In my ASP.NET Application, I have an asmx Web Service which is in its own directory. For this WS I have set the basic authentication under IIS 6.0 and put the separate web.config for that folder, with the following nodes:

    <system.web>
      <authorization>
        <allow users="domain\username"/>
        <deny users="*"/>
      </authorization>
    </system.web>    

With settings like these I get Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

when webmethod is invoked with SOAPUI or with browser. If I remove the deny node, any valid user in domain can get a web service response.

Any suggestions how to make it work for one domain user only?

Maybe I should mention also, that authentication in main web.config is set to "Windows".

A: 

Can you post your authentication node? Also can you verify that this is a WCF service? I don't believe active directory auth works on any other service type.

Stephen
no, it is not a wcf, it's asmx.
the berserker
A: 

updated:

Oops, I overlooked the fact that you have a parent involved, my fault. Once permission defaults are set on the parent, you can just set up per-user access to the child web service/app.

The tightest configuration I could set up was the following.

For the parent, I used this barebones setup (nobody is allowed in):

    <?xml version="1.0"?>
    <configuration>
      <appSettings/>
      <connectionStrings/>
      <system.web>
        <compilation debug="true" />
        <authentication mode="Windows" />
        <identity impersonate="true" />
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

Then for the child (web service, in your case), I used this setup (only the DOMAIN\username principal is allowed in):

    <?xml version="1.0"?>
    <configuration>
      <appSettings/>
      <connectionStrings/>
      <system.web>
        <authorization>
          <allow users="DOMAIN\username" />
        </authorization>
      </system.web>
    </configuration>

This resulted in no access at the parent level, but only the given user at the child (web service) level. Also, as you mentioned, setting the authentication mode doesn't work on the child web.config.

Without setting up at least one allow entry at the child web.config, though, nobody can get in, as the parent's deny entry takes precedence.


original

Your settings work for me, but I believe you are missing a few elements.

Try including the impersonation element, make sure the authentication mode is set to Windows, and if deploying for IIS, make sure the IIS location has anonymous access off.

Try the following barebones config, with debug on or off as needed:

    <?xml version="1.0"?>
    <configuration>
        <appSettings />
        <connectionStrings />
        <system.web>
          <compilation debug="true" />
          <authentication mode="Windows" />
          <identity impersonate="true" />
          <authorization>
            <allow users="DOMAIN\username" />
            <deny users="*" />
          </authorization>
        </system.web>
    </configuration>
meklarian
<authentication mode="Windows" /> will make it crash in my case, because it's machine/top level web.config property only. Anyways, I had Anonymous access set on directory level, but I've fixed it... still not working, though
the berserker
Your updated post wouldn't solve my problem either, since parent stuff is the public end-user application. Thanks for the effort anyways
the berserker
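
Added example, not part of the original thread and not ASP.NET's own code: a small Python model of how the `<authorization>` rule sets posted above combine across the child and parent web.config files, to show which principals each combination admits. It assumes the documented evaluation order (most local file first, first matching rule wins, machine-level default `<allow users="*"/>` last) and case-insensitive user names; the function names are hypothetical, and IIS authentication itself (the source of a 401.2) is not modelled.

```python
# Simplified model of ASP.NET URL authorization rule evaluation (added example).
# Assumptions: rules are checked child-first, then parent, then the machine-level
# default <allow users="*"/>; the first matching rule decides; names compare
# case-insensitively. Roles, verbs and IIS authentication are not modelled.

MACHINE_DEFAULT = [("allow", "*")]

def matches(pattern, user):
    """'*' matches everyone, '?' matches the anonymous (unauthenticated) user."""
    if pattern == "*":
        return True
    if pattern == "?":
        return user is None
    return user is not None and pattern.lower() == user.lower()

def is_allowed(user, *config_chain):
    """config_chain lists rule sets from the most local web.config outward."""
    for rules in (*config_chain, MACHINE_DEFAULT):
        for action, pattern in rules:
            if matches(pattern, user):
                return action == "allow"
    return False

# Rule sets copied from the web.config files on this page.
QUESTION_CHILD = [("allow", r"domain\username"), ("deny", "*")]
ANSWER_PARENT = [("deny", "*")]
ANSWER_CHILD = [("allow", r"DOMAIN\username")]

def report():
    # Constructed test principals: the named user, another domain user, anonymous.
    users = [r"DOMAIN\username", r"DOMAIN\other", None]
    cases = {
        "question child, parent without rules": (QUESTION_CHILD, []),
        "question child minus <deny>": (QUESTION_CHILD[:1], []),
        "answer child under deny-all parent": (ANSWER_CHILD, ANSWER_PARENT),
        "empty child under deny-all parent": ([], ANSWER_PARENT),
    }
    return {name: [is_allowed(u, *chain) for u in users]
            for name, chain in cases.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

Each result list is ordered as the named user, a different domain user, and an anonymous request.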