RE: Are domain/machine names required when specifying roles

From: Mark Walker (markwalker42@hotmail.com)
Date: 03/30/03


From: "Mark Walker" <markwalker42@hotmail.com>
Date: Sat, 29 Mar 2003 16:18:55 -0800


Despite the documentation I still have this problem. I've
reproduced it following the steps below:

- create a group called testGroup (don't associate any
users yet).
- create a user called testUser.
- create a default webService project and uncomment
helloworld method in service1.asmx.
- build and test (works like a champ!)
- modify the web.config file to include the following just
under the authentication tag:
    <authorization>
    <allow users="?"/>
    <deny users="*"/>
    </authorization>
- test (access allowed)
- change IIS directory security to disable anonymous
access and allow windows integrated and basic
authentication.
- access web service. Now you are prompted to enter a name
(use testUser). Access will still be denied at this point.
- modify the web.config authorization section to the
following:
    <authorization>
    <allow users="testUser"/>
    <deny users="*"/>
    </authorization>

- now access is denied even though testUser is a valid
user on my machine. But wait there's more...
- prepend the machine name to the user (in my case my
machine name is GECKO) so the authorization section reads
as follows:
    <authorization>
        <allow users="GECKO\testUser"/>
        <deny users="*"/>
    </authorization>
- now I have access.
- just to make sure I remove GECKO from the configuration
and I'm denied again.

While my original problem centered around prepending
roles, this user example shows the same behavior.

If there is a way to remove the machine name dependency,
I'm all ears.

Thanks,
Mark

>-----Original Message-----
>Hello Mark,
>For Windows Defined Roles you can use the WindowsBuiltInRole Enumeration.
>These roles represent the local Windows groups common to most installations
>of Windows NT, Windows 2000 and Windows XP.
>
>Members
>AccountOperator: Account operators manage the user accounts on a computer
>or domain.
>Administrator: Administrators have complete and unrestricted access to the
>computer or domain.
>BackupOperator: Backup operators can override security restrictions for the
>sole purpose of backing up or restoring files.
>Guest: Guests are more restricted than users.
>PowerUser: Power users possess most administrative permissions with some
>restrictions. Thus, power users can run legacy applications, in addition to
>certified applications.
>PrintOperator: Print operators can take control of a printer.
>Replicator: Replicators support file replication in a domain.
>SystemOperator: System operators manage a particular computer.
>
>When you are referring to domain roles (contoso\PowerUser), you must include
>both the domain and user name combination.
>Otherwise as the documentation below is referring you can just use the role
>name:
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp.
>
>Please let me know if you have further questions on this.
>
>
>Thanks,
>Bassel Tabbara
>Microsoft, ASP.NET
>
>This posting is provided "AS IS", with no warranties, and confers no rights.
>
>
>--------------------
>| From: "Mark Walker" <markwalker42@hotmail.com>
>| Subject: Are domain/machine names required when specifying roles
>| Date: Thu, 27 Mar 2003 12:21:26 -0800
>| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>|
>| Is the domain/machine name always required when specifying
>| roles? I can't get it to work without the full
>| specification even though most references imply otherwise.
>|
>| Which way is it supposed to work?
>|
>| How can this be resolved?
>|
>| I would really like to create a standard web.config file
>| using a generic role (other than the builtin\roles) so I
>| don't have to edit to edit the specific machine or domain
>| in the web.config file.
>|
>
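
Added example, not part of the thread and not ASP.NET's own code: a simplified Python model of first-match URL authorization, run over the three <authorization> sections from the post above. It assumes Windows authentication reports the identity name as GECKO\testUser, that names are compared whole and case-insensitively, and that the inherited default is allow users="*"; the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The three <authorization> sections from the post, in the order they were tried.
ANON_ONLY = '<authorization><allow users="?"/><deny users="*"/></authorization>'
BARE_NAME = '<authorization><allow users="testUser"/><deny users="*"/></authorization>'
QUALIFIED = r'<authorization><allow users="GECKO\testUser"/><deny users="*"/></authorization>'

# Assumption: the name the authenticated Windows identity reports to the application.
WINDOWS_IDENTITY = r"GECKO\testUser"


def is_authorized(authorization_xml, identity_name):
    """Return True if access is granted. identity_name is None for anonymous."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag not in ("allow", "deny"):
            continue
        for pattern in (p.strip() for p in rule.get("users", "").split(",")):
            if pattern == "*":        # everyone
                matched = True
            elif pattern == "?":      # anonymous (unauthenticated) requests only
                matched = identity_name is None
            else:                     # whole-name comparison, no partial match
                matched = (identity_name is not None
                           and pattern.lower() == identity_name.lower())
            if matched:
                return rule.tag == "allow"   # first matching rule decides
    return True  # nothing matched: assumed inherited default allow users="*"


def replay_steps():
    """Outcome of each step in the post, keyed by a short label."""
    return {
        "anonymous, allow ?": is_authorized(ANON_ONLY, None),
        "testUser, allow ?": is_authorized(ANON_ONLY, WINDOWS_IDENTITY),
        "testUser, allow testUser": is_authorized(BARE_NAME, WINDOWS_IDENTITY),
        "testUser, allow GECKO\\testUser": is_authorized(QUALIFIED, WINDOWS_IDENTITY),
    }


if __name__ == "__main__":
    for step, allowed in replay_steps().items():
        print(f"{step:34} -> {'allowed' if allowed else 'denied'}")
```

Under these assumptions the model gives the same four outcomes the post reports: the bare name falls through to the deny rule because it never equals the qualified identity name.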
