asp.net windows authentication

  • Thread starter: DK

DK

I have an intranet application I've built using asp.net 3.5 / running on
IIS6.

The problem: when a user tries to access a page that they do not have access
to, they are given the annoying windows authentication popup, which is
useless because they are denied in the web.config file. After 3 tries or
hitting cancel, they are then directed to the Access Denied page.

How can I get rid of that popup?

In my main web.config I have this:
<authentication mode="Windows"/>
<authorization>
  <deny users="?"/>
</authorization>

other web.configs would look like this:
<system.web>
  <authorization>
    <allow roles="MyDomain\AllowedRoles"/>
    <deny users="*"/>
  </authorization>
</system.web>

In IIS6 under Directory Security > Authentication Methods everything is
cleared except Integrated Windows Authentication.

There's another app on another server in our domain that is set up the exact
same way (as far as I can tell) and you go directly to the Access Denied
page. There must be something stupid that I'm missing.

It's not the end of the world but I'd like to solve this... Thanks.
 
There's another app on another server in our domain that is set up the exact
same way (as far as I can tell) and you go directly to the Access Denied

For the same user? Check if user has no stored password for that site
in Control Panel - User Accounts. If there's nothing, check IE
settings, under Security, "Prompt for logon" or similar. If "Access
Denied" page is a custom page, check if non-authorized users have
access to it.
 
Hello DK,

And check the Trusted Sites too, because, as Alexey noted, your site can be in
one of those groups with the "automatic logon" settings.

---
WBR,
Michael Nemtsev [Microsoft MVP] :: blog: http://spaces.live.com/laflour
:: http://twitter.com/laflour



 
This is normal. If the browser requests a resource and gets a 401 (access
denied), the browser asks for a new login. You could write a handler that
checks for the 401 and, if the user had sent a valid login, redirects to
an access denied page instead of responding with a 401.

-- bruce (sqlwork.com)
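
The handler described in the reply above, as an added example that is not part of the original thread: an ASP.NET HTTP module that leaves the 401 alone for unauthenticated requests (so Integrated Windows Authentication can still negotiate) and sends already-authenticated users who were denied by the authorization rules to an access denied page. The class name AccessDeniedModule and the page ~/AccessDenied.aspx are assumptions.

```csharp
using System;
using System.Web;

// Added example, not code from the thread.
// Assumed names: AccessDeniedModule, ~/AccessDenied.aspx.
// On IIS6 the module is registered under <system.web><httpModules> with
// <add name="AccessDeniedModule" type="AccessDeniedModule"/>.
public class AccessDeniedModule : IHttpModule
{
    // Assumption: this page is readable by every authenticated user.
    private const string DeniedPage = "~/AccessDenied.aspx";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after UrlAuthorizationModule has set the status.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;
        HttpResponse response = app.Response;

        // Only responses that are about to go out as 401 are of interest.
        if (response.StatusCode != 401)
            return;

        // No identity yet: keep the 401 so the browser can authenticate.
        if (!request.IsAuthenticated)
            return;

        // If the denied page itself is what was refused, do not redirect
        // again; that would loop. Let the 401 through instead.
        if (string.Equals(request.AppRelativeCurrentExecutionFilePath,
                          DeniedPage, StringComparison.OrdinalIgnoreCase))
            return;

        // Known user, not authorized for this resource: another credential
        // prompt cannot help, so replace the 401 with a redirect.
        response.ClearContent();
        response.Redirect(DeniedPage, false);
    }

    public void Dispose() { }
}
```

The access denied page has to be allowed for all authenticated users, as the earlier reply points out; it can set its own status code to 403 so logs and monitoring still record the request as a denial.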
 