Timothy H. Schilbach
I have been working on some sample applications to prove new security
enhancements as far as role-based and authorization-based security. I am
using a test Active Directory, forms-based authentication with the form
control, and the AzMan.msc tool to create my roles and the policy XML file I am
accessing. So far everything is going great...
Now my issue is this, maybe someone can shed some light on this. My
AuthUsers.xml file is laid out like so:
<?xml version="1.0" encoding="utf-8" ?>
<AzAdminManager MajorVersion="1" MinorVersion="0" Description="Authorization Store for the AuthUser Application">
  <AzApplicationGroup Guid="7037a5f2-178d-4056-8dad-342f9d5c6c95" Name="Administrator" Description="Datacenter Organizer Administrators" GroupType="Basic">
    <Member>S-1-5-21-3137277063-3307450293-2828318362-1111</Member>
  </AzApplicationGroup>
  <AzApplicationGroup Guid="e8109261-2b4a-4c67-ab22-400f72b9db2a" Name="SecurityAdmin" Description="Datacenter Organizer Security Administrators" GroupType="Basic">
    <Member>S-1-5-21-3137277063-3307450293-2828318362-1110</Member>
  </AzApplicationGroup>
  <AzApplicationGroup Guid="a5de19aa-bbfb-4b2e-8bd0-635fcd7c7193" Name="Auditors" Description="Datacenter Organizer Auditors" GroupType="Basic">
    <Member>S-1-5-21-3137277063-3307450293-2828318362-1108</Member>
  </AzApplicationGroup>
  <AzApplication Guid="16e7da53-4973-40b5-a2d0-2e2e95afcccb" Name="AuthUser" Description="" ApplicationVersion="">
    <AzApplicationGroup Guid="8cd3d253-c302-4875-912e-5a179ba9ad93" Name="Users" Description="" GroupType="Basic">
      <Member>S-1-5-21-3137277063-3307450293-2828318362-1112</Member>
    </AzApplicationGroup>
  </AzApplication>
</AzAdminManager>
Now as you can see I have created an Application called AuthUser and
assigned a Group called 'Users'. The Users group is linked to the Active
Directory Group 'DCO_User'. So far everything works like a charm.
I have 2 users:
1. Tim
2. TestMan
Tim belongs to the DCO_User group, while TestMan does not belong to any
groups. Now I have set my authorization section in my web.config file to be:
<authorization>
  <deny users="?"/>
  <!-- Deny anonymous access to website -->
  <allow roles="Users"/>
  <!-- Allow all users -->
</authorization>
As you can see, the only ROLE allowed is USERS, which links to the DCO_User
AD group. Whenever I authenticate, both users are let in and see the
default.aspx page. While this is nice now that there are no errors, I didn't
want TestMan to get in at all!
So my dilemma is that TestMan is not supposed to be able to access this
application. Any suggestions?
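The following is an added example, not part of the original post. ASP.NET URL authorization walks the rules top-down and stops at the first match; the root configuration appends a final <allow users="*"/>, so an authenticated user who is not in the Users role (TestMan) matches neither posted rule and falls through to that default. A closing <deny users="*"/> makes the section fail closed. The roleManager and connection-string wiring shown here is an assumption about how the post's AzMan store is attached (file path, provider, and loginUrl are assumed values); the role and application names are the post's.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed: the AzMan policy file from the post, stored under App_Data -->
    <add name="AzManStore" connectionString="msxml://~/App_Data/AuthUsers.xml" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />   <!-- assumed login page -->
    </authentication>

    <!-- Role rules in <authorization> only match if a role provider is enabled;
         applicationName must equal the AzApplication Name in the store (AuthUser). -->
    <roleManager enabled="true" defaultProvider="AzManProvider">
      <providers>
        <add name="AzManProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider"
             connectionStringName="AzManStore"
             applicationName="AuthUser" />
      </providers>
    </roleManager>

    <!-- Rules are evaluated in order; the first matching rule decides.
         Without the final deny, an authenticated non-member falls through
         to the root configuration's allow-all rule. -->
    <authorization>
      <deny users="?" />        <!-- anonymous: sent to the login page -->
      <allow roles="Users" />   <!-- members of the Users role (DCO_User): admitted -->
      <deny users="*" />        <!-- every other authenticated user: refused -->
    </authorization>
  </system.web>
</configuration>
```

With this ordering, Tim (in DCO_User) matches the allow rule and TestMan (in no group) reaches the final deny and receives a 401 rather than default.aspx.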