Re: Windows Domain Groups in Authorization section sans AD

From: Greg Burns (greg_burns@hotmail.com)
Date: 01/21/03


From: "Greg Burns" <greg_burns@hotmail.com>
Date: Tue, 21 Jan 2003 10:00:57 -0500


Sorry Mike, I just noticed that too. I should have said something.

BTW, your test:

<allow users="BUILTIN\Administrators" />

should fail. Administrators is a group. Shouldn't this be...

<allow roles="BUILTIN\Administrators" />

Anyways, I am not sure what I did, but everything is working fine now.

Let me tell you the changes I made and see if anything sets off a red flag. :^)

While trying to solve another problem (connecting to a SQL server on a box
other than the web server), I followed the advice in the article link you
sent
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp

Under the section, "Using the ASP.NET Process Identity", I set up a mirror
ASPNET account on my SQL server.

I chose not to create a domain ASPNET account, because when I tried that in
my machine.config nothing would run. The domain user, ASPNET, didn't have
the same rights as the local ASPNET user ("machine"). (I'm sure there is a
way to deal with this, but seems like a lot of work!)

Surprisingly I can now use Integrated Security=SSPI in my connection
strings. Web apps connect to SQL with the SQL box's own local ASPNET
account, not the web server's local ASPNET account! This really surprised
me, I didn't think this would work this way.

Anyways that solved my connecting to SQL problem. Next, I needed to read a
directory which happened to reside on a DC. Since you cannot create local
accounts on a DC, I went ahead and created a domain user called "ASPNET" with
the same password that I set on the Web server and SQL server.

Surprisingly, this worked too. Now I can read files off of my DC.

I just tried deleting the domain ASPNET account I had created, thinking this
had something to do with the groups thing starting to work. But this did
not change anything, using <allow roles="MYDOMAIN\group" /> continues to
work. I guess that is a good thing :^)

I have no idea what specifically made the difference.

Thanks for your time and interest,
Greg

"Mike Moore [Microsoft]" <michmo@online.microsoft.com> wrote in message
news:O0V1TGQwCHA.648@cpmsftngxa06...
> Hi Greg,
>
> I just noticed that both Luke and I are working on your issue, but in
> different newsgroups.
>
> As I wrote on Friday, I've reproduced your problem here and I'm
> investigating. I thought I would have more for you today, but I will have
> to get back to you tomorrow.
>
> ---
> Here is what I have reproduced:
>
> I tried using User.IsInRole in the code-behind for an ASPX page:
> This returns true: User.IsInRole("BUILTIN\Administrators")
> This returns false: User.IsInRole("MyMachine1\Administrators")
> [MyMachine1 is the machine name for the ASP.NET server I'm using]
>
> Then I set authorization as follows and it failed:
> <allow users="BUILTIN\Administrators" />
>
> Thank you, Mike Moore
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no
> rights.
>
> --------------------
> >From: lukezhan@online.microsoft.com (Luke Zhang [MS])
> >Organization: Microsoft
> >Date: Mon, 20 Jan 2003 14:37:49 GMT
> >Subject: Re: Windows Domain Groups in Authorization section sans AD
> >Newsgroups: microsoft.public.dotnet.framework.aspnet
> >
> >I performed a quick test and I found I get the same result. After this, I
> >changed the virtual folder's Directory Security in IIS manager: Disable
> >Anonymous access and only select Basic Authentication, after this it seems
> >to work in the way. When you test this, it is recommended to reboot your
> >server after all modification.
> >
> >
> >Luke
> >
> >(This posting is provided "AS IS", with no warranties, and confers no
> >rights.)
> >
> >
>
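
A diagnostic for the `IsInRole` mismatch reproduced in the quoted message (an added example, not code from the thread or from Microsoft): it lists the group names carried in a Windows token and shows which spellings `IsInRole`, and therefore `<allow roles="..." />`, will accept. It assumes Windows and .NET Framework 2.0 or later for `WindowsIdentity.Groups`; the class name `RoleProbe` is made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added diagnostic, not from the thread. RoleProbe is a hypothetical name.
static class RoleProbe
{
    // Returns the DOMAIN\name form of every enabled group SID in the token.
    // A group belongs in roles="...", never in users="...".
    public static List<string> GroupNames(WindowsIdentity id)
    {
        var names = new List<string>();
        if (id.Groups == null) return names;   // identity without a token
        foreach (IdentityReference sid in id.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Group was deleted or cannot be resolved: keep the raw SID.
                names.Add(sid.Value);
            }
        }
        return names;
    }

    static void Main()
    {
        // Inside a page using Windows authentication, pass
        // (WindowsIdentity)User.Identity instead of the process identity.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(id);

        Console.WriteLine("Identity: {0} (auth type: {1})", id.Name, id.AuthenticationType);
        foreach (string name in GroupNames(id))
            Console.WriteLine("  {0,-45} IsInRole={1}", name, principal.IsInRole(name));

        // The two spellings compared in the thread, plus the enum-based check.
        string local = Environment.MachineName + @"\Administrators";
        Console.WriteLine(@"BUILTIN\Administrators -> {0}", principal.IsInRole(@"BUILTIN\Administrators"));
        Console.WriteLine("{0} -> {1}", local, principal.IsInRole(local));
        Console.WriteLine("WindowsBuiltInRole.Administrator -> {0}",
            principal.IsInRole(WindowsBuiltInRole.Administrator));
    }
}
```

Run it under the account the request actually executes as, since the process identity and the authenticated user differ when impersonation is off.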


