authentication: deny users=* problem

Dan

hi ng.

I have a strange behaviour when I want to control who can access a web
application by setting web.config like:
<authorization>
<allow users="DOMAIN\ACCOUNT,..." />
<deny users="*" />
</authorization>

The authorization is working fine, but the user receives the standard
"The page cannot be displayed"
error page,
whereas when the authorization check is disabled, everything is working
fine.

My IIS settings are:
allow anonymous access
integrated windows authentication enabled

I have no idea what could be wrong.
Thanks a lot,
Dan
 
Norman Yuan

It looks to me that your <allow... /> and <deny.../> in web.config do not
make sense: first you want to allow access for users in a domain, then you
deny access to ALL USERS, so that your ASP.NET app cannot be accessed by
anyone. If you want to block anonymous users, it should be
<deny users="?" />. But the better way to deny anonymous access is to simply
uncheck "Anonymous access" in the IIS settings for the ASP.NET application.
 
Jos

Norman said:
It looks to me that your <allow... /> and <deny.../> in web.config
do not make sense: first you want to allow access for users in a
domain, then you deny access to ALL USERS, so that your ASP.NET app
cannot be accessed by anyone. If you want to block anonymous users,
it should be <deny users="?" />. But the better way to deny anonymous
access is to simply uncheck "Anonymous access" in the IIS settings for the
ASP.NET application.

I'll have to disagree here Norman.
Dan's configuration is 100% OK. See also:
http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp

The rule here is that the authorization block is checked
from top to bottom, and the first match is the one that counts.

But I agree with you that disabling "Anonymous access" would
solve Dan's problem.

Dan, you're using the ASPNET account for anonymous
access, which subsequently will be refused access.
Disabling anonymous access will solve this problem.
 
Steven Spits

Norman said:
It looks to me that your <allow... /> and <deny.../> in web.config do not
make sense: first you want to allow access for users in a domain, then you
deny access to ALL USERS, so that your ASP.NET app cannot be
accessed by anyone.

This is not true, his web.config does make sense!

From MSDN:

"At run time, the authorization module iterates through the <allow> and
<deny> tags until it finds the first access rule that fits a particular
user. It then grants or denies access to a URL resource depending on whether
the first access rule found is an <allow> or a <deny> rule."

If a user cannot log in, his account doesn't match the one you specified in
your <allow> block.

Steven

- - -
 
Dan

Thanks for your support, but the problem was that my domain settings were
wrong.
The settings do make sense: I can control which domain user gets access
to the application.
deny=? would mean that every user authenticated by Active Directory gets
access.

Dan
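
The first-match rule quoted from MSDN in this thread, as an added example that is not part of any poster's message: a simplified Python model of how <allow>/<deny> user rules are evaluated (roles and verbs omitted). It goes slightly beyond the thread by also showing the reversed rule order; the account names, the function names and the trailing inherited <allow users="*" /> default are assumptions of the model.

```python
# Simplified model of ASP.NET URL authorization: users only, no roles/verbs.
# An identity of None stands for an anonymous (unauthenticated) request.
# All account names are constructed for illustration.

# Assumption of this model: the machine-level configuration contributes a
# final <allow users="*" />, so a request no rule matches is granted.
INHERITED_DEFAULT = [("allow", "*")]

def parse_users(value):
    """Split a users="a,b,c" attribute into normalized entries."""
    return [u.strip().lower() for u in value.split(",") if u.strip()]

def rule_matches(users_attr, identity):
    for entry in parse_users(users_attr):
        if entry == "*":                 # every request, anonymous included
            return True
        if entry == "?":                 # anonymous requests only
            if identity is None:
                return True
        # Assumption: account names are compared case-insensitively.
        elif identity is not None and entry == identity.lower():
            return True
    return False

def authorize(rules, identity):
    """Walk the rules top to bottom; the first rule that matches decides."""
    for action, users_attr in rules + INHERITED_DEFAULT:
        if rule_matches(users_attr, identity):
            return action == "allow"
    return False

# The configuration from the question: one account allowed, everyone else denied.
ALLOW_THEN_DENY_ALL = [("allow", r"DOMAIN\ACCOUNT"), ("deny", "*")]
# The alternative raised in the replies: only anonymous requests are denied.
DENY_ANONYMOUS = [("deny", "?")]
# Same rules as the question but reversed: deny "*" matches first for everyone.
DENY_ALL_THEN_ALLOW = [("deny", "*"), ("allow", r"DOMAIN\ACCOUNT")]

if __name__ == "__main__":
    for name, rules in [("allow-then-deny-all", ALLOW_THEN_DENY_ALL),
                        ("deny-anonymous", DENY_ANONYMOUS),
                        ("deny-all-then-allow", DENY_ALL_THEN_ALLOW)]:
        for who in (r"DOMAIN\ACCOUNT", r"DOMAIN\OTHER", None):
            verdict = "granted" if authorize(rules, who) else "denied"
            print(f"{name:20} {str(who):16} {verdict}")
```

With anonymous access enabled in IIS the request reaches the rules without a domain identity, which corresponds to the None rows.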
 
