ASP.NET + IIS6: whitelisted users via authorization section in web.config

Consider an IIS6 application on a website:

  • Windows Authentication is enabled.
  • Anonymous access is disabled.

It's an ASP.NET MVC app with scopes. The root web.config has authentication and authorization nodes as follows:

<authentication mode="Windows"></authentication>

<authorization> 
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>   
</authorization>

      

My identity is NOT on the list of allowed users. Entering the url in the browser, I can view and navigate all pages inside. I know I am being properly authorized as my Active Directory name appears on the site.

Problem: I have been granted access to a site.

Question: Using web.config, how can I restrict users based on their Windows credentials for this IIS6 application?

+2




2 answers


Try the following:



<authorization> 
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>   
    <deny users="*"/>
</authorization>

      

+4




How about adding a deny section after the allow?



<deny users="*" /> 

      

+2
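Why the allow-only section in the question admits every authenticated user, and why the `<deny users="*"/>` suggested in both answers closes it, shown as an added example that is not part of the original posts. It is a simplified Python model of ASP.NET's first-match URL authorization that reads only the `users` attribute; it assumes the inherited machine-level `<allow users="*"/>` default, and `domain\me` in the demo is a constructed account name.

```python
import xml.etree.ElementTree as ET

# Assumption: the machine-level configuration contributes a final <allow users="*"/>.
INHERITED_DEFAULT = [("allow", ["*"])]

# The two <authorization> sections shown on this page.
QUESTION = r'''<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
</authorization>'''
ANSWER = r'''<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
    <deny users="*"/>
</authorization>'''

def parse_rules(authorization_xml):
    """Return [(action, [user patterns])] in document order (roles/verbs ignored)."""
    rules = []
    for el in ET.fromstring(authorization_xml):
        if el.tag in ("allow", "deny") and el.get("users"):
            users = [u.strip().lower() for u in el.get("users").split(",")]
            rules.append((el.tag, users))
    return rules

def is_authorized(rules, user):
    """First matching rule wins; local rules are checked before the inherited one."""
    user = user.lower() if user else None  # None models an anonymous request
    for action, patterns in rules + INHERITED_DEFAULT:
        for p in patterns:
            if p == "*" or (p == "?" and user is None) or p == user:
                return action == "allow"
    return False

def lacks_catch_all_deny(rules):
    """Audit check: an allow-list with no deny users="*" falls through to the default."""
    has_allow = any(action == "allow" for action, _ in rules)
    has_deny_all = any(action == "deny" and "*" in p for action, p in rules)
    return has_allow and not has_deny_all

if __name__ == "__main__":
    for name, xml in (("question", QUESTION), ("answer", ANSWER)):
        rules = parse_rules(xml)
        print(name, "unlisted user allowed:", is_authorized(rules, r"domain\me"),
              "| missing catch-all deny:", lacks_catch_all_deny(rules))
```
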

