Issue in Authentication using AD Group

Question
User777923107 posted
Hi All,
I am facing a strange issue in Authentication using an AD group.
We have configured Active Directory group Authentication on one of our portals such that only users in a particular AD group will be able to access the portal.
The authentication scenario is working fine on the development site, but authentication fails on the stage & Production site.
Users in that group are not able to access the stage & production portal.
The AD group name is configured in the respective Web.Config for the sites, with the exact entry as follows:
<authorization>
<allow roles="Domain\GroupName"/>
<deny users="*" />
</authorization>
The same issue comes up if we try accessing the group using code; it works on the Dev site but not on stage & production:
GlobalFilters.Filters.Add(new System.Web.Mvc.AuthorizeAttribute() { Roles = System.Web.Configuration.WebConfigurationManager.AppSettings["LDAPAuthorizeRole"] });
Web.config entry
<add key="LDAPAuthorizeRole" value="Domain\GroupName" />
Can someone help on this, to pinpoint the exact reason why such a strange issue is coming up?
Thanks & Regards
gc_new
Thursday, July 31, 2014 11:28 AM
All replies
User1508394307 posted
What is the difference between dev site and others? Is it your local box where you run all processes under an admin account?
Also, what happens if you remove
<allow roles="Domain\GroupName"/>
<deny users="*" />
Are you able to authenticate?
Thursday, July 31, 2014 11:39 AM
User777923107 posted
Hi Smirnov,
Thanks for the reply.
We have total access on the Dev environment, but the stage site is on a different box and is handled by a different team, so we are not sure of the permission settings. Can lack of permission be a cause of this? Also, what kind of permission should be given?
Also, if we remove:
<allow roles="Domain\GroupName"/>
<deny users="*" />
then every user (within our intranet domain) is able to access the site.
Thanks & regards
gc_new
Friday, August 1, 2014 12:35 AM
User777923107 posted
Hi,
Can anybody help us on this?
Quick points on which we need info:
1. Can some IIS settings block the AD group Authentication (port used to access the site etc.)?
2. Do we need to provide some kind of access to the AD group?
Any help on this will be really appreciated.
Regards
GC_new
Wednesday, August 6, 2014 11:30 PM
User1508394307 posted
The issue is clear. What is unclear is how your setup has been done.
- Since it is working on a dev box, I believe you know all the configuration settings on IIS and web.config. So it must be something different between the dev box and your server. Usually if "something works on dev box but does not work on a server", it is an issue with a process account (on the dev box you run everything as an administrator). If this is not the case, it might be a more complex problem, e.g. your server is on a different network, etc. In any case, you can check your dev box by accessing it from another location as http://devboxname/ and see if access is working as expected.
- If nothing helps, start from the beginning. Check MSDN http://support.microsoft.com/kb/315736 or this forum (e.g. http://forums.asp.net/t/1979572.aspx) and see if you have the same setup.
P.S.
If I were you, I would try to see if the server box "sees" the groups. E.g. make some test script like here http://weblogs.asp.net/scottgu/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application and see if an aspx on the server could see a proper identity name and user groups.
Thursday, August 7, 2014 3:47 AM
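
The check suggested in the last reply, as an added example that is not part of the thread or of the linked article: a drop-in handler (hypothetical file name whoami.ashx) that reports the request identity, the groups in its token, and the result of IsInRole for the LDAPAuthorizeRole value from the question. It assumes Windows authentication is enabled and that the deny rule is lifted for this path while testing.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmIHandler" %>
// Added diagnostic example; WhoAmIHandler / whoami.ashx are hypothetical names.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Configuration;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var sb = new StringBuilder();
        IPrincipal user = context.User;
        // Role string stored in appSettings in the question, e.g. Domain\GroupName.
        string role = WebConfigurationManager.AppSettings["LDAPAuthorizeRole"];

        // Identity the code runs as (app pool account unless impersonation is on).
        sb.AppendLine("Process identity : " + WindowsIdentity.GetCurrent().Name);
        if (user == null || !user.Identity.IsAuthenticated)
        {
            sb.AppendLine("Request is anonymous: no Windows token reached ASP.NET.");
        }
        else
        {
            sb.AppendLine("Request identity : " + user.Identity.Name);
            sb.AppendLine("Auth type        : " + user.Identity.AuthenticationType);
            sb.AppendLine("Configured role  : " + role);
            sb.AppendLine("IsInRole         : " +
                (!string.IsNullOrEmpty(role) && user.IsInRole(role)));

            var wi = user.Identity as WindowsIdentity;
            if (wi != null && wi.Groups != null)
            {
                sb.AppendLine("Groups in the request token:");
                foreach (IdentityReference sid in wi.Groups)
                {
                    string name;
                    // Name lookup fails when this server cannot resolve the SID.
                    try { name = sid.Translate(typeof(NTAccount)).Value; }
                    catch (SystemException) { name = "(SID not resolvable from this server)"; }
                    sb.AppendLine("  " + sid.Value + "  " + name);
                }
            }
        }
        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }
}
```

Request it on dev and on stage with the same account and compare the group lists and the IsInRole line; delete the file once the difference is found.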