Access denied when using active directory groups and windows authentication


David

Hi, I am trying to configure my app using Windows authentication. I
would like to limit access to an Active Directory group but do not want
to implement impersonation. I've set up the config section as follows:

<authentication mode="Windows" />
<authorization>
<allow roles="domainname\groupname" />
<deny users="*" />
</authorization>
<identity impersonate="false" />

I am being prompted for user credentials; however, it is not letting me
in with a valid account. If I change the config section to limit it to an
Active Directory user only, for example <allow users="domainname\username" />,
this setting works just fine. It's very frustrating and I'm hoping I won't
need to open a Microsoft Support ticket. Any suggestions are greatly appreciated.

David
 

Joe Kaplan (MVP - ADSI)

Just out of curiosity, does the group-based authorization work if you enable
impersonation?

I've heard of situations where impersonation needed to be enabled in order
for the SIDs in the user's token to get resolved into friendly names at
runtime, but I have no idea what causes this. That might be the problem
though.

It is also possible you are spelling the group name wrong, but hopefully
that isn't it. :)

Joe K.
 

Patrick.O.Ige

David, as Joe advised, I think you have to enable impersonation.
I have done a similar solution for a company and I had to use impersonation,
unless I am wrong.
I was redirecting users after login in an intranet-based Windows Auth app to
perform authorisation.
Hope that helps
Patrick
 

Dominick Baier [DevelopMentor]

Hello David,

the users additionally need read ACLs on the .aspx pages...
 

David

Thanks for all your help. Setting read rights on the root web folder
for the AD group fixed the problem.
 

David

I was a little hasty in saying that the problem was fixed. As Dominick
mentioned I needed to give the users themselves read permissions on the
web pages. Granting these permissions on the AD groups did nothing.
This does not seem right in my mind as it goes against the advantages
of using groups in the first place. I might just as well add the users
to the web.config directly and not use groups at all.
 

Joe Kaplan (MVP - ADSI)

Back to my original suggestion then: does enabling impersonation fix the
group problem? Is it possible that the users are not actually members of
the group you are using? You might try logging on to the server as one of
the users and trying the whoami command.

Joe K.
 

Dominick Baier [DevelopMentor]

Hello Joe,

impersonation SHOULD not be the problem - the FileAuthorizationModule takes
the token that was produced by IIS authentication to do the ACL check (regardless
of any other settings in ASP.NET).

You can check this identity using the new Request.LogonUserIdentity (2.0
only).

I have written a small page for troubleshooting (2.0 only too):
http://www.leastprivilege.com/ShowContextsUpdatedAgainAndAgain.aspx
 

David

Yup, as you mentioned turning on impersonation does not resolve the
problem. I guess for now I will just suggest adding the users directly
to the web.config (aren't that many anyway) and will put in a better
solution when we upgrade to 2.0 which we are in the process of doing
now. I'll look into the new Request.LogonUserIdentity feature.

Thanks again for all your help
David
 

Joe Kaplan (MVP - ADSI)

Sorry I missed that. There must be something wrong then that is preventing
groups from working correctly.

I definitely recommend checking out Dominick's troubleshooting tools and
perhaps doing whatever else you can to figure out why the user's token
doesn't contain the groups in question or their names aren't resolving.

Is it possible that the groups are domain local and the domain is still 2000
mixed mode? Could they be domain local groups from a different domain?

Joe K.
 

evian_spring

We had this problem. We solved it in two steps (impersonation is not
the solution).

Step 1: the asp.net account needs read and execute on the folder.

Step 2: make sure you **DENY** all other roles.

EXAMPLE:
<allow roles="domain\group" /> <!-- limit to this role -->
<deny roles="*" />

I haven't figured out why the "deny" is needed, but if you do not deny all
others, it does not work.
 

Dominick Baier [DevelopMentor]

Hello (e-mail address removed),

in the global web.config there is an implicit <allow users="*" />,

otherwise no asp.net app would work by default.

Because your local web.config inherits the global one, you have to set the
deny manually.
 

Dominick Baier [DevelopMentor]

Hello David,

you should definitely log on as the user in question and do a whoami /groups
to double-check that the user is indeed in this group (at least from the point
of view of that machine).
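The two checks the thread keeps circling back to, group membership in the logon token (Joe's and Dominick's whoami /groups suggestion) and the NTFS read ACE that FileAuthorizationModule evaluates against that token (Dominick's earlier reply), can be scripted. The following PowerShell is an added example written for this page, not code from the thread or from Dominick's troubleshooting page; the group name DOMAIN\WebAppUsers and the path C:\inetpub\wwwroot\MyApp are assumed placeholders. Run it on the web server while logged on as one of the affected users.

```powershell
# Added troubleshooting script (not from the thread). Run on the web server,
# logged on as an affected user. Assumed placeholders: the AD group
# DOMAIN\WebAppUsers and the web root C:\inetpub\wwwroot\MyApp.
param(
    [string]$Group   = 'DOMAIN\WebAppUsers',
    [string]$WebRoot = 'C:\inetpub\wwwroot\MyApp'
)

# 1. Is the group actually in the logon token? This is the same token view
#    that "whoami /groups" prints. A SID that cannot be resolved to a name is
#    kept as S-1-5-... so it stays visible instead of silently disappearing.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}
$inToken = $tokenGroups -contains $Group
"User     : $($identity.Name)"
"In token : $inToken"
if (-not $inToken) {
    "$Group is not in the token. Verify membership, then log off and on so a" +
    " fresh token is issued; group membership is read at logon, not per request."
}

# 2. Does the NTFS ACL on the web root grant Read to that group? The ACE is
#    matched against the SIDs in the IIS-authenticated token, so a group ACE
#    only helps if step 1 succeeded.
$acl      = Get-Acl -Path $WebRoot
$readAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
"Allow-Read ACEs on $WebRoot :"
$readAces | ForEach-Object {
    "  $($_.IdentityReference)  $($_.FileSystemRights)  inherited=$($_.IsInherited)"
}
$groupHasRead = $readAces | Where-Object { $_.IdentityReference.Value -eq $Group }
"Group has Read : $([bool]$groupHasRead)"

# 3. An explicit Deny ACE beats any Allow, so list those separately; a stray
#    Deny on the user or one of their groups will fail the check even when the
#    two results above are both True.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
    "  DENY $($_.IdentityReference)  $($_.FileSystemRights)"
}
```

If "In token" is False the problem is upstream of ASP.NET entirely (membership, a stale token, or, as Joe raised, a group whose scope or domain keeps it out of the token on this machine); if it is True but "Group has Read" is False, the fix is the ACE on the web root rather than anything in web.config.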
 

Dominick Baier [DevelopMentor]

Hello Joe,

yeah - I should add "whoami /groups" functionality to my test page. Good
idea :)
 

Patrick.O.Ige

I would try removing some read ACLs on some files and try it.
I didn't really think of that because the folder in which the aspx files
were contained had read/write permissions.
Thx for the info guys
Patrick
 