IIS Authorization issue

  • Question

  • User-1286535781 posted

    Hi, I set up my Authorization with an AD group and Deny access in the Authorization section, and if I hit the service from IIS (under Default Web Site), it behaves as expected with Basic Authentication. Only if I am part of that AD group am I able to get authenticated from IIS and browse the service; otherwise, 401 - Unauthorized.

    In the web.config file

    <authorization>
        <allow users="corp\UserName" />
        <deny users="*" />
    </authorization>

    BUT if I browse the URL in Internet Explorer, it asks for a username and password... whether I am part of the AD group or not, it gets authenticated and I am able to get to the contents of the WSDL. Why is it getting authenticated from Internet Explorer so easily? Is there anything to set to keep this secured?

    Has anyone experienced this and resolved it? Any ideas, please.

    Sunday, February 23, 2020 6:23 PM

All replies

  • User475983607 posted

    reason101

    Why is it getting authenticated from Internet Explorer easily ?

    Because you've defined a login on the server that matches the credentials entered in the login prompt. If you entered invalid credentials but still authenticate, there are bugs elsewhere in your code that we cannot see.

    Are you sure the WSDL is secured?

    Sunday, February 23, 2020 6:30 PM
  • User-1286535781 posted

    Well, I have actually tried giving my AD group as roles in the web.config file. So there is a set of users in this group:

    <authorization>
        <allow roles="corp\GroupName" />
        <deny users="*" />
    </authorization>

    I am trying to use POSTMAN with Authorization -> Type -> Basic Authentication.

    When I do a POST, whether as a member of that particular AD group or not, it still does the POST and sends the message.

    I don't understand why: if the user is not in that group they should be getting 401 - Unauthorized, BUT that is not happening.

    Sunday, February 23, 2020 6:37 PM
  • User475983607 posted

    Windows authentication works as written. Basic authentication is a completely different authentication scheme from Windows. Maybe you also have anonymous authentication enabled? At this point it is not clear how you've configured the SOAP (ASMX or WCF) service.

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication

    Sunday, February 23, 2020 6:48 PM
  • User-1286535781 posted

    I have disabled Anonymous Auth everywhere (from Header and service level).

    On the service level -> Just set Basic Authentication and disabled all others.

    On the service -> .Net Authorization Rules -> set Allow and Deny rules in there, which look in the web.config file as follows, and restarted the App Pool bound to that service:

    <authorization>
        <allow roles="corp\GroupName" />
        <deny users="*" />
    </authorization>

    Now, when I browse the service from IIS, the service behaves accordingly. The user who is part of the group gets authenticated, and users who are not part of the group get denied access to the service.

    But the same behaviour is not happening when I do it from POSTMAN. Whether a user is part of the group or not, if they enter their credentials correctly they are able to trigger the message and do a POST.

    I am not sure what I am doing differently that is making POSTMAN authenticate every user. I have been struggling with this for the past 3 days.

    Sunday, February 23, 2020 6:57 PM
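Added example, not code from any post in this thread: a small Python model of how ASP.NET URL authorization evaluates the `<authorization>` rules posted above (rules are read top to bottom, the first matching rule wins, and a principal no rule matches is allowed). It checks the posted ruleset against a constructed group member, a non-member and an anonymous request, plus two misconfigured variants (deny placed before allow, and no deny at all); it models the rule semantics only, not whether the module runs at all for a given request, which is what the thread is trying to establish.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed copy of the <authorization> element posted in the thread.
CONFIG_XML = r"""<authorization>
    <allow roles="corp\GroupName" />
    <deny users="*" />
</authorization>"""

# Constructed variants: rules swapped (locks everyone out) and deny omitted (lets everyone in).
MISORDERED_XML = CONFIG_XML.replace('<allow roles="corp\\GroupName" />\n    <deny users="*" />',
                                    '<deny users="*" />\n    <allow roles="corp\\GroupName" />')
NO_DENY_XML = CONFIG_XML.replace('    <deny users="*" />\n', '')

@dataclass(frozen=True)
class Principal:
    name: str                      # e.g. r"corp\alice"; "" means anonymous
    roles: frozenset = frozenset() # Windows groups the user belongs to

def _split(attr):
    """Comma-separated attribute value -> lower-cased list (empty if attribute absent)."""
    return [v.strip().lower() for v in (attr or "").split(",") if v.strip()]

def _matches(rule, p):
    users = _split(rule.get("users"))
    roles = _split(rule.get("roles"))
    if "*" in users:                    # "*" matches every user, anonymous included
        return True
    if "?" in users and not p.name:     # "?" matches anonymous requests only
        return True
    if p.name and p.name.lower() in users:
        return True
    return any(r.lower() in roles for r in p.roles)

def evaluate(xml_text, p):
    """Return 'allow' or 'deny' for principal p; first matching rule wins, default allow."""
    root = ET.fromstring(xml_text.strip())
    for rule in root:
        if rule.tag in ("allow", "deny") and _matches(rule, p):
            return rule.tag
    return "allow"

def check_ruleset(xml_text, principals):
    """Decision per principal name, for reviewing a ruleset before deploying it."""
    return {p.name or "<anonymous>": evaluate(xml_text, p) for p in principals}

if __name__ == "__main__":
    member = Principal(r"corp\alice", frozenset([r"corp\GroupName"]))
    outsider = Principal(r"corp\bob", frozenset([r"corp\Other"]))
    for label, xml in (("posted", CONFIG_XML), ("misordered", MISORDERED_XML), ("no deny", NO_DENY_XML)):
        print(label, check_ruleset(xml, [member, outsider, Principal("")]))
```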
  • User288213138 posted

    Hi reason101,

    I have disabled Anonymous Auth everywhere (from Header and service level).

    On the service level -> Just set Basic Authentication and disabled all others.

    On the service -> .Net Authorization Rules -> set Allow and Deny rules in there, which look in the web.config file as follows, and restarted the App Pool bound to that service:

    <authorization>
        <allow roles="corp\GroupName" />
        <deny users="*" />
    </authorization>

    Now, when I browse the service from IIS, the service behaves accordingly. The user who is part of the group gets authenticated, and users who are not part of the group get denied access to the service.

    But the same behaviour is not happening when I do it from POSTMAN. Whether a user is part of the group or not, if they enter their credentials correctly they are able to trigger the message and do a POST.

    According to your description, I need more information to analyze your problem.

    Can you post your IIS web.config settings? And what is the content of your Authentication setting?

    Best regards,

    Sam

    Tuesday, February 25, 2020 9:44 AM