0

I'm trying to set up our websites to only allow access from users in certain AD groups using Windows authentication, but I can't seem to make it work. I've tried using IIS's authorization and restricting it to those groups only, but I don't have access from users that are in those groups. This seems like something that's supported, but I can't get it to work.

The pages are completely in .NET as well, so I've tried specifying

<identity impersonate="true"/>
<authentication mode="Windows" />
<authorization>
  <allow users="Domain\ProgramUsers"/>
  <deny users="?"/>
</authorization>

in the web.config but then it allows people in who aren't part of the Program Users group, which doesn't make a lot of sense to me.

Kravlin

2 Answers

1

I think you need to specify:

<deny users="*"/>

At the moment you're blocking access only to non-authenticated users, i.e. regardless of group membership.

0

Try using <allow roles="domain\group"/> instead of <allow users="domain\group"/> like mikrose suggested. It's how we have it set up on some of our internal sites and it seems to be working for us along with the <deny users="*"/> and we do not have impersonate explicitly set.
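
Why the question's rules let every authenticated user in, and why the rules from the two answers do not, as an added example that is not part of either answer: a simplified Python model of ASP.NET URL authorization, in which rules are checked top to bottom, the first match wins, and the inherited machine-level default <allow users="*"/> comes last. The accounts Domain\alice and Domain\bob and the group Domain\Other are constructed sample values.

```python
import xml.etree.ElementTree as ET

# web.config from the question, and the rules the two answers arrive at.
QUESTION_CONFIG = r'''<authorization>
  <allow users="Domain\ProgramUsers"/>
  <deny users="?"/>
</authorization>'''
ANSWER_CONFIG = r'''<authorization>
  <allow roles="Domain\ProgramUsers"/>
  <deny users="*"/>
</authorization>'''
# Inherited machine-level default that is evaluated after the site's own rules.
INHERITED_DEFAULT = '<allow users="*"/>'

# Constructed sample callers: name -> (user name or None if anonymous, AD groups).
CALLERS = {
    "alice": (r"Domain\alice", [r"Domain\ProgramUsers"]),
    "bob": (r"Domain\bob", [r"Domain\Other"]),
    "anonymous": (None, []),
}

def _names(rule, attribute):
    """Split a comma-separated users/roles attribute into lowercase names."""
    return [n.strip().lower() for n in rule.get(attribute, "").split(",") if n.strip()]

def decide(authorization_xml, user, groups):
    """Return 'allow' or 'deny' from the first rule that matches the caller."""
    rules = list(ET.fromstring(authorization_xml)) + [ET.fromstring(INHERITED_DEFAULT)]
    member_of = {g.lower() for g in groups}
    for rule in rules:
        user_hit = any(
            u == "*"                                     # everyone
            or (u == "?" and user is None)               # anonymous only
            or (user is not None and u == user.lower())  # exact user name
            for u in _names(rule, "users")
        )
        role_hit = user is not None and any(r in member_of for r in _names(rule, "roles"))
        if user_hit or role_hit:
            return rule.tag
    return "deny"  # unreachable while the inherited allow-all rule is present

def evaluate_all():
    """Decision for every sample caller under both configurations."""
    configs = {"question": QUESTION_CONFIG, "answers": ANSWER_CONFIG}
    return {label: {name: decide(xml, *who) for name, who in CALLERS.items()}
            for label, xml in configs.items()}

if __name__ == "__main__":
    for label, decisions in evaluate_all().items():
        print(label, decisions)
```

Under the question's rules the group name is compared as a user name, so both signed-in callers fall through to the inherited allow-all rule and only the anonymous caller is denied.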