I am trying to set up an intranet at work that will use our Active Directory
to authorize our users. We also want them to access the site from the
outside (such as at home) and also be authenticated by our Active Directory.
We don't want to set up a separate SQL setup.
I tried to set up my Web.config file like so:
**********************************************************
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<!-- DYNAMIC DEBUG COMPILATION
Set compilation debug="true" to insert debugging symbols (.pdb information)
into the compiled page. Because this creates a larger file that executes
more slowly, you should set this value to true only when debugging and to
false at all other times. For more information, refer to the documentation about
debugging ASP.NET files.
-->
<compilation defaultLanguage="vb" debug="true" />
<!-- CUSTOM ERROR MESSAGES
Set customErrors mode="On" or "RemoteOnly" to enable custom error
messages, "Off" to disable.
Add <error> tags for each of the errors you want to handle.
-->
<customErrors mode="Off" />
<!-- AUTHENTICATION
This section sets the authentication policies of the application.
Possible modes are "Windows", "Forms", "Passport" and "None"
-->
<authentication mode="Windows"/>
<!-- AUTHORIZATION
This section sets the authorization policies of the application.
You can allow or deny access to application resources by user or role.
Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
-->
<authorization>
allow users="*" />
</authorization>
<!-- APPLICATION-LEVEL TRACE LOGGING
Application-level tracing enables trace log output for every page
within an application.
Set trace enabled="true" to enable application trace logging. If
pageOutput="true", the trace information will be displayed at the bottom
of each page. Otherwise, you can view the application trace log by
browsing the "trace.axd" page from your web application root.
-->
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<!-- SESSION STATE SETTINGS
By default ASP.NET uses cookies to identify which requests belong
to a particular session.
If cookies are not available, a session can be tracked by adding a
session identifier to the URL.
To disable cookies, set sessionState cookieless="true".
-->
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="
cookieless="false"
timeout="20"
/>
<!-- GLOBALIZATION
This section sets the globalization settings of the application.
-->
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
</configuration>
***********************************************************
I also set the Web Application to Integrated Windows security.
But when I try to access the first page, it lets me in without asking for my
credentials.
What else do I need to do to get this to work?
Thanks,
Tom
<authorization>
allow users="*" />
</authorization>
This means: access to all users.
Change it to:
<authorization>
allow users="*" />
deny users="?" />
</authorization>
Riki
On Sun, 18 Jun 2006 09:49:57 +0200, Riki wrote:
> <authorization>
> allow users="*" />
> </authorization>
> This means: access to all users.
> Change it to:
> <authorization>
> allow users="*" />
> deny users="?" />
> </authorization>
> Riki
Actually, the deny should be first. The way ASP.NET does things is that it
only processes rules until it reaches one that succeeds. Since you list
allow users="*", which means allow everybody, that rule will be evaluated
first, and since this will succeed, it will not evaluate the second rule to
deny unauthenticated users.
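Added example, not part of the original thread: a simplified Python model of the first-match rule evaluation described above, run against both rule orders and against a config with an unbalanced `</system.web>`. It handles only the `users` attribute (roles and verbs are ignored) and assumes the inherited default is allow; the sample configs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed configs (not from the thread's server): the two rule orders discussed.
WRAP = ("<configuration><system.web><authorization>%s"
        "</authorization></system.web></configuration>")
ALLOW_FIRST = WRAP % '<allow users="*"/><deny users="?"/>'
DENY_FIRST = WRAP % '<deny users="?"/><allow users="*"/>'
# Constructed: a closing </system.web> with no opening tag, as in the posted file.
UNBALANCED = ('<configuration><authorization><deny users="?"/>'
              '</authorization></system.web></configuration>')


def load_rules(config_xml):
    """Return [(action, [user patterns])] in document order.

    Raises xml.etree.ElementTree.ParseError if the file is not well-formed.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    authz = system_web.find("authorization") if system_web is not None else None
    if authz is None:
        return []
    rules = []
    for el in authz:
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",")]
            rules.append((el.tag, [u for u in users if u]))
    return rules


def matches(patterns, user):
    """user is None for an anonymous request, otherwise the account name."""
    for pattern in patterns:
        if pattern == "*":
            return True
        if user is None:
            if pattern == "?":
                return True
        elif pattern.lower() == user.lower():
            return True
    return False


def is_allowed(config_xml, user):
    """Apply the rules top to bottom; the first matching rule decides."""
    for action, patterns in load_rules(config_xml):
        if matches(patterns, user):
            return action == "allow"
    # Assumption: nothing matched, so the inherited default allow applies.
    return True
```

With `ALLOW_FIRST` an anonymous request (`user=None`) is allowed because `allow users="*"` matches before the deny rule is reached; with `DENY_FIRST` it is refused.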
"Erik Funkenbusch" <erik@.despam-funkenbusch.com> wrote in message
news:12s2jeygntc8c.dlg@.funkenbusch.com...
> On Sun, 18 Jun 2006 09:49:57 +0200, Riki wrote:
>
> Actually, the deny should be first. The way ASP.NET does things is that it
> only processes rules until it reaches one that succeeds. Since you list
> allow users="*", which means allow everybody, that rule will be evaluated
> first, and since this will succeed, it will not evaluate the second rule to
> deny unauthenticated users.
I did make the change (there was a small error where it was missing the left
angle bracket) but I am still able to get to the home page without any
logon screen from Windows.
Is there something else I need to do?
Remember, I am at home and trying to log on, so it should be asking me for a
logon.
Thanks,
Tom
On Sun, 18 Jun 2006 21:02:22 -0700, tshad wrote:
> I did make the change (there was a small error where it was missing the left
> angle bracket) but I am still able to get to the home page without any
> logon screen from Windows.
> Is there something else I need to do?
> Remember, I am at home and trying to log on, so it should be asking me for a
> logon.
Your web.config you posted is not valid. For example, you have a closing
</system.web> but no opening one.
It's hard to say what your problems are with incomplete information.
How are you testing, with IIS or with the Cassini webserver from VS2005?
The latter will use the credentials of the logged on user for running
ASP.NET.
Riki
"Riki" <riki@.dontnagme.com> wrote in message
news:%23q9djB3kGHA.1664@.TK2MSFTNGP03.phx.gbl...
> How are you testing, with IIS or with the Cassini webserver from VS2005?
> The latter will use the credentials of the logged on user for running
> ASP.NET.
I am running from IIS on the Windows 2003 Web Server Edition.
Tom
On Mon, 19 Jun 2006 06:32:46 -0700, tshad wrote:
> "Riki" <riki@.dontnagme.com> wrote in message
> news:%23q9djB3kGHA.1664@.TK2MSFTNGP03.phx.gbl...
> I am running from IIS on the Windows 2003 Web Server Edition.
Is the web server a member of the domain?
"Erik Funkenbusch" <erik@.despam-funkenbusch.com> wrote in message
news:1m7ock7oskczg$.dlg@.funkenbusch.com...
> On Sun, 18 Jun 2006 21:02:22 -0700, tshad wrote:
>
> Your web.config you posted is not valid. For example, you have a closing
> </system.web> but no opening one.
> It's hard to say what your problems are with incomplete information.
You're right.
Not sure why I missed that.
It now asks for authentication outside and inside. But there are a couple
of anomalies.
One is that it doesn't ask for the logon on the home page, but it does for
all the other pages. They are all in the same root folder. The home page
is index.htm and not index.aspx - is this the reason?
On the inside (at work) we are already logged onto the network, but it still
asks us to log on.
The other problem is that I and a couple others only have to put in our
logon names and others have to put in the Domain/logon.
Not sure why that is. I can log in outside and inside without the Domain.
Also, for those that try to login and cannot, they get back the website name
as the Domain (which I assume is why their logon fails -
intranet.ft.com/jfranks). But if they put in the actual domain
(ft0/jfranks), it works fine.
Thanks,
Tom
"Erik Funkenbusch" <erik@.despam-funkenbusch.com> wrote in message
news:klcfdn38o5kr.dlg@.funkenbusch.com...
> On Mon, 19 Jun 2006 06:32:46 -0700, tshad wrote:
>
> Is the web server a member of the domain?
Yes.
As I mentioned in my other post a couple of minutes ago, I was missing the
<system.web>, which fixed that problem.
It is part of the Domain. And some can connect without putting in the
domain name and some people have to put the domain name in.
The Domain is (either ft0 or ft.com) and both allow users to logon. But if
a person is not able to logon, it redisplays as intranet.ft.com\jfranks
(which is intranet domain\logon). They then need to put in ft.com\jfranks
or ft0\jfranks to log on.
Tom
Saturday, March 24, 2012
Windows Authorization