Help with IIS Security
-
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
-
View from what application? SSMS? SSRS? Some custom thing?
-
@momurda Internet browser viewing a custom IIS-hosted website.
-
You certainly can do this. SSRS/CRM/NAV all do this. I don't really have any specific answers other than yes.
Your post is still a bit vague.
What authentication is the IIS using? What view are they presented with when logging in?
What permissions do users have by default to the sql server? What is the view currently?
https://stackoverflow.com/questions/8971128/restrict-access-to-a-wpf-view-based-on-ad-group-membership
-
@momurda said in Help with IIS Security:
You certainly can do this. SSRS/CRM/NAV all do this. I don't really have any specific answers other than yes.
Your post is still a bit vague.
What authentication is the IIS using? What view are they presented with when logging in?
What permissions do users have by default to the sql server? What is the view currently?
https://stackoverflow.com/questions/8971128/restrict-access-to-a-wpf-view-based-on-ad-group-membership
I know I am being a bit vague, but my company has a somewhat strict policy about seeking help online. I am using Windows Authentication on the site. What I am looking for is a setting in IIS where I can say this AD group can get to X page, and this group can get to Y page but not X page. I know I can do it in my application; I was just hoping I could do it in IIS. It works if I use passthrough security and edit file security permissions, but I need the Application Pool to run as a specific user, so this doesn't work because to the OS all users read the files as the same user.
-
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
-
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
-
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
Yes, IIS can, but IIS would be filtering to the application, not to SQL Server. Remember IIS is just a container for the application. IIS doesn't talk to SQL Server, the app does.
-
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
Yes, IIS can, but IIS would be filtering to the application, not to SQL Server. Remember IIS is just a container for the application. IIS doesn't talk to SQL Server, the app does.
I only need it to filter to the application.
-
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
@scottalanmiller said in Help with IIS Security:
@s-hackleman said in Help with IIS Security:
I have a website that is running as a Service Account in IIS. It is then connecting on to a SQL server on a remote server. Is there a way to control access to a specific view based on the Active Directory Group membership of the user visiting the site?
Yes, but this would be a part of the application and not related to IIS or SQL Server.
I know IIS can filter by AD user in some instances, and I was hoping for a quick fix for an obscure problem.
Yes, IIS can, but IIS would be filtering to the application, not to SQL Server. Remember IIS is just a container for the application. IIS doesn't talk to SQL Server, the app does.
I only need it to filter to the application.
You had mentioned SQL Server and "specific view". You don't want to determine application behaviour based on AD membership?
-
@scottalanmiller View is referring to a Web page. So the Application Pool is running as a service account, that account has access to the database. The user does not have access to the database. I just need to be able to say users in X group are denied access to X.html or http://test.com/Action/Index.html
-
@s-hackleman said in Help with IIS Security:
@scottalanmiller View is referring to a Web page. So the Application Pool is running as a service account, that account has access to the database. The user does not have access to the database. I just need to be able to say users in X group are denied access to X.html or http://test.com/Action/Index.html
Oh, that's just access vs. no access, nothing like a 'view'. So you just want basic IIS access controls?
-
For IIS Access Controls by AD Group...
Edit web.config
<configuration>
  <location path="MyPage.aspx/php/html">
    <system.web>
      <authorization>
        <!-- Windows groups are matched with roles=, not users= -->
        <allow roles="DOMAIN\Domain Admins"/>
        <deny roles="DOMAIN\Domain Users"/>
      </authorization>
    </system.web>
  </location>
</configuration>
-
The full directory is C:\folder\site\views\admin\Index.cshtml and the webpath is http://hostComputer:8080/Admin/Index. From what I have read the system.web was deprecated in IIS 6, and it is now system.webserver. I have tried this, but it isn't working.
<location path="Admin">
  <system.webServer>
    <security>
      <authorization>
        <allow roles="GRP_Admins" />
        <deny roles="*" />
      </authorization>
    </security>
  </system.webServer>
</location>
-
I believe the syntax in the system.webserver namespace is a bit different and as follows:
<system.webServer>
<security>
<authorization>
<add accessType="Allow" roles="WHATEVER" />
<add accessType="Deny" users="WHATEVER" />
</authorization>
</security>
</system.webServer>
-
@kimberlin said in Help with IIS Security:
I believe the syntax in the system.webserver namespace is a bit different and as follows:
<system.webServer>
<security>
<authorization>
<add accessType="Allow" roles="WHATEVER" />
<add accessType="Deny" users="WHATEVER" />
</authorization>
</security>
</system.webServer>
Where do I put the localization to a single action or file?
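A complete web.config for the case discussed in this thread, added here as an illustration and not posted by anyone in the thread: IIS URL Authorization scoped with <location> to the /Admin URL path, with the inherited allow-everyone rule removed first so the scoped rule actually takes effect. Assumes Windows Authentication as the OP described; DOMAIN\GRP_Admins is a placeholder group name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site-wide: Windows authentication must be on and anonymous off, or IIS
       never learns the caller's AD groups and every request is "anonymous".
       The authentication section is locked in applicationHost.config by
       default; unlock it there (overrideMode="Allow") or set these two
       values in IIS Manager instead of in web.config. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

  <!-- Scoped rule: applies to requests whose URL starts with /Admin
       (the request path, not the Views\Admin folder on disk, so it also
       covers an MVC route like /Admin/Index). -->
  <location path="Admin">
    <system.webServer>
      <security>
        <authorization>
          <!-- Remove the default "allow all users" rule inherited from
               applicationHost.config; without this, the inherited allow
               still matches everyone and the rule below is irrelevant. -->
          <remove users="*" roles="" verbs="" />
          <!-- Windows groups are matched via roles=, with the domain prefix.
               DOMAIN\GRP_Admins is a placeholder. Anyone not matched by an
               allow rule gets 401.2 once the default rule is gone. -->
          <add accessType="Allow" roles="DOMAIN\GRP_Admins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

This needs the URL Authorization feature (the Web-Url-Auth role service) installed on the server; the application pool identity is irrelevant here because the check is made on the authenticated request, not on file ACLs.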
-
For anyone who stumbles across this in the future, I could never get this to work more granularly than the entire site's security in IIS. I have edited my web application to grab the local user account from the browser and perform an Active Directory lookup manually. It works, so moving on. Thanks for the advice either way.
-
Sorry that we could not narrow it down more.
-
@scottalanmiller said in Help with IIS Security:
Sorry that we could not narrow it down more.
It is an obscure issue that is hard to troubleshoot without seeing it. The application is probably the better fix; I just wanted an easier workaround and was hoping someone had seen it before.