Howard Hoffman
I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
I've configured the web-site (following directions at
http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
Negotiate access, and the site itself is using Integrated Windows
Authentication and allow-anonymous.
I've added an entry to my local HOSTS file, since there is no real
domain-name (yet) for the web-site DNS. So, my urls look like
http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
(127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I put
it there) as http://*.mysite.com.
I have a local group on the server computer (W2K3) named "Local PAIS
Admins". I have added myself to that group, and logged out of Windows and
logged back in (to the local machine -- the same computer that is hosting
the web site).
In web.config, I have a <location> element for the Admin.aspx page:
<location path="Admin.aspx">
  <system.web>
    <authorization>
      <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even though
I am in that group. I am prompted 3 times for my credentials, and I
enter them correctly. Finally, I get the Access is Denied default error
page, with a 401.2 error.
If I run with the RoleManager element commented out, it works, and I can see
the page.
If I add myself to a BUILTIN group (say, Power Users), and change the above
<location> element to allow only that BUILTIN group, with RoleManager
enabled for the WindowsTokenRoleProvider, it works. Only BUILTIN groups
work though.
I've not ever edited any of the
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
Can someone explain what is happening? Is this a known ASP.NET
WindowsTokenRoleProvider limitation? Am I doing something wrong?
I've a production deployment going on a similarly configured site, and we
need to use local-machine groups.
Thanks in advance,
Howard Hoffman