IIS - Block Access to ASPX Page via AD Group Membership

Hi Experts,

QUESTION

How can we ensure that ONLY people who are part of the ExecutiveWeb group can load ASPX pages from /DotNet/Executive folder when prompted via Basic Authentication?


BACKGROUND INFO

This is an INTRANET site being migrated from a 2003 server to 2012 R2
It is 99% working properly - but one security piece is not
The site contains a mixture of classic ASP and ASP.net pages
This question is specific to the ASP.net portion of the site
Application Pool runs under a domain user account (e.g. CorpWebID)
The CLR is .NET 4.0
DotNet folder is an application housing all aspx files
Under DotNet folder, there is a folder called Executive with restricted access pages - entire Executive folder is locked by custom ACL (e.g. domain users group removed)
Example directory structure is as follows:

Default WebSite
default.asp
executivemenu.asp
- DotNet Folder   (the Application folder - contains all the aspx files)
--Executive Folder    (locked down by ACL - group membership)
---execstats.aspx

Entire site uses SSL (again this is internal only)

Anonymous authentication is disabled on the /DotNet/Executive folder - only thing enabled is "Basic Authentication" to force logon

The Executive folder is locked down by ACL so only people in a "ExecutiveWeb" AD group should be able to access files

The CorpWebID is also on the Executive folder's ACL list - we found it doesn't work properly otherwise because Application Pool's Identity ID is CorpWebID.  No one authenticates with this ID - it is basically a service account.

Access to the executive folder's pages is largely handled via a main menu that is classic ASP (executivemenu.asp) and hyperlinks for executive ASP.net pages point to the /DotNet/Executive folder.

When prompted to log into the ExecutiveMenu - if you are not in the ExecutiveWeb group - it stops you like it should.  Most people would back off if they fail authentication for the ExecutiveMenu.asp page.  

However, internal testing prior to migration has detected that if someone were to type in the exact URL of a page under /DotNet/Executive - for example, executivestats.aspx - they get prompted for authentication - and as long as they type in ANY valid domain user ID and password - the page loads.

This is a problem - I know the Application Pool works under the identity ID which has been specified in settings (e.g. CorpWebID), and that is likely why the page can load.  However, I don't understand why it gets this far since the Basic Authentication of the page should determine that the random domain user we are authenticating with as a test does NOT have ACL permissions to ExecutiveStats.aspx because his ID is not in the ExecutiveWeb group.
dpmoneyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dpmoneyAuthor Commented:
Well, no one responded to this question and I did a ton of trial and error testing to figure it out over the weekend.  Here is the solution that worked.  

The DotNet folder is an application with identity set to run under the service account mentioned above (CorpWebID)

The /Executive folder under the DotNet folder needed to ALSO be converted to an application as well.  I had to change identity to impersonate vs. letting it work under the service account.  By doing so, I was able to remove the service account from the ACL list of the /Executive folder in the file system and only keep the 'ExecutiveWeb' AD group.  

Finally, I had to do some updating to the Web.Config file in the /Executive folder to make this all work.  Here is what I did in case it helps anyone in the future:

Original Web.Config:

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <system.web>
              <identity impersonate="false" />
          </system.web>
      </configuration>


New Web.Config with names changed for anonymity:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
            <authentication mode="Windows"/>
            <identity impersonate="true"/>
            <authorization>
                  <allow roles="FAKEDOMAIN\ExecutiveWeb" />
                  <deny users="*" />
            </authorization>
    </system.web>
</configuration>
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.