Authorization using Windows Authentication

DK

I have an intranet application I've built using ASP.NET 3.5, running on
IIS6.

I want to use BUILTIN groups on the server that contain domain users. So I
set up my web.config like so for example:
<authorization>
  <allow roles="BUILTIN\Intranet_Admin"/>
  <!--<allow roles="GNB\archivesemp"/> works-->
  <!--<allow users="GNB\dking"/> works-->
  <deny users="*"/>
......

Using BUILTIN roles, when accessing the app, a Windows pop-up appears asking
for a user name and password. Why, and how can I get around this?

Using domain users or groups works fine.

Thanks.
 
When an app requires Windows authentication, IIS sends a challenge to
the browser asking for credentials. If your remote client is logged in
to the domain and the app is located on the local intranet/trusted
site, the browser (IE specifically, others do not do that) sends back
the client's NT authentication token. IIS accepts and verifies it
against the domain, and then lets the user in without asking for a
logon.

In your case you're only letting the BUILTIN\Intranet_Admin group in. That
group is local to the server where IIS is located. While your client
user may be a part of this group, IIS does not perform
authentication against the domain for this group, therefore your
client's domain token is no good.

Perhaps I am not quite correct about the semantics here, but that's, I
believe, what happens.
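
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original posts: it lists the group names a Windows token actually carries and evaluates candidate role strings with IsInRole, so the value in <allow roles> can be compared with what the token contains. The class name, the machine-qualified candidate and the use of WindowsIdentity.GetCurrent() are assumptions; inside the web application the identity to pass would be the request's HttpContext.Current.User.Identity.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added diagnostic (hypothetical class name); not code from the thread.
public static class RoleDiagnostics
{
    // Account names for every group SID in the token, e.g. "BUILTIN\Users".
    public static List<string> GroupNames(WindowsIdentity identity)
    {
        var names = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
        {
            try { names.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(sid.Value); } // unresolvable SID
        }
        return names;
    }

    // Role check as a WindowsPrincipal evaluates it for a role string.
    public static bool InRole(WindowsIdentity identity, string role)
    {
        return new WindowsPrincipal(identity).IsInRole(role);
    }

    public static void Main()
    {
        // In the web application, pass (WindowsIdentity)HttpContext.Current.User.Identity instead.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("Token for {0} carries:", identity.Name);
            foreach (string name in GroupNames(identity))
                Console.WriteLine("  " + name);

            string[] candidates =
            {
                @"BUILTIN\Intranet_Admin",                     // string from the web.config in the question
                Environment.MachineName + @"\Intranet_Admin",  // assumption: machine-qualified local group name
                @"BUILTIN\Users"                               // well-known built-in group, for comparison
            };
            foreach (string role in candidates)
                Console.WriteLine("IsInRole({0}) = {1}", role, InRole(identity, role));
        }
    }
}
```

A role string that resolves to no account makes IsInRole return false, which the `<deny users="*"/>` rule then turns into a denied request.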
 