Help with IIS Security
-
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
Yes, IIS can, but IIS would be filtering to the application, not to SQL Server. Remember IIS is just a container for the application. IIS doesn't talk to SQL Server, the app does.
I only need it to filter to the application.
-
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
Yes, IIS can, but IIS would be filtering to the application, not to SQL Server. Remember IIS is just a container for the application. IIS doesn't talk to SQL Server, the app does.
I only need it to filter to the application.
You had mentioned SQL Server and "specific view". You don't want to determine application behaviour based on AD membership?
-
@scottalanmiller View is referring to a Web page. So the Application Pool is running as a service account, that account has access to the database. The user does not have access to the database. I just need to be able to say users in X group are denied access to X.html or http://test.com/Action/Index.html
-
@s-hackleman said in Help with IIS Security:
@scottalanmiller View is referring to a Web page. So the Application Pool is running as a service account, that account has access to the database. The user does not have access to the database. I just need to be able to say users in X group are denied access to X.html or http://test.com/Action/Index.html
Oh, that's just access vs. no access, nothing like a 'view'. So you just want basic IIS access controls?
-
For IIS Access Controls by AD Group...
Edit web.config
<configuration> <location path="MyPage.aspx/php/html"> <system.web> <authorization> <allow users="DOMAIN\Domain Admins"/> <deny users="DOMAIN\Domain Users"/> </authorization> </system.web> </location> </configuration> -
The full directory is C:\folder\site\views\admin\Index.cshtml and the webpath is http://hostComputer:8080/Admin/Index. From what I have read the system.web was deprecated in IIS 6, and it is now system.webserver. I have tried this, but it isn't working.
<location path="Admin"> <system.webServer> <security> <authorization> <allow roles="GRP_Admins" /> <deny roles="*" /> </authorization> </security> </system.webServer> </location> -
I believe the syntax in the system.webserver namespace is a bit different and as follows:
<system.webServer>
<security>
<authorization>
<add accessType="Allow" roles="WHATEVER" />
<add accessType="Deny" users="WHATEVER" />
</authorization>
</security>
</system.webServer> -
@kimberlin said in Help with IIS Security:
I believe the syntax in the system.webserver namespace is a bit different and as follows:
<system.webServer>
<security>
<authorization>
<add accessType="Allow" roles="WHATEVER" />
<add accessType="Deny" users="WHATEVER" />
</authorization>
</security>
</system.webServer>Where do I put the localization to a single action or file?
-
For anyone who stumbles across this in the future, I could never get this to work more granular than the entire site security IIS. I have edited my web application to grab the local user account from the browser and preform an Active Directly lookup manually. It works, so moving on. Thanks for the advice either way.
-
Sorry that we could not narrow it down more.
-
@scottalanmiller said in Help with IIS Security:
Sorry that we could not narrow it down more.
It is an obscure issue that is hard to troubleshoot with out seeing it. The application is probably the better fix, I just wanted a easier workaround and was hoping someone had seen it before.
