I'm having a nightmare creating my first Window Authenticated app... There is a lot of documentation available on the web but despite trying to follow the most common approaches, I'm still limping along.
My requirements are initially very simple: I have a page for viewing records (in a separate SQL Server), which I want any authenticated user to be able to view - and I have an entry page that I want to restrict to members of a particular Active Directory group.
I have app set-up on my Win 7 development machine, my Server 2008 R2 development server, and the live Server 2003 R2 machine. I've been tinkering with all three installations for a few days so there may be some change or setting that I omit to mention, but as far as I know, this is my current configuration:
- IIS set to IWA, AA disabled
- Authenticated Users group provided Read/Execute NTFS permissions
<authentication mode="Windows" />in Web.config<authorization><deny users="?"/></authorization>in Web.config<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>- I've manually specified a
<machineKey...>in Web.config (to cure a 'Validation of ViewState MAC' error). - The application runs in it's own Application Pool, and uses a generic AD user ('IISDomainUser') as its identity
- IISDomainUser has been added to the local IIS_WPG group on Server 2003 and the local IIS_IUSRs group on Win 7/Server 2008.
I'm using the following code to confirm that the user is in the 'Editors' AD group:
Dim User As System.Security.Principal.IPrincipal = System.Web.HttpContext.Current.User If Not User.IsInRole("HEXADEX\Vacancy Editors") Then Response.Redirect("vacancies.aspx") End If
Currently, it appears that the live server is working OK, as far as I can tell, which is and unusual blessing! Remote users can browse the listing page, and can download files from each listing (word or PDF docs).
However, although the apps for locally on the development machines, I can't access either site from any remote pc - I get a prompt to enter my username and password, which ends up in a 401 Access Denied message. As far as I can tell, the key configuration on each machine is the same...
In some respects, I could just live in ignorance, since the live server is working, and I can continue develop locally on each machine, but I'd rather get to the bottom of this.
Am I missing something with regards to the two non-working installations? Or have I done something extra that I shouldn't have done? Or is it an issue to do with the differences in platform that Win 7 and Server 2008 have in common?