setting web site permissions

1 Jul 2005 7:37 PM

Bob Weiner

I'm going nuts trying to set the permissions on an ASP.Net web site. This
is my first application and I need to make it available to our help desk but
want to limit access to only this group of people. I hate to post such a
straight-forward academic question but I have looked in the help files,
google, technet and can't figure out what I'm doing wrong. I start a
vacation in one hour (I hope) so i'm rushing like mad trying to figure this
out.

Basically, the question is just how? If I authenticate with a domain admin
account everything works fine but when I try to grant permissions to anyone
else, it fails. Currently

* the directory security is set to basic authentication with a domain
name set,
* the permissions on the web site are the default plus one test user to
which I granted full control. These were propagated to the NTFS permissions
on the home directory folder,
* The web.config is default which has
<authentication mode="Windows">
<authorization> <allow users="*" /> </authorization>

I've been monkeying with the settings for a while now and nothing helps.
What is the right approach? Should I be focusing on the web site or the
web.config? Even a simple howto paper would be great.

thanks,
bob

4 Jul 2005 6:01 AM

Ken Schaefer

There's a couple of steps involved, and a two part process:

a) authentication
b) impersonation <- affects authorization

In your web.config, you are not impersonating, so ASP.NET does not assume
the identity of the user account supplied by the end user. Instead, ASP.NET
continues to use it's own account for actual file system access. So, NTFS
permissions need to be granted to whatever process ASP.NET is using (e.g.
default are: Machine\ASPNET on IIS5/5.1 and NT Authority\Network Service on
IIS6).

So:
a) you are telling ASP.NET to use Windows Authentication (which means user
has to supply valid Windows credentials)

b) in IIS you choose the mechanism that credentials should be carried from
client to server (so, disable "Allow ANonymous Access", and enable Basic
and/or Digest and/or Integrated Windows Authentication)

c) In web.config choose either to enable impersonation (in which case you
need to configure NTFS permissions for each user/group that's allowed
-or-
In web.config choose which users/groups should be allowed access (e.g. via
<allow users=""> tag). Grant the default ASP.NET account NTFS permissiosn to
the file.

If that doesn't work, please post the exact error you are running into

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Show quoteHide quote

"Bob Weiner" <b**@engr.uconn.edu> wrote in message
news:uL3TiRnfFHA.3656@TK2MSFTNGP09.phx.gbl...
: I'm going nuts trying to set the permissions on an ASP.Net web site. This
: is my first application and I need to make it available to our help desk
but
: want to limit access to only this group of people. I hate to post such a
: straight-forward academic question but I have looked in the help files,
: google, technet and can't figure out what I'm doing wrong. I start a
: vacation in one hour (I hope) so i'm rushing like mad trying to figure
this
: out.
:
: Basically, the question is just how? If I authenticate with a domain
admin
: account everything works fine but when I try to grant permissions to
anyone
: else, it fails. Currently
:
: * the directory security is set to basic authentication with a domain
: name set,
: * the permissions on the web site are the default plus one test user to
: which I granted full control. These were propagated to the NTFS
permissions
: on the home directory folder,
: * The web.config is default which has
: <authentication mode="Windows">
: <authorization> <allow users="*" /> </authorization>
:
: I've been monkeying with the settings for a while now and nothing helps.
: What is the right approach? Should I be focusing on the web site or the
: web.config? Even a simple howto paper would be great.
:
: thanks,
: bob
:
: