Restricted permission on subfolder


Magnus Blomberg

Hello!

I have an intranet website with one unrestricted part (root) and one part in a subfolder which only could be used by some users.
Here is my web.config (almost everything):

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

  <connectionStrings>
    ..........
  </connectionStrings>

  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="true" >
    </roleManager>

    <!--<identity impersonate="true"/>-->

    <authentication mode="Windows"/>

    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>

  <location path="editmode">
    <system.web>
      <authorization>
        <allow roles="pd03\MedarbetareEditors"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>


My idea is that everyone should be able to access all pages in my application root. Only those in the MedarbetareEditors group should be able to access pages in my subfolder "editmode".
I got this to work in my development web where I have an older (beta) of DotNet 2.0. Now I'm using the released version of DotNet 2.0.

Looking in IIS I have DotNet version 2.0.50727. For the application root I have anonymous users and Integrated Windows Authentication enabled. For the editmode folder I have only Integrated Windows Authentication enabled.

I use the address or the client IE sites set up so that the client sees the site as Local Intranet. Everything works when accessing the root pages, but when accessing the subfolder pages I get a logon question, and using an AD account which is a member of the pd03\MedarbetareEditors group doesn't give the access to the pages.

What could be wrong???
Regards Magnus
 

Winista

Enabled this line..

<identity impersonate="true"/>
 

Winista

Because if you don't turn impersonation on, then your worker process is
going to run under ASPNET process. The thread will not impersonate as the
Windows user.
 

Dominick Baier [DevelopMentor]

Hi,

I am not sure - I would check the NTFS ACLs on the files in the subfolder
- if the group in question has read access.

I was just curious in which way you think impersonation will change the behaviour
of asp.net in regards to authorization?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I guess we all will be more interested in hearing your EXPERT VIEWS on
this topic.

which has nothing to do with authorization...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Because if you don't turn impersonation on, then your worker process
is going to run under ASPNET process. the thread will not
impersonate as the windows user.

"Dominick Baier [DevelopMentor]"

why?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
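A diagnostic for the question debated above, added here as an example and not code from any poster in the thread: an HttpModule that logs, for requests under editmode, the principal the authorization rules are matched against next to the OS identity the thread runs as. The class name, log path and module registration are assumptions; the folder and group come from the question's web.config.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added diagnostic (hypothetical class name), not code from the thread.
// Place in App_Code and register in web.config under <system.web>:
//   <httpModules><add name="AuthzDiag" type="AuthzDiagModule"/></httpModules>
public class AuthzDiagModule : IHttpModule
{
    // Folder and group as given in the question's web.config.
    const string ProtectedPrefix = "~/editmode/";
    const string RequiredRole = @"pd03\MedarbetareEditors";
    // Assumed log location; the account running the request must be able to write here.
    const string LogFile = "~/App_Data/authz-diag.log";

    public void Init(HttpApplication app)
    {
        // EndRequest still fires when authorization ends the request with 401.
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    public void Dispose() { }

    static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return;
        try
        {
            // ctx.User is the principal the <allow>/<deny> rules are matched against.
            IPrincipal user = ctx.User;
            string who = "(anonymous)", kind = "-", inRole = "-";
            if (user != null && user.Identity.IsAuthenticated)
            {
                who = user.Identity.Name;
                kind = user.GetType().FullName;   // which principal class answers IsInRole
                inRole = user.IsInRole(RequiredRole).ToString();
            }
            // OS identity of the thread: this is what <identity impersonate="true"/> changes.
            string thread = WindowsIdentity.GetCurrent().Name;
            string line = string.Format(
                "{0:s} {1} status={2} user={3} principal={4} inRole={5} thread={6}{7}",
                DateTime.Now, path, ctx.Response.StatusCode, who, kind, inRole,
                thread, Environment.NewLine);
            File.AppendAllText(ctx.Server.MapPath(LogFile), line);
        }
        catch (Exception) { /* the diagnostic must never break the request */ }
    }
}
```

Comparing the log with the impersonation line commented out and then enabled shows whether `user`, `principal` and `inRole` change at all, or only `thread`.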
 
