Windows Authentication question

JoeCDaMan

Senior member
Sep 17, 2001
211
0
0
here is the scenario: I have two users for my pc: Administrator and restricted, the latter of which is just a regular user with restricted capabilities. I have two folders on my C drive that I want to work with. accounting and private. The file structure is like this C:\accounting\private so the private dir resides within the accounting folder. I have a .net web app that allows me to browse my file structure. On the IIS virtual directory pointing to my web app I have changed security settings to require a windows login to authenticate a windows user before allowing access to my web app.

What I want to do is restrict access to the private folder for the restricted user. So I did, I went into the security settings for the folder and added the user and denied all access for that user. Next I started the web app logged in as the restricted user and tried browsing the file structure and viewing the folder. I was able to get through unfortunately.

Here's the weird part, on the private folder if I go in a restrict access for the users role and deny them read, write, execution then it works. I am unable to browse that directory from the web app. Unfortunately I am also restricting access for the administrator which I don't want to do.

My thought is that I need to mess with the machine.config file and restrict user roles, however I am not sure if that is right.

If anyone has any thoughts or comments they would be much appreciated.

Thanks in advance.


mikecel79

Platinum Member
Jan 15, 2002
2,858
1
81
I would do this instead. Do not use the Deny rights. It can get messy and it's a pain to troubleshoot later.

Instead set the NTFS rights on the accounting folder however you want them. Now go to the private folder and just remove the restricted account from the list. You will probably have to turn off inheritance on this folder, but when it asks just make a copy of the permissions that are there already and then remove the restricted account from the list. You should not be able to get into that folder by browsing the file system now.

In IIS do you still have anonymous access set up in addition to Windows Authentication? What user account is IIS using for anonymous access, if it's enabled?

JoeCDaMan

Senior member
Sep 17, 2001
211
0
0
Ok here's the deal now:

In IIS I am using basic windows authentication only, using the credentials of the restricted user only.

I set the accounting folder with the permissions that all users are able to access it with read/write access. But all I did was allow the role of administrators and users I never specify specific users.

Now in the private folder by default the user: restrict doesn't show up. What shows up is the Administrator role and the Users role. What I want to do is allow all users except for a specific user to access this folder. That's why I included the restricted user and denied him access to the folder. I was under the impression that if I deny access for a specific user it over-rides any inherited permissions. It seems though that because the restricted user is a member of the group Users that for whatever reason the deny permissions are being over-ridden and the only way that I can remove access for that user is to remove the Users group permissions.

I really was looking for the granularity of setting permissions for specific users.

Again any thoughts would be appreciated.

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
You are correct to think that the NTFS permission being set to DENY will over-ride any other permissions. It's not working in your case...so I would suspect that something is causing IIS to think that you are NOT that user.

So....
Let's test some things.
Assumptions: This is a stand-alone computer, no domain membership.
Folder Permissions:
Accounting: NTFS ACL shows USERS - Full Control, Administrators - Full Control
Accounting\Private: NTFS ACL shows USERS - Full Control, Administrators - Full Control, RestUser - DENY Full Control

Now, test it. Logon as the RestUser and attempt to view the Accounting and Accounting\Private folders. This is just to see if the permissions are being correctly set and implemented.

If that works as expected (RestUser can't view the \Private\ folder) then it must be something in the IIS config.
As posted above...check to see if Anonymous is enabled. Make sure NTLM *is* configured.
If still fails...try this ACL:
Accounting\Private: NTFS ACL shows USERS - Full Control, Administrators - Full Control, RestUser - DENY Full Control, IWAM_servername - DENY Full Control, IUSER_servername - DENY Full Control

Now try IIS again.

UCJefe

Senior member
Jan 27, 2000
302
0
0
You have to remember that your ASP.NET worker process will (by default) always run using the credentials of the local ASPNET account. This is dictated via the username and password attributes in the <processModel> section of machine.config (setting them to "machine" and "AutoGenerate" respectively means you'll use the ASPNET account). What you want to do is use impersonation so that the ASP.NET process runs using the credentials of the user who authenticated. Then all your ACLs will work.

So in your web.config file you need to add (or change) the impersonation element to <identity impersonate="true" />

If you don't use impersonation, the worker process will always run under ASPNET and only the ACLs applying to ASPNET will take effect. Which is why restricting "Users" worked but restricting the individual accounts did not.

UCJefe

Senior member
Jan 27, 2000
302
0
0
Oh, and you should probably read up on ASP.NET impersonation. Here's a quick little MSDN link which talks about what I was trying to explain. Text

JoeCDaMan

Senior member
Sep 17, 2001
211
0
0
wow, ok thanks... I'm gonna be working on the .net app in some fashion this weekend, so I'm gonna take sat and sun to have all this soak in and read the msdn article as well. I'll let you know how things work out on monday, thanks for the help though.

UCJefe

Senior member
Jan 27, 2000
302
0
0
Originally posted by: JoeCDaMan
wow, ok thanks... I'm gonna be working on the .net app in some fashion this weekend, so I'm gonna take sat and sun to have all this soak in and read the msdn article as well. I'll let you know how things work out on monday, thanks for the help though.

Cool. The important thing to keep in mind is that just because IIS authenticated you as a particular user, if you're not using impersonation the process that actually accesses the files runs under the ASPNET account. The IIS authentication just ensures that you can access the site in the first place. In order to propagate the IIS credentials to the aspnet_wp you need to use impersonation.

Post back if you have any questions. :)

JoeCDaMan

Senior member
Sep 17, 2001
211
0
0
Ok UCjefe, what you said made sense and so did the msdn article, now my question is that on the msdn article it says to configure the web.config and turn on impersonation as follows

<identity impersonate="true"
userName="domain\user"
password="password" />


my question is that I don't have an active directory domain that I am authenticating with. I just have local user accounts. what do I put in the userName tag instead of "domain" ?

Thanks for all your help


UCJefe

Senior member
Jan 27, 2000
302
0
0
Originally posted by: JoeCDaMan
Ok UCjefe, what you said made sense and so did the msdn article, now my question is that on the msdn article it says to configure the web.config and turn on impersonation as follows

<identity impersonate="true"
userName="domain\user"
password="password" />


my question is that I don't have an active directory domain that I am authenticating with. I just have local user accounts. what do I put in the userName tag instead of "domain" ?

Thanks for all your help


You only need the username and password if you always want to run the worker process as one particular user. You don't want to do that. You want to run as whatever user authenticated with IIS. So you don't need to use the username and password attributes. Just a note, you don't have to use the domain anyway. If you specify the username and password of a local user, that will work just fine.

Edit: Another good KB article
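To put UCJefe's two answers together (impersonate the IIS-authenticated caller, and leave out the userName/password attributes when you have only local accounts), here is an added example web.config. It is not taken from the thread, from the MSDN article, or from Joe's app; it assumes an ASP.NET 1.x virtual directory on a stand-alone machine with Anonymous access turned off in IIS and the worker process still running as the local ASPNET account, and it uses the thread's folder names and the "restricted" account name only as illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (not the thread's or MSDN's own file).
     Assumptions: IIS virtual directory with Windows (Basic/NTLM) authentication
     enabled and Anonymous access OFF; aspnet_wp.exe running as the local ASPNET
     account per machine.config <processModel>; local, non-domain user accounts. -->
<configuration>
  <system.web>

    <!-- IIS does the authentication; ASP.NET simply trusts the Windows token
         that IIS hands over with the request. -->
    <authentication mode="Windows" />

    <!-- Impersonate the IIS-authenticated user for the duration of each request.
         With NO userName/password attributes the impersonated identity is whoever
         logged in, so file access to C:\accounting and C:\accounting\private is
         checked against that user's token. An explicit DENY ACE for "restricted"
         on the private folder therefore applies to "restricted" and nobody else. -->
    <identity impersonate="true" />

    <!-- Defence in depth: refuse anonymous callers at the ASP.NET layer as well,
         so a stray "Anonymous access" checkbox in IIS cannot route requests
         through the IUSR_servername account instead of the real user. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

  </system.web>
</configuration>
```

Two caveats worth keeping in mind. First, the fixed-identity form from the MSDN snippet (userName="user" password="..." with a local account, no domain prefix required) makes every request run as that single account, which is exactly what defeats per-user NTFS permissions here, and it leaves a cleartext password in web.config; on .NET Framework 1.1 the aspnet_setreg.exe utility exists to move those credentials into an encrypted registry key instead. Second, to confirm which account is really touching the files, a throwaway .aspx page that writes both User.Identity.Name (what IIS authenticated) and System.Security.Principal.WindowsIdentity.GetCurrent().Name (what the request thread is actually running as) makes the difference visible: without impersonation the second one shows MACHINENAME\ASPNET no matter who logged in.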

JoeCDaMan

Senior member
Sep 17, 2001
211
0
0
Thanks UCjefe,

That did the trick, I removed the userName and password attributes, and that did it.

Thanks again!