allow groups with Forms Authentication

rmac

I am testing forms authentication against Active
Directory. I want to limit access to the site based on
Windows groups. The app is working but it allows anyone
with a domain account access which is undesirable. I
followed the Microsoft KB article 326340. Here is the
entry in my web.config:

<authorization>
    <allow roles="domainname\group" />
    <deny users="?" />
</authorization>

Does anyone know how to accomplish this?

Thanks
rmac
 
Brad

You would want to change the <deny users="?"> to <deny users="*">.
Role checks are top down. If the first check passes they're in. In your
example any authenticated user would also pass the next test; <deny
users="?"> just denies unauthenticated users.
By changing to <deny users="*">, if they don't pass the first test they
won't get in because the * says deny everyone. They will get a network
login dialog box, but no matter what they enter into the login dialog it will
fail with an access denied... well, that is unless they enter a login that
is a member of the group you allow in.

Also, if you wanted to provide a "polite" access denied result, i.e. send
them somewhere else such as your own error page, you could alternatively just
set <deny users="?"> (removing your current allow test) and then, in your
global.asax code, test whether the user is in a permitted role, else send them
somewhere else.

Example
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Authenticated users who are NOT in the permitted group get sent to the
    ' no-access page; the URL check stops the no-access page redirecting to itself.
    If Request.IsAuthenticated AndAlso Context.User.IsInRole("domainname\group") = False Then
        If Request.Url.ToString().IndexOf("mynoaccesspage") < 0 Then
            Response.Redirect("mynoaccesspage")
        End If
    End If
End Sub


Hope this helps some

Brad
 
rmac

Brad,

I have tried the method you mentioned. I am not able to
check the roles. If I put in code on the requested page to
check for the group I come up empty. Ex:

If Context.User.IsInRole("domainname\group") = True Then
    lblName.Text = "Hello " & Context.User.Identity.Name & "."
End If

The label text is empty.

If I do this and deny unauthenticated users in the
web.config:

If Request.IsAuthenticated = True Then
    lblName.Text = "Hello " & Context.User.Identity.Name & "."
End If

the label shows the user name.

In my web.config file if I do this:

<allow users="domain\group" />
<deny users="*" />

I cannot login no matter what account I use.

Am I missing something?

Thanks
rmac
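An IsInRole check that always comes back False under forms authentication usually means the forms ticket restored the user name but nothing attached the user's groups as roles. The KB 326340 approach rebuilds the principal from the ticket in Application_AuthenticateRequest; the following is an added example of that step (not code from this thread), assuming the login page wrote the user's group names into the ticket's UserData separated by "|":

```vbnet
' Global.asax.vb (added example). Assumes the login page issued a
' FormsAuthenticationTicket whose UserData holds the AD group names
' separated by "|", e.g. "domainname\group|domainname\othergroup".
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Forms authentication only restores the name from the ticket; unless a
        ' principal carrying roles is attached here, IsInRole is always False and
        ' <allow roles="..."> in web.config can never match.
        Dim cookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then
            Return ' anonymous request: leave Context.User untouched
        End If

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return ' tampered or undecryptable cookie: treat as unauthenticated
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then
            Return
        End If

        ' Split the stored group list; drop empty entries so a trailing "|"
        ' cannot produce an empty role name.
        Dim roles As String() = ticket.UserData.Split(New Char() {"|"c}, _
            StringSplitOptions.RemoveEmptyEntries)

        ' GenericPrincipal is what IsInRole and URL authorization consult.
        Dim identity As New GenericIdentity(ticket.Name, "LdapAuthentication")
        Context.User = New GenericPrincipal(identity, roles)
    End Sub
End Class
```

With roles populated this way, the web.config pair <allow roles="domainname\group" /> followed by <deny users="*" /> admits only group members, because the first matching rule wins and everyone else falls through to the deny.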
 