API Security Authorization

  • Question

  • User-1047577731 posted

    How can I restrict the permissions at the Web site level on IIS?

    Editing web.config does not work when I deny access for "All Users" and allow access for admins. I also tried using the IIS "Authorization Rules". This does not work either when I change the default rule from "ALLOW to All Users" to "DENY to All Users" and create a new rule "ALLOW to Domain Admins". The existing authenticated users on the AD domain can still access the site.

    As you know, there is also another rule named ".NET Authorization Rules". The default setting is "ALLOW to All Users" (inherited). If I set this to 'DENY', users can still access the site.

    I am stuck on this security issue. Can anyone please advise any other way of having this authorization/security set?

    I tried setting the below in web.config, but it did not help:

    <authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Deny" users="*" />
      <add accessType="Allow" roles="Administrators" />
    </authorization>

    Wednesday, February 19, 2020 10:13 PM

All replies

  • User-848649084 posted

    Hi,

    Try setting the below configuration:

    <!-- web.config -->
    <configuration>
      <system.web>
        <authentication mode="Windows" />
        <authorization>
          <allow roles="MYDOMAIN\MY-AD-GROUP" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

    Note: do not forget to add the domain name before the role.

    <!-- applicationHost.config -->
    <configuration>
      <location path="YOUR-APP">
        <system.webServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="false" />
              <windowsAuthentication enabled="true" />
            </authentication>
          </security>
        </system.webServer>
      </location>
    </configuration>

    If you need to grant privileges on the filesystem to the ASP.NET app, use the new “IIS APPPOOL\AppName” special security principal within your NTFS permissions to grant access only to the specific ASP.NET app.

    You could also use the GUI:

    1) Open the ASP.NET Authorization tool for your app / site.

    (screenshot: 01_DotNetAuthorization)

    2) Use the "Add Allow Rule…" option to start a new authorization rule.

    (screenshot: 02_AddAllowRule)

    3) Select "Specified roles or user groups", type the full DOMAIN\GroupName, then save the changes.

    (screenshot: 03_SpecifiedUserGroups)

    4) Use the "Add Deny Rule…" option to start a new authorization rule. Deny "All users" and save the changes. The order of these rules matters: the allow rule for the user group must appear in the list above the deny-all rule.

    (screenshot: 04_DenyAllUsers)

    5) Open the IIS Authentication tool for your app / site.

    (screenshot: 05_IISAuthentication)

    6) Disable all of the options other than "Windows Authentication" (Enabled).

    (screenshot: 06_AuthenticationSettings)

    7) Open the "Configuration Editor" for your app / site.

    (screenshot: 07_MgmtConfigEditor)

    8) Navigate to the "system.web/authentication" section in Configuration Editor.

    (screenshot: 08_system.web_authentication)

    9) Set the authentication "mode" to "Windows" and save your changes.

    (screenshot: 09_auth_mode_Windows)

    10) Restart IIS to make sure your changes are applied.

    Regards,

    Jalpa

    Thursday, February 20, 2020 2:55 AM
  • User-1047577731 posted

    Hi Jalpa, thanks for your response.

    1) I followed your screenshots accordingly and made changes to the web.config and applicationHost.config files. I made sure I am using the AD group with the domain name in front.

    I restarted IIS, and when I try to browse I receive the following error:

    HTTP Error 401.2 - Unauthorized

    You are not authorized to view this page due to invalid authentication headers.

    Most likely causes:

    No authentication protocol (including anonymous) is selected in IIS.

    Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.

    Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.

    The Web server is not configured for anonymous access and a required authorization header was not received.

    The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.

    2) Do I need to enable Windows Authentication? If so, how will an external user send a payload to this API (web service), for example via Postman / SOAP UI?

    3) Instead of Windows, can we set Basic Authentication? Is this possible?

    Please advise.

    Thursday, February 20, 2020 3:56 AM
  • User-1047577731 posted

    Actually, if I pass any Domain\User-Group name, it is able to authorize my API (service).

    <authentication mode="Windows" />
    <authorization>
      <allow roles="mycorp\corp Admin Accounts" />
    </authorization>

    ---------

    </authentication>

    If I try to restrict certain groups, or everyone apart from the above roles, my complete service (API) doesn't respond:

    <authentication mode="Windows" />
    <authorization>
      <allow roles="mycorp\corp Admin Accounts" />
      <deny users="*" />
    </authorization>

    Is there any way to restrict this from the web.config of IIS? Please advise.

    Thursday, February 20, 2020 7:16 AM
  • User-848649084 posted

    You could try setting <deny users="?" />

    deny users="*" means deny everyone

    deny users="?" means deny unauthenticated users

    Thursday, February 20, 2020 7:20 AM
  • User-1047577731 posted

    Well, as suggested I tried the below: I am not a member of the 'mycorp\corp Admin Accounts' group, but I am able to access the service.

    Authorization still doesn't seem to work.

    <authentication mode="Windows" />
    <authorization>
      <allow roles="mycorp\corp Admin Accounts" />
      <deny users="?" />
    </authorization>

    Thursday, February 20, 2020 7:25 AM
  • User-848649084 posted

    Could you please share a snapshot of your authentication settings?

    Thursday, February 20, 2020 7:31 AM
  • User-1047577731 posted

    Actually, for some reason it is not allowing me to attach images.

    Well, my Authentication setting is: everything is set to disabled, except Basic Authentication. I want it to have Basic Auth.

    Thursday, February 20, 2020 7:43 AM
  • User-1047577731 posted

    <location path="Default Web Site/TestSvc">
      <system.webServer>
        <security>
          <authentication>
            <digestAuthentication enabled="false" />
            <basicAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
            <windowsAuthentication enabled="false" />
          </authentication>
        </security>
      </system.webServer>
    </location>

    Thursday, February 20, 2020 7:48 AM
  • User-848649084 posted

    Could you share which kind of application you are using (HTML, ASP.NET)? Which group are you in? Do you have administrator rights?

    Thursday, February 20, 2020 8:05 AM
  • User-1047577731 posted

    It is a .NET API service, hosted on my IIS.

    Thursday, February 20, 2020 8:07 AM
  • User-1047577731 posted

    Actually, if I pass any known or unknown value in web.config under the authorization section, it still allows access to the service:

    <authorization>
      <allow roles="TESTDOMAIN\MY-AD-GROUPTEST" />
      <deny users="?" />
    </authorization>

    The above is not a valid group, but my user can still access the service. This is the problem I have been facing from the beginning: I am unable to restrict users.

    Thursday, February 20, 2020 8:28 AM
  • User-848649084 posted

    Hi,

    I made a test with a .NET Web Forms application and the IIS authorization rule, which is working well.

    Please make sure you added the rule under Authorization Rules, not .NET Authorization Rules.

    First, remove all the rules and then try to add your rule.

    After doing all the changes, your security section will look like below:

    Thursday, February 20, 2020 8:53 AM
  • User-1047577731 posted

    Well, I did exactly as you showed in the screenshots. It's working fine.

    BUT the thing is, if I give any DOMAIN\UserGroupName, then with Basic Auth, after entering my Windows credentials, it's allowing me to access the service.

    I tried with the below role (Domain\AD Group); it asked for my Windows creds and if I entered them correctly I was able to access the service. You can try it on your side too.

    <authorization>
      <add accessType="Allow" roles="TestUsers" />
      <add accessType="Deny" users="?" />
    </authorization>

    Thursday, February 20, 2020 9:09 AM
  • User-2064283741 posted

    I think there has been some confusion here.

    <add accessType="Deny" users="?" />

    will allow users that are authenticated to access your site.

    By the sounds of it, you need the more common <add accessType="Deny" users="*" />

    https://forums.asp.net/t/1948129.aspx?what+is+difference+between+deny+users+and+deny+users+

    I know you used this before, but I think the issue earlier was the ordering of your allow and deny statements.

    You had

    <add accessType="Deny" users="*" />
    <add accessType="Allow" roles="Administrators" />

    when it should have been

    <add accessType="Allow" roles="Administrators" />
    <add accessType="Deny" users="*" />

    I believe it implements the first rule it comes across, so you said deny everyone and it did just that.

    See if that works.

    If not, go through Failed Request Tracing; that will tell you in much more detail what is being approved and why.

    Also, I would probably ask about this issue on our sister site https://forums.asp.net too. It is one of those borderline ASP.NET-or-IIS issues. You might find more info about it there.

    Thursday, February 20, 2020 3:56 PM
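    To see why a plausible-looking rule set still lets every authenticated user in, here is an added example (not code from this thread or from IIS) that models how ASP.NET URL authorization (the system.web/authorization form) walks its rules: first match wins, users="?" matches only anonymous callers, users="*" matches everyone, and a request that matches no rule falls through to the inherited machine-level allow-all. It assumes Windows principals carrying group membership as roles; the account and group names are constructed, and the IIS-native add accessType syntax is not modelled.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str                          # "" models an anonymous caller
    roles: set = field(default_factory=set)

def is_allowed(authorization_xml: str, who: Principal) -> bool:
    """Evaluate a system.web <authorization> fragment for one caller.

    Rules are walked in document order and the first matching rule wins.
    users="*" matches everyone, users="?" matches only anonymous callers.
    When no rule matches, the inherited machine-level <allow users="*" />
    applies, so a trailing <deny users="*" /> is what actually closes the door.
    """
    authenticated = who.name != ""
    my_roles = {r.lower() for r in who.roles}
    for rule in ET.fromstring(authorization_xml):   # <allow/> or <deny/> in order
        users = {u.strip().lower() for u in rule.get("users", "").split(",") if u.strip()}
        roles = {r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()}
        matched = ("*" in users or ("?" in users and not authenticated)
                   or who.name.lower() in users or bool(roles & my_roles))
        if matched:
            return rule.tag == "allow"
    return True  # fell through to the inherited default rule

# Fragments taken from this thread; account and group names are constructed.
DENY_FIRST = """<authorization>
  <deny users="*" />
  <allow roles="Administrators" />
</authorization>"""
DENY_ANON_ONLY = """<authorization>
  <allow roles="mycorp\\corp Admin Accounts" />
  <deny users="?" />
</authorization>"""
ALLOW_THEN_DENY_ALL = """<authorization>
  <allow roles="mycorp\\corp Admin Accounts" />
  <deny users="*" />
</authorization>"""

MEMBER = Principal("mycorp\\alice", {"mycorp\\corp Admin Accounts"})
OUTSIDER = Principal("mycorp\\bob", {"mycorp\\Domain Users"})
ANONYMOUS = Principal("")

def outcomes(fragment: str) -> tuple:
    """Return (member, authenticated outsider, anonymous) -> allowed?"""
    return tuple(is_allowed(fragment, p) for p in (MEMBER, OUTSIDER, ANONYMOUS))
```

    The second fragment reproduces the symptom reported above: the outsider is allowed because deny users="?" never matches an authenticated caller and nothing else denies them.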
  • User-1047577731 posted

    You are not understanding my scenario clearly... if I give the role as Administrators, or my Domain\AD Group, or even Test... as it's Basic Authentication, when I enter my Windows credentials correctly I am able to access the web site.

    If I am using authorization, then no matter what, only that particular Domain\AD Group should have access to the web site.

    For the below, if Administrators is provided, only that Administrators group should have access, not others. I hope my question makes sense.

    <add accessType="Allow" roles="Administrators" />

    <add accessType="Deny" users="*" />

    Thursday, February 20, 2020 6:00 PM
  • User-2064283741 posted

    I think I understand. Like I said before, maybe the other scenario of

    <add accessType="Deny" users="?" />

    will still allow any user to view (but they have to be a user).

    Anyway, Failed Request Tracing will tell you more.

    Thursday, February 20, 2020 7:04 PM
  • User-1047577731 posted

    Hi Jalpa, I set up my authorization with the AD group and a Deny rule in the Authorization section. If I hit the service from IIS (under Default Web Site), it behaves as expected with Basic Authentication: only if I am part of that AD group am I able to get authenticated from IIS and browse the service.

    BUT if I browse the URL in Internet Explorer, it asks for a username and password, and whether I am part of the AD group or not, it gets authenticated and I am able to get into the contents of the WSDL. Why is it not being authorized properly from Internet Explorer? Is there anything to set to keep this secured?

    Sunday, February 23, 2020 12:49 AM
  • User-848649084 posted

    You could try to access it with another user whom you restricted. This is the only setting you need to restrict some user or group.

    Monday, February 24, 2020 8:52 AM
  • User-1047577731 posted

    Yes, another user who is not part of the group: I asked him to browse the URL and he is able to access it.

    Is there some bug in IIS 10? It is not able to restrict users.

    Is there any other solution, as the above doesn't work?

    Monday, February 24, 2020 3:06 PM