Reputation: 137
I have built an ASP.NET website for my company's intranet. It is utilizing Windows authentication; we use Active Directory. What I want to do is restrict certain pages of this website (add, delete) so only a few people can access them. Any ideas on how to do this? I want to create groups in Active Directory so I can just add people to them and they automatically can access these restricted pages.
Thanks for any help
Upvotes: 2
Views: 4105
Reputation: 1314
You just need to tell ASP.NET what to protect and how. This is done through your web.config settings. For example, if you change your web.config for your ASP.NET application to reflect the following:
    <system.web>
      <!-- Windows AD auth -->
      <authentication mode="Windows" />
      <identity impersonate="true" />
      <authorization>
        <!-- Deny unauthenticated users; listed first because rules are evaluated top-down and the first match wins -->
        <deny users="?" />
        <!-- Only allow authenticated users into the web site -->
        <allow users="*" />
      </authorization>
    </system.web>
Then add location config sections that only allow certain roles to visit certain parts of the application. Roles translate to Active Directory Groups, for instance:
    <location path="Admin">
      <system.web>
        <authorization>
          <!-- Only allow users of this AD group -->
          <allow roles="BUILTIN\Administrators" />
          <!-- Deny everyone else -->
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
This tells ASP.NET to only allow users within the Active Directory Group called "Administrators" to get access to the pages within that folder.
Also, the "path" setting of the location node in the web.config file can be set to individual files of your application if they are not separated out into a folder.
If your app is MVC, the location "path" variable corresponds to the path taken to invoke your endpoints. These are usually specified in your RouteConfig.cs file. For instance, say you have the MVC URLs "website.com/viewA/show" and "website.com/AdminView/show". To restrict access to viewA the path would be "viewA", and it would be "AdminView" for restricting access to the AdminView URLs.
Upvotes: 2
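An added example, not part of the answer above: a small Python model of how ASP.NET URL authorization walks these rules (top to bottom, first match wins, the more specific `<location>` section before the site-wide one). It shows why `<deny users="?"/>` has to precede `<allow users="*"/>` and why the Admin section needs its trailing `<deny users="*"/>`. The rule strings are constructed samples, and the final fallback to allow is an assumption that models the machine-wide default.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the same two site-wide rules in both orders,
# and the Admin <location> rules from the answer.
ALLOW_FIRST = '<authorization><allow users="*"/><deny users="?"/></authorization>'
DENY_FIRST = '<authorization><deny users="?"/><allow users="*"/></authorization>'
ADMIN = ('<authorization><allow roles="BUILTIN\\Administrators"/>'
         '<deny users="*"/></authorization>')


def _names(value):
    """Split a comma-separated users/roles attribute, case-insensitively."""
    return {n.strip().casefold() for n in (value or "").split(",") if n.strip()}


def rule_matches(rule, user, roles):
    """True if an <allow>/<deny> element applies; user is None when anonymous."""
    users = _names(rule.get("users"))
    if "*" in users:                      # "*" = everyone, anonymous included
        return True
    if "?" in users and user is None:     # "?" = anonymous only
        return True
    if user is not None and user.casefold() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.casefold() for r in roles})


def is_allowed(sections, user=None, roles=()):
    """sections: <authorization> XML strings, most specific first."""
    for xml_text in sections:
        for rule in ET.fromstring(xml_text):
            if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                return rule.tag == "allow"   # first matching rule decides
    return True  # assumption: stands in for the machine-wide <allow users="*"/>


if __name__ == "__main__":
    print("anonymous, allow listed first:", is_allowed([ALLOW_FIRST]))
    print("anonymous, deny listed first: ", is_allowed([DENY_FIRST]))
    print("non-admin on Admin path:      ",
          is_allowed([ADMIN, DENY_FIRST], "CORP\\alice", ["CORP\\Staff"]))
```
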
Reputation: 1569
You would use the file/folder permissions to restrict users to those pages. So if you have a folder called HR with some pages in it, you would set the folder permissions on the HR folder to allow Read access to the HR group in Active Directory.
Upvotes: 1