Authentication problem for roles based

Hi,

I'm having what should be a minor problem but has turned into a 2 day slug
fest with ASP.Net. I am simply attempting to authenticate my asp.net
application users against users in an AD group set up on our domain. It
seems to me I am missing something very simple and obvious, but none of the
MSDN articles I have read are indicating what this might be.

My setup is ASP.Net running on a Windows 2003/IIS 6 server. IIS security
settings are set to Integrated Windows Authentication only.

My web.config details are:

<authentication mode="Windows" />
<authorization>
  <allow roles="domainname\groupname" />
  <deny users="*" />
</authorization>
<identity impersonate="true" />

The problem is that:
1) the application is challenging for a login id/password, and
2) will not authenticate the user even though the credentials supplied
correspond to an existing user in the specified AD group;

BTW: providing an allow users="domainname\username" works just fine.

Thanks in advance for the help.

Nov 18 '05 #1
I've been having the same issue in one of our in-house web applications as
well: Yes it shows your proper AD credentials on the application but when
the server passes these credentials to the AD controller, that's where it
gets confused.

From the articles I've found it appears this is a classic double-hop issue
when the IIS 6 server tries to pass on your credentials to the AD domain
controller. The only workaround we found was to create a very low-security
AD account that we have encrypted the username and password for, and tossed
these credentials into a text file (in the application's directory) for our
application to use.

If you find another solution please share it as I know there are a few
people who'd like to know.

Note: Even nesting AD impersonation with the following code doesn't seem to
alleviate the double-credential hop/passing.

'Impersonate the Windows user running the application
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
Dim ADUserName As String
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()
Try
    'Gather the user's username, authentication type and whether the user
    'is actually authenticated.
    Dim p As System.Security.Principal.IPrincipal
    Dim i As System.Security.Principal.IIdentity
    Dim isAuthenticated As Boolean
    Dim authenticationType As String
    p = System.Threading.Thread.CurrentPrincipal
    i = p.Identity
    isAuthenticated = i.IsAuthenticated       'IsAuthenticated is already a Boolean; no cast to String
    authenticationType = i.AuthenticationType
    'Strip the DOMAIN\ prefix to get the bare account name
    ADUserName = i.Name.Split("\"c)(1)
    'Put code here that runs as the currently logged-in user
    '...
    '...
Catch ex As Exception
    Response.Write(ex.Message)
Finally
    'End impersonation, even if the code above threw
    impersonationContext.Undo()
End Try

Nov 18 '05 #2
TK
If you simply want to secure your web application pages in your intRAnet
environment, I recommend you stick to file-level access control rather
than URL-level access control. My understanding from my past
experience with the authentication and authorization mechanisms in ASP.NET is
that the URL-level access control feature is the best way for intERnet
clients with the Forms Authentication feature. But for intranet clients with
Windows Authentication, the URL-level access control feature just makes things
complex. You can simply control user and/or group (role) based access rights
by setting NTFS file access permissions.

To use the file-level access control feature, change your web.config as
follows.

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<identity impersonate="true" />

Then change the following settings for your web application in the IIS admin
tool.

1. Disable "Anonymous Access".
2. Choose only "Windows integrated authentication".

hth
TK

Nov 18 '05 #3
Jason,

Thanks for the reply. After reading your post I began carrying out my own
research on the double-hop issue and eventually came across this KB article
(http://support.microsoft.com/default...;en-us;810572). It
appeared that the issue may have been one of simple delegation permissions
on the client and on the IIS/App server. It seems that even though the client
was being authenticated via Windows Authentication (Kerberos) on the IIS
server, the IIS server in turn was not permitted to pass on the user's
credentials to the AD controller server for authentication. As a result the
ASP.NET worker process was using its own identity when attempting to get user
credentials from the AD server and was being rejected (that's more our
theory than actual hard fact). According to the KB article the solution is
to enable delegation permissions on both the client and the IIS/App server.
This was not an attractive solution simply due to the number of clients that
would have to be enabled for delegation (maintenance and security
headaches).

In the end I realized there was a better solution all along, simply by
accessing the user's Context.User.Identity.IsInRole method and verifying
against the desired AD group - the standard forehead-slapping moment :-)
Now I'm working toward a nice security model using a shared class structure
that each aspx page will access up front.

Regards,
Chris


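An added example (not code from this thread) of the shared class Chris describes: one helper that every page calls from Page_Load, which answers the group question from the group SIDs already in the caller's Windows token via WindowsPrincipal.IsInRole, so it needs no delegation from IIS to the domain controller. The class and method names and the DOMAINNAME\ReportViewers group are assumptions.

```vbnet
Imports System
Imports System.Web
Imports System.Security.Principal

' Added example (not code from the thread). Centralises the AD group check so
' that no page re-implements it. Names are assumptions for this illustration.
Public NotInheritable Class PageSecurity

    Private Sub New()
    End Sub

    ' True when the caller is a Windows-authenticated user who is a member of
    ' the given AD group ("DOMAIN\Group"). WindowsPrincipal.IsInRole is
    ' evaluated against the group SIDs already in the logon token that IIS
    ' built for the request, so there is no second hop to the domain controller.
    Public Shared Function IsMemberOf(ByVal user As IPrincipal, ByVal groupName As String) As Boolean
        If user Is Nothing OrElse user.Identity Is Nothing Then Return False
        If Not user.Identity.IsAuthenticated Then Return False
        ' Only trust group membership that came from Windows authentication;
        ' any other principal type is treated as not a member.
        If Not TypeOf user Is WindowsPrincipal Then Return False
        Return user.IsInRole(groupName)
    End Function

    ' Call first thing in Page_Load. Ends the request with 403 (not another
    ' login prompt) when the user is authenticated but not in the group.
    Public Shared Sub RequireGroup(ByVal context As HttpContext, ByVal groupName As String)
        If IsMemberOf(context.User, groupName) Then Return
        context.Response.StatusCode = 403
        context.Response.StatusDescription = "Forbidden"
        ' Deliberately do not echo the group name or the caller's identity.
        context.Response.Write("You are not authorised to view this page.")
        context.Response.End()
    End Sub

End Class

' Usage in a page's code-behind; the group name is an assumed placeholder.
Public Class ReportsPage
    Inherits System.Web.UI.Page

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        PageSecurity.RequireGroup(Context, "DOMAINNAME\ReportViewers")
        ' Page logic below runs only for members of the group.
    End Sub
End Class
```

This complements, rather than replaces, the web.config settings in the thread: keep Windows authentication and `<deny users="?" />` in place so unauthenticated callers never reach Page_Load, and use the class for the per-page group decision.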
Nov 18 '05 #4
Sure Chris,

But I have to add that code to my page/pages...the bugger I have had is that
THIS USED TO WORK! I just had an application break on me so it has to be tied
to some Windows Update or service pack.

I built the app a long time ago and it has been running. I "allow" a
specified user list, but "my" access is controlled through a role/NT Security
group. They called me with a bug/feature to add and when I hit the site...I
was challenged for security. After an MS support call we figured out how to
grant me access again (I forgot about the web.config entries) but we could not
explain the change.

I'm confused that this change has not been more clearly noted - or fixed.

Best Regards all,

Mark B

Nov 18 '05 #5
