P
Paul Bryant
I have a subweb secured with Windows authentication. IIS has anonymous
access disabled & basic auth enabled. The sub folder has acls set to allow
access to a single non-admin user as well as administrators. Upon browsing
to the home of the secured subweb users are prompted to log-in once, and
assuming correct credentials are entered can access the site. When then
non-admin user then follows a link to browse to an aspx page within the
subweb another log-in prompt is displayed.
WEIRD:
If the user enters their username/password the log-in dialog re-appears 3
times then the page is displayed. HOWEVER if they click cancel/press escape
the page IS STILL DISPLAYED.
This only happens from a win2k client, accessing the page from XP works as
expected.
Also, I found that when setting unique permissions on the subweb using the
FPSE admin web pages I lost the ASPNET account permissions, breaking the
application, and had to manually re-add them. This doesn't seem very clever.
As if security wasn't complicated enough with ASP I now have to check ACLs,
IIS settings, FPSE settings AND web.configs, any or all of which can break
the security.
TIA,
Paul Bryant
access disabled & basic auth enabled. The sub folder has acls set to allow
access to a single non-admin user as well as administrators. Upon browsing
to the home of the secured subweb users are prompted to log-in once, and
assuming correct credentials are entered can access the site. When then
non-admin user then follows a link to browse to an aspx page within the
subweb another log-in prompt is displayed.
WEIRD:
If the user enters their username/password the log-in dialog re-appears 3
times then the page is displayed. HOWEVER if they click cancel/press escape
the page IS STILL DISPLAYED.
This only happens from a win2k client, accessing the page from XP works as
expected.
Also, I found that when setting unique permissions on the subweb using the
FPSE admin web pages I lost the ASPNET account permissions, breaking the
application, and had to manually re-add them. This doesn't seem very clever.
As if security wasn't complicated enough with ASP I now have to check ACLs,
IIS settings, FPSE settings AND web.configs, any or all of which can break
the security.
TIA,
Paul Bryant