Re: .Net Authorization and NTFS permissions

From: Yunus Emre ALPÖZEN [MCSD.NET] (yemre_at_msakademik.net)
Date: 05/29/05


Date: Sun, 29 May 2005 20:44:56 +0300

If I clearly understand what you mean, you would like to log requests, and you
want to be aware of whether the user is authenticated or not?

My advice to you is to handle the Application AuthenticateRequest event. Because
Windows authentication is used, the request authentication is done
automatically. You should handle the authentication attempt at the
AuthenticateRequest stage. At this stage the User property is set to null. After
this stage, the User property is set. You can log the client IP or any relevant
information at this stage without using the User property...

Hope I clearly understood what you mean and what you need...

-- 
Thanks,
Yunus Emre ALPÖZEN
BSc, MCSD.NET
"Wade Mebed" <WadeMebed@discussions.microsoft.com> wrote in message 
news:B859D30A-B54F-455F-B7CF-9910DDD08346@microsoft.com...
> We get inconsistent application behavior on Authorization based on NTFS ACL
> Permissions.
>
> We implemented an ASP.NET 1.1 web application using NTFS ACL Authorization,
> and implemented a security audit logging call in the
> Application_AuthorizeRequest event of the Global.asax:
> protected void Application_AuthorizeRequest(Object sender, EventArgs e)
> {
>     AuditLog.LogAccessAttempt();
> }
>
> The audit logging is designed to log access attempts - both authorized and
> unauthorized.  For the web application we use integrated windows
> authentication (this is an intranet application). On the web application
> directory NTFS permissions, we add the roles which are authorized to the
> application.  In the web.config we configure the authentication and
> authorization as follows:
>
>  <authentication mode="Windows" />
>
>  <authorization>
>    <allow users="*" />
>  </authorization>
>
> On the development servers upon which we initially tested, the
> unauthenticated users received 403 HTTP response codes, and their access was
> logged by our audit logging mechanism (the call embedded in the
> Application_AuthorizeRequest).
>
> Then we found that on the QA servers, although the unauthenticated users
> received a 401.3 HTTP response code, the audit logging for unauthorized
> access was not executed.  Debugging showed that IIS never passed control to
> the Application_AuthorizeRequest event. The requests of users who are not
> authorized via NTFS ACL's (yet are authenticated) do not get to the
> Application_AuthorizeRequest event.
>
> We checked that IIS and the NTFS ACL's were configured the same on all
> machines, and that they all ran the same OS and IIS versions: Windows Server
> 2000 SP4 and IIS 5.00.
>
> NTFS ACL's included group that needed access with read, read & execute, and
> list file contents.
>
> Why do we see this inconsistent behavior? 
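
The logging approach suggested in the reply, as an added example that is not code from either poster: the attempt is recorded at AuthenticateRequest without depending on the User property, and EndRequest records any 401 or 403 set inside the pipeline. It assumes the request reaches ASP.NET at all; `WriteAudit` and `Sanitize` are hypothetical helpers standing in for the thread's `AuditLog.LogAccessAttempt()`, and the trace sink is an assumption.

```csharp
// Added example for Global.asax.cs (ASP.NET 1.1 compatible); not the posters' code.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Record every attempt here, without relying on the User property.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        WriteAudit("attempt", HttpContext.Current);
    }

    // EndRequest still fires when an authorization module ends the request
    // early, so a 401 or 403 set inside the pipeline is recorded as well.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        int status = ctx.Response.StatusCode;
        if (status == 401 || status == 403)
            WriteAudit("denied:" + status, ctx);
    }

    // Hypothetical helper: stands in for the thread's AuditLog.LogAccessAttempt().
    private static void WriteAudit(string outcome, HttpContext ctx)
    {
        HttpRequest req = ctx.Request;
        // LOGON_USER is empty for anonymous requests; User may still be null.
        string user = req.ServerVariables["LOGON_USER"];
        if (user == null || user.Length == 0)
            user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
                ? ctx.User.Identity.Name : "(unauthenticated)";
        string line = String.Format("{0:u} {1} ip={2} user={3} url={4}",
            DateTime.UtcNow, outcome, req.UserHostAddress,
            Sanitize(user), Sanitize(req.RawUrl));
        // Assumed sink: any configured System.Diagnostics trace listener.
        Trace.WriteLine(line, "audit");
    }

    // Escape CR/LF so a crafted URL or user name cannot forge extra audit lines.
    private static string Sanitize(string value)
    {
        return value.Replace("\r", "\\r").Replace("\n", "\\n");
    }
}
```

A request that is rejected before it is handed to ASP.NET raises neither event, so those denials have to be taken from the IIS log or Windows object-access auditing instead.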

