
I wrote a custom authorization method for a simple C#.NET (VS 2008 web application project). The method will redirect the current user to a friendly AccessDenied page when they are not authorized (using Windows auth). There are 6 users who will be allowed to view this page. The problem is that 1 of the 6 users, user2, is being redirected to the AccessDenied page every time, when they are in fact authorized. I have ruled out spelling and punctuation errors - that is not the issue.

It's a simple 2-page app: the main Default page and the redirect to the AccessDenied page. The app works for this one user if I comment out the AuthenticateCurrentUser() method. It works either way for all the other users. Why would only one user be affected? I had this user log on to another computer and try – same result. I then moved the code with the commented-out AuthenticateCurrentUser() method into the folder on the server and it worked for them.

Should I be authenticating in another way? I've seen some examples but they seem overkill for this simple app. There is no global.asax file - but maybe I should use one and authenticate there instead?

web.config:

    <authentication mode="Windows"/>
    <authorization>
      <allow users="domain\user1, domain\user2, domain\user3, domain\user4, domain\user5, domain\user6" />
      <deny users="*"/>
    </authorization>

code:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            //Code to load GridViews
        }

        AuthenticateCurrentUser();
    }

    protected void AuthenticateCurrentUser()
    {
        System.Security.Principal.WindowsIdentity Ident = System.Security.Principal.WindowsIdentity.GetCurrent();

        // Ident.Name is "DOMAIN\user"; Substring(4) drops the 4-character "ABC\" prefix of a 3-letter domain
        string strUser = Ident.Name.Substring(4);

        if (!(strUser == "user2" || strUser == "user4" || strUser == "user1" || strUser == "user3" || strUser == "user5" || strUser == "user6"))
        {
            Response.Redirect("AccessDenied.aspx");
        }
        else
        {
            Label1.Text = "Access Granted";
        }
    }

UPDATE: Based on comments I have replaced these 2 lines of code:

    System.Security.Principal.WindowsIdentity Ident = System.Security.Principal.WindowsIdentity.GetCurrent();

    string strUser = Ident.Name.Substring(4);

with this single line of code:

    string strUser = Environment.UserName;

I will not get to test it on user2 until Monday 4/27/15. Will report back!

FOLLOW UP 4/27/15: The code change made no difference. user2 still cannot access the application deployed on the server. I even went so far as to have user2 log on to my local dev machine (where VS 2008 is installed) and ran the debugger as user2. The application correctly allowed user2 access to the home page of the web app in this scenario. I also had user2 access the (remote) server files from my local machine and she was not allowed access to the home page of the app. I then had user2 log on from another machine and she still could not access it. The server has the exact same code files as the local machine. And this only happens for this user - other users can access it just fine, so I am stumped as to why this would occur for this one user when others have no issue. It should happen for all if this were a server configuration and/or permissions issue, shouldn't it?

Doreen
  • I think `` is overriding `` settings. If I'm correct, the correct setting is `` so users have the chance to present credentials – Claudio Redi Apr 24 '15 at 17:03
  • why don't you authenticate based on their IP address? it's not that complicated. – Technovation Apr 24 '15 at 17:13
  • @Technovation can you give me an example. I am not sure that is a good idea when Windows authentication should be sufficient. – Doreen Apr 24 '15 at 17:23
  • @doreen, take a look at here http://stackoverflow.com/questions/19285957/how-to-get-public-ip-address-of-a-user-in-c-sharp you can just get your user IPs and check them with your trusted IPs which you listed in your web.config (it's better not to be hard coded and be dynamic in your config file). Albeit if you think Windows authentication is better, use that method, because you yourself know your application purpose better. – Technovation Apr 24 '15 at 17:47
  • The substring on the name property, is there no better way of doing that? Could the credentials for user2 be formatted a bit different so the resulting substring isn't user2? Perhaps there is a credential splitter or something that will always return the actual user name. Checking by IP address seems very strange if you have a windows domain present. – pyrocumulus Apr 24 '15 at 17:48
  • @Claudio, according to this article:[http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config] , my webconfig setup is correct to allow certain users and deny everyone else – Doreen Apr 24 '15 at 17:48
  • @pyrocumulus - what do you mean? "tehere"??? – Doreen Apr 24 '15 at 17:50
  • @Doreen sorry pressed Enter accidentally before post was ready :P working on a tablet. I edited my comment. – pyrocumulus Apr 24 '15 at 17:52
  • @pyrocumulus - Thanks for the tip I think you are on to something. I have extracted the domain portion of username out in other ways before. Let me check in my ball of tricks. – Doreen Apr 24 '15 at 17:55
  • I noticed the link I provided goes to no page and I can't edit my comment. Correct link to @Claudio: is http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config – Doreen Apr 24 '15 at 17:57
  • Why not use `Ident.Name.Split('\')` and pick the second item in the array, which would be the username, rather than substring? – scheien Apr 24 '15 at 18:51
  • Just want to post a WARNING regarding other comments: Authenticating users based on IP addresses is limited, vulnerable, and generally wrong. IP addresses can be spoofed easily, can be changed along the way in the network (if there's any kind of NAT or proxying). The IP address merely specifies where the return packets should be routed, not the identity of the sender. – Iravanchi Apr 24 '15 at 19:03
  • @Doreen: although your source is a very authorative voice I have to admit it's the first time I hear about that. It could be correct but in any case I'd research a little more to be sure that's still valid, year 2008 is very long ago. – Claudio Redi Apr 27 '15 at 12:02
  • @Claudio - I understand your point - my thought is the technology I am using (is a bit outdated too 3.5 framework/VS2008) and aligns with the reference I chose. – Doreen Apr 27 '15 at 16:25
  • I updated my question with follow up of my update. Still troubleshooting this. – Doreen Apr 27 '15 at 19:26
  • I'm not sure how any of the ident matching is working since you take `Substring(4)` but all your `==` checks have five character names in them – Steve Mitcham Apr 27 '15 at 19:40
  • @SteveMitcham substring(4) is stripping out the first 5 characters of the AD name: domain\username. So for example the currently logged in user would read as "ABC\\user2" in debug mode, substring 4 strips out the ABC\\ part. I can and have used Environment.UserName to get the username directly, and I have used the split('\\') method then called the 2nd index [1] of the array to read the username part. They all return the correct username, it's just this particular username is being rejected and I cannot figure out why. – Doreen Apr 27 '15 at 20:52
  • Yeah sorry, got the direction on substring backwards. – Steve Mitcham Apr 28 '15 at 02:37
  • I posted a similar question a couple of years later with an answer which I believe this question relates to, so I'm referencing the question here in case it helps someone https://stackoverflow.com/questions/29853258/custom-method-to-authenticate-user-is-ignoring-one-of-6-users-allowed-to-access This was a case of AD user names being typed in with caps instead of all lower case after 2000, causing the authentication process to ignore the user as existing. – Doreen Jul 09 '18 at 22:18
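The cause Doreen reports in the last comment (an AD account name stored with capitals, which a case-sensitive `==` against `"user2"` rejects) is one of three ways a hand-rolled per-user check like `AuthenticateCurrentUser()` fails for a single account. The other two are reading the wrong identity (`WindowsIdentity.GetCurrent()` and `Environment.UserName` return the identity of the worker-process thread, which is only the browsing user when ASP.NET impersonation is on; the request's user is `Context.User.Identity`) and parsing the name with a fixed-width `Substring(4)`, which only works for a 3-letter domain. Note also that the posted web.config rule had already admitted user2, otherwise IIS would have returned 401 rather than the app's AccessDenied page, so the code check was the only thing disagreeing. The code-behind below is an added example written for this thread, not code from the question or its comments; the class name `_Default`, the allowed-user list (copied from the posted web.config) and the `~/AccessDenied.aspx` path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added example, not the question's code. Same intent as AuthenticateCurrentUser(),
// with three fixes: read the request identity, compare the full DOMAIN\user string
// case-insensitively, and decide before any page data is loaded.
public partial class _Default : Page
{
    // Full DOMAIN\user names (assumed, mirroring the web.config <allow> list) so a
    // same-named account from another domain is not matched by accident.
    // OrdinalIgnoreCase makes "ABC\User2" equal to "abc\user2", which is the
    // case-sensitivity problem from the thread.
    private static readonly HashSet<string> AllowedUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"domain\user1", @"domain\user2", @"domain\user3",
            @"domain\user4", @"domain\user5", @"domain\user6",
        };

    // Deny by default: null, anonymous or unknown identities are all refused.
    public static bool IsAllowed(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
        {
            return false;
        }
        return IsAllowedName(identity.Name);
    }

    // Pure string check so it can be exercised with sample names outside IIS.
    public static bool IsAllowedName(string domainQualifiedName)
    {
        if (string.IsNullOrEmpty(domainQualifiedName))
        {
            return false;
        }
        return AllowedUsers.Contains(domainQualifiedName.Trim());
    }

    // If the bare user name is needed (for display, not for the decision), split on
    // the last backslash instead of assuming the domain prefix is 4 characters long.
    public static string BareUserName(string domainQualifiedName)
    {
        int slash = domainQualifiedName.LastIndexOf('\\');
        return slash < 0 ? domainQualifiedName : domainQualifiedName.Substring(slash + 1);
    }

    // Page_Init runs before Page_Load, so the GridViews are never populated for a
    // user who is about to be redirected away.
    protected void Page_Init(object sender, EventArgs e)
    {
        IIdentity requestUser = Context.User.Identity;   // the browsing user, not the app pool
        if (!IsAllowed(requestUser))
        {
            // Log requestUser.Name here before redirecting (logging mechanism assumed):
            // seeing the exact string, e.g. "ABC\User2", is what exposes a case mismatch.
            Response.Redirect("~/AccessDenied.aspx", true);
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // Code to load GridViews, reached only by an allowed user
        }
        Label1.Text = "Access Granted as " + BareUserName(Context.User.Identity.Name);
    }
}
```

With the assumed list, `IsAllowedName(@"DOMAIN\User2")` and `IsAllowedName(@"domain\user2")` both succeed while `IsAllowedName("user2")` and `IsAllowedName(@"NT AUTHORITY\NETWORK SERVICE")` are refused, which is exactly the split the thread observed between user2 on the server and the other five accounts. Since the posted `<authorization>` element already encodes the same six-user rule, the simplest fix of all is to delete the in-code list and let `UrlAuthorizationModule` enforce web.config alone, keeping a single source of truth; if the code check stays, keep its list identical to the config and compare with `StringComparer.OrdinalIgnoreCase` as above.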
