Solved

ASP folder security won't accept anything but "everyone" group

Posted on 2014-11-07
93 Views
Last Modified: 2014-12-07
I have a folder with some asp pages. I want to use folder permissions to control who can view these asp pages. If I go to the folder and just add a few users and try to access the asp pages using a computer logged in as those users I get:

401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

The only way I am able to access the asp pages is if I add the "everyone" group.

Why?
0
Question by:princeservice
17 Comments
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428578
what kind of authentication are you using for your site, windows or anonymous?
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428582
also, what version of iis are you running?
0
 
LVL 52

Accepted Solution

by: Scott Fell, EE MVE earned 500 total points
ID: 40428599
The best thing to do is give access to the everyone group.  

You want to set up security on your pages.

Let's say you have a log in page where you assign a user level and perhaps pick up the level from the database.  Then assign a session named userlevel like this.
<%
' set on the login page once the user is authenticated and their level has been read from the database
session("userlevel") = "level1"
%>


Then at the top of every page that requires "level1" security add the following code.  It will redirect back to another page if they are not allowed.  
<%
' placed at the top of every page that requires "level1"; anyone else is sent back to Home.asp
if session("userlevel") <> "level1" then
    response.redirect "Home.asp"
end if
%>


There are many ways to handle security, this was just an ultra simple example.
0
 

Author Comment

by:princeservice
ID: 40428607
iis7 and anonymous for the default website, application, and folder in application.

Capture.JPG
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell, EE MVE earned 500 total points
ID: 40428615
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428619
I disagree 100% with Scott's suggestion. Why write code for a feature that already exists and just needs a proper configuration in IIS to work?

you need to turn off anonymous access and turn on windows authentication - http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428625
after that make sure you have the desired users set to access the folder in the website
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40428635
Well it is a good thing you don't disagree less than 100%, then you would be wishy washy.

It really depends on what you are doing.

I have personally never used that method and was taught it was not very secure.  Even in that link BM provided:
Windows authentication is not appropriate for use in an Internet environment, because that environment does not require or encrypt user credentials.

If this is closed to the outside and only people on an internal network can get to it, probably fine. But there are better ways to deal with this.
0
 

Author Comment

by:princeservice
ID: 40428649
Alright alright, no fighting. lol. Scott, I intend on using your method in the near future. Looking for something kinda quick and ugly now. Need to get a hold of all the pages I have done and make a better plan. Big Monty, I will try that in the next couple of hours. Get back soon.

Experts Exchange is moving fast today
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428657
Well it is a good thing you don't disagree less than 100%, then you would be wishy washy.

why scott, I think that's the nicest thing you ever said to me! :)

I was assuming it was for an internal app because of the mention of windows apps. I agree if it's for external use it isn't very secure
0
 

Author Comment

by:princeservice
ID: 40428935
I installed windows authentication and set the folder. I gave myself permission, went to the page, it asked for my credentials and then let me in. Great... but it would be nice if it knew who I was logged in as on the computer and did not ask for my credentials.

Asking too much?
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40428946
i guess some more details of your app would be helpful. are you using active directory? is it an external or internal app?
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40428997
All you are doing is setting folder permissions.

That is where having a log in system is really what you need and not windows security.  


You can do this by using a database of login users or you can use the active directory but the idea is still the same.  You put the security on the page.

What I do is create a separate security page and add it to the top of each page as an include file.
<!--#include file="security.asp"-->


My security asp file will read the current page http://classicasp.aspfaq.com/files/directories-fso/how-do-i-get-the-name-of-the-current-url/page.html and the session or cookie of the "logged in" user.

I have a database table of each page and the user group I assigned to them.  If they are on a page they are not supposed to be, they get redirected.  But my navigation is also based on the user so it would be hard for the wrong user to end up on a page they shouldn't be on.

If you look at the link about gathering the URL information, you can use one of the items below to read whether you are currently in the invoice folder just by the URL.  Then use that to determine if the user is allowed or not.
    Response.Write Request.ServerVariables("SCRIPT_NAME") & "<br>" 
    Response.Write Request.ServerVariables("PATH_INFO") & "<br>" 
    Response.Write Request.ServerVariables("URL") & "<br>" 



You don't have to use a database.  You can just hard code the data to the security.asp page if you just have a few users.  Doing this via a db will be easier to manage for many users or frequent changes.  

You could just create a dictionary as your db on the security page http://www.w3schools.com/asp/asp_ref_dictionary.asp
' assume the logged-in user is princeservice and the required access level is Level_red
session("user") = "princeservice"

' hard-coded user -> level table standing in for a database
Set d = Server.CreateObject("Scripting.Dictionary")
d.Add "padas", "Level_red"
d.Add "Big Monty", "level_blue"
d.Add "princeservice", "level_green"

' redirect anyone whose level is not Level_red
if d.Item(session("user")) <> "Level_red" then
   response.redirect "somepage.asp"
end if


Like I said, there are many ways to do this by using the AD, a db or coded on page.  But you do need to have the  page security on the page to make it smooth. More coding for you, but easier on the users.
0
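The pieces Scott describes above (an included security.asp, the current URL from Request.ServerVariables, and a dictionary standing in for the user table) fit together as follows. This is an added example, not Scott's actual include file; the folder names, the user names and their levels, and the login.asp redirect target are all constructed for illustration.

```asp
<%
' security.asp (added example): include at the top of every page with
' <!--#include file="security.asp"-->. Works out which level the current
' folder needs, looks up the logged-in user's level, and redirects on mismatch.

Function RequiredLevel(scriptPath)
    ' Constructed folder-to-level map; a database table would replace this.
    Dim folders, i
    folders = Array( _
        Array("/invoice/", "level_red"), _
        Array("/reports/", "level_green"), _
        Array("/admin/",   "level_blue"))
    RequiredLevel = ""                      ' empty string = folder is not restricted
    For i = 0 To UBound(folders)
        If InStr(1, scriptPath, folders(i)(0), vbTextCompare) > 0 Then
            RequiredLevel = folders(i)(1)
            Exit For
        End If
    Next
End Function

Function UserLevel(userName)
    ' Constructed user table, hard-coded as the thread suggests for a handful of users.
    Dim d
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare           ' user names are matched case-insensitively
    d.Add "padas",         "level_red"
    d.Add "Big Monty",     "level_blue"
    d.Add "princeservice", "level_green"
    If d.Exists(userName) Then
        UserLevel = d.Item(userName)
    Else
        UserLevel = ""                      ' unknown user holds no level at all
    End If
End Function

Function IsAllowed(scriptPath, userName)
    Dim needed
    needed = RequiredLevel(scriptPath)
    If needed = "" Then
        IsAllowed = True                    ' unrestricted folder
    ElseIf userName = "" Then
        IsAllowed = False                   ' nobody is logged in
    Else
        IsAllowed = (StrComp(UserLevel(userName), needed, vbTextCompare) = 0)
    End If
End Function

' Deny by default: anyone not explicitly allowed on this folder goes to the login page.
' Session("user") & "" turns an unset (Empty) session value into an empty string.
If Not IsAllowed(Request.ServerVariables("SCRIPT_NAME"), Session("user") & "") Then
    Response.Redirect "login.asp"
End If
%>
```

Because the check runs before the including page writes any output, Response.Redirect can still send the header; the decision is based on SCRIPT_NAME, which is the path of the page actually executing, so the same include works unchanged in every folder.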
 

Author Comment

by:princeservice
ID: 40429027
I can see using the login page and will. Problem is I am dealing with several people who will be accessing these pages 20-30 times a day and they will get aggravated if they have to log in all the time. That's why it seemed so much easier just to allow or deny them when they click a link.

This is an internal app only. I am basically writing reports from data in a SQL Server database. The data in the database is supplied by a program we use called Jobboss. We find it faster and easier to get the data we want and formatted the way we want with asp pages rather than using the Jobboss built-in reporting (Crystal Reports).

Yes I use active directory.
0
 

Author Comment

by:princeservice
ID: 40429032
Right now I am handling security by only giving the asp link to people who should be accessing the report. Anybody who gets the link can access the data. I would at least like to narrow it down to being able to access the data based on the credentials they used to login to their computer. That is why I don't understand why we are having to put in the credentials again.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40429076
if you need to get this up and running quickly, you can look into querying active directory using ldap. keep in mind this can be a complicated subject for new users, especially if you're not familiar with the inner workings of AD. Besides several good threads here on EE (just do a search in the Classic ASP zone for "ldap" and you'll get a bunch of results), you can follow this tutorial as well:

http://www.serverwatch.com/tutorials/article.php/1476961/Accessing-Active-Directory-via-Active-Server-Pages-Part-1.htm

if you only have 20-30 people for a small internal app, you may consider just building your own login system. You can always create a cookie on their system that will remember their user info (if you don't want them to keep having to log in), and will probably take you less time to bang out than using ldap, depending on your skills.
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40429110
For time out problems, using a cookie solves this issue.  If you use a session, you can set the session time out http://www.w3schools.com/asp/asp_sessions.asp  to whatever you want.
Session.Timeout=30 '30 minutes


The gotcha on this is the idle time out.    You know, the 5 minutes when you are staring at the screen thinking about what to type, then you go to town and spend another 5 minutes typing something into a wysiwyg only to get bonked with not being logged in.   You can't set the idle time out in code as far as I know. You have to set it in iis app pool.  http://technet.microsoft.com/en-us/library/cc771956(v=ws.10).aspx

With cookies you can set it for hours, days, weeks  http://www.w3schools.com/asp/asp_cookies.asp
Response.Cookies("user")="princeservice"
Response.Cookies("user").Expires=dateadd("d",5,date) ' 5 days from now


With an internal function, I wouldn't worry about encrypting the cookies, but if there is even the possibility this can be seen or used outside, you would want to hash or encrypt.
0
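The cookie round trip Scott sketches above, as an added example rather than code from the thread: the login page calls RememberUser after a successful login, and each protected page calls RestoreUserFromCookie before its security check so the session is rebuilt silently instead of asking for credentials again. The cookie name "user", the 30-minute session timeout and the procedure names are assumptions for this example.

```asp
<%
' Added example: persist the login in a cookie and rebuild the session from it.

Sub RememberUser(userName, days)
    ' Expires makes the cookie persistent so it survives a browser restart;
    ' Path = "/" sends it to every page of the site, not just the login folder.
    Response.Cookies("user") = userName
    Response.Cookies("user").Expires = DateAdd("d", days, Date)
    Response.Cookies("user").Path = "/"
End Sub

Sub RestoreUserFromCookie()
    Dim cookieUser
    ' Only consult the cookie when the server-side session has already expired.
    If IsEmpty(Session("user")) Then
        cookieUser = Request.Cookies("user")    ' "" when the cookie is absent
        If cookieUser <> "" Then
            ' The cookie carries the bare user name, which Scott accepts only for an
            ' internal app; anything reachable from outside should carry a hashed or
            ' encrypted value and validate it here before trusting it.
            Session("user") = cookieUser
        End If
    End If
End Sub

Sub ForgetUser()
    ' Logout: expire the cookie in the past and drop the session.
    Response.Cookies("user") = ""
    Response.Cookies("user").Expires = DateAdd("d", -1, Date)
    Session.Abandon
End Sub

Session.Timeout = 30    ' minutes of inactivity before the server drops the session
RestoreUserFromCookie   ' must run before any page-level security check
%>
```

With this in place the short session timeout only costs the user a cookie lookup, and the cookie's own expiry (days, as set in RememberUser) becomes the real limit on how long they stay logged in.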
