5

I have an ASP.NET website and I would like to only allow users in an AD group access to the site. I am using a web.config snippet as below, but this does not seem to work:

<authorization>
        <deny users="*" />
             <add accessType="Allow" roles="DOMAIN\GroupTest" />

        </authorization>

Any advice how to implement this is much appreciated!

Jiri Tousek
  • 12,211
  • 5
  • 29
  • 43
Blade1
  • 53
  • 1
  • 2
  • 4

1 Answers1

9

You need to change your configuration as follows:

<configuration>
  <system.web>
    <!-- ... -->
    <authorization>
      <allow roles="DOMAIN\GroupTest" />
      <deny users="*" />
    </authorization>
    <!-- ... -->
  </system.web>
</configuration>

As described in this article, ASP.NET looks for a matching allow or deny rule when granting access. If a matching allow rule is encountered first, access is granted.

Markus
  • 20,838
  • 4
  • 31
  • 55
  • Hmmm I get an error stating the related configuration data is not valid: – Blade1 Dec 03 '15 at 15:18
  • The documentation shows that the `authorization` element needs to be placed unter `system.web` can you try this? See this part of the documentation: https://msdn.microsoft.com/en-us/library/acsd09b0(v=vs.100).aspx#Anchor_2 – Markus Dec 03 '15 at 15:28
  • this works for me. I had to switch the allow to go first before the deny. – Wen W Sep 21 '17 at 15:45