Off" defaultRedirect="Problem.aspx" />
      <authentication mode="Windows" />
      <authorization>
        <deny users="*" />
      </authorization>
      <trust level="Full" originUrl="" />
      <sessionState mode="InProc" />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      <httpRuntime executionTimeout="900" maxRequestLength="12288" />
    </system.web>

    Thanking whoever responds in advance.
     
    Pete, Jun 1, 2005
    #1

  2. Hello Pete,

    have you tried

    <authorization>
      <deny users="?" />
    </authorization>

    instead of

    <authorization>
      <deny users="*" />
    </authorization>


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 1, 2005
    #2
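The two root rules Dominick contrasts differ in whom they match: `*` matches every request, `?` only anonymous ones. Added here as an illustration (not code from the thread or from ASP.NET itself): a small Python model of how ASP.NET's UrlAuthorizationModule checks the rules of a matching `<location>` before the root `<system.web>` rules, first matching rule winning, run over a constructed, abbreviated copy of Pete's web.config wrapped in `<configuration>`. The user names are made up; the role names are the ones from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated form of the thread's web.config (wrapped in <configuration>
# so it parses); ROOT_RULE is swapped between "*" and "?" to compare the two variants.
CONFIG_TEMPLATE = """<configuration>
  <location path="Problem.aspx"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="Default.aspx"><system.web><authorization>
    <allow roles="TSTDOMAIN\\M2006_rep" /><deny users="*" /></authorization></system.web></location>
  <location path="Admin"><system.web><authorization>
    <allow roles="TSTDOMAIN\\M2006_OfficeIT" /><deny users="*" /></authorization></system.web></location>
  <system.web><authentication mode="Windows" /><authorization>
    <deny users="ROOT_RULE" /></authorization></system.web>
</configuration>"""

def _parse_rules(auth_el):
    # (action, users, roles) tuples in document order; users/roles are comma-separated
    split = lambda a, e: [v.strip() for v in e.get(a, "").split(",") if v.strip()]
    return [(el.tag, split("users", el), split("roles", el))
            for el in auth_el if el.tag in ("allow", "deny")]

def load_scopes(root_rule):
    """Return [(location_path, rules), ...]; path None is the root <system.web>."""
    root = ET.fromstring(CONFIG_TEMPLATE.replace("ROOT_RULE", root_rule))
    scopes = [(loc.get("path"), _parse_rules(loc.find("system.web/authorization")))
              for loc in root.findall("location")]
    return scopes + [(None, _parse_rules(root.find("system.web/authorization")))]

def _rule_matches(rule, user, roles):
    # "*" is everyone, "?" is the anonymous user (user is None), names compare case-insensitively
    _, users, rule_roles = rule
    for u in users:
        if u == "*" or (u == "?" and user is None) or (user and u.lower() == user.lower()):
            return True
    return any(r.lower() in {x.lower() for x in roles} for r in rule_roles)

def is_authorized(scopes, request_path, user=None, roles=()):
    """Model of UrlAuthorizationModule: the rules of a <location> covering the path are
    checked before the root rules; the first matching rule decides; no match allows.
    (Locations in this config do not nest, so no deepest-first ordering is needed.)"""
    rp = request_path.strip("/").lower()
    root_rules = next(r for p, r in scopes if p is None)
    ordered = [r for p, r in scopes
               if p is not None and (rp == p.lower() or rp.startswith(p.lower() + "/"))]
    for rules in ordered + [root_rules]:
        for rule in rules:
            if _rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return True
```

With the root rule `deny users="*"`, a page that has no `<location>` entry is denied even to an authenticated group member, whereas `deny users="?"` turns away only anonymous requests; the model covers the authorization rules only and says nothing about why a custom application pool identity would make the browser re-prompt.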
