Re: Portal Starter Kit authentication

• Previous message: Cowboy \(Gregory A. Beamer\): "Re: 3des encryption question"
• In reply to: .net user: "Portal Starter Kit authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 19 Dec 2003 18:09:17 -0600

".net user" <msnews.microsoft.com> wrote in message
news:OzbZUHnxDHA.1736@TK2MSFTNGP09.phx.gbl...
>
> can some one point me what i'm doing wrong? I have spent half a day
figuring
> out and totally stuck now.
>
> Here's what I'm trying to accomplish: I am writing a web appl - an
intranet
> portal site (based on the portal starter kit) and I want to apply role
based
> security to the site. - When the users type in the intranet URL, a windows
> logon window would pop up and then users login with their NT credentials.
> Based upon theie level of security they see the tabs on the portal.
> Here's what I have accomplished so far:
> 1. Created new groups on the domain.

Good for windows authentication.

> 2. Turned on the authentication to "windows" in the web.config file of the
> portal site.

Also good for windows authentication.

> 3. Added
> <authorization>
> <allow roles = "doaminname\role1,doaminname\role4" />
> <deny users="*">
> </authorization>
> in the web.config.

Looks fine so far.

> 4. Added the LogOnID to the users table and the exact domain roles to the
> Roles table.

This sounds more like forms based authentication.

> However the wuthentication is not working correctly, the windows logon
> prompt keeps poping.. and the app redirects to the AccessDenied page.
>
> Your kind help is greatly appreciated.

Here are the steps for windows.

1. Add the group in question (either to machine or domain).
2. Add users to group
3. Make sure the user is logging onto the domain
    This is most likely where you problem is

Three options to fix:
1. Have user add domain name before user, like
    USER BOX: DomainName\Username
    PASSWORD BOX: Password

2. Set up the app to use the domain. This a dual edged sword.
   a. Open Internet Services Manager
   b. Goto Directory Security tab
   c. Click the top edit button: Enable Anonymous Access ....
   d. Use Basic authentication (the edge of the sword)
    e. Cllick edit and add the domain name
>Now, try logging on again with the name.
>For the dual edge part. A person logging in can have their logon
compromised.

3. Make a local group(s) on the web server and use it.
    a. Add domain group(s) to local group(s)
    b. Change authentication to use the local group(s), not the domain (in
web.config)

This is standard windows. You add domain users to domain groups and then add
domain groups to local groups for access to the local machine. The rules can
be played a bit different in Active Directory, of course, but this will
still work.

NOTE: You can also add users to the local group and bypass the domain group
addition, if you feel you can manage it there. IN general, I would not
advise this.

I am sure there are others who can come up with even more options.

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
**********************************************************************
Think Outside the Box!
**********************************************************************

• Previous message: Cowboy \(Gregory A. Beamer\): "Re: 3des encryption question"
• In reply to: .net user: "Portal Starter Kit authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]