Active Directory Group Authentication

I am trying to lock it down a internal only website so only two Active Directory Security Group in our domain have access, and I cannot understand what I’m doing wrong.   If the Active Directory User account is listed in one of the two Security Group the User gets access to the site and if the user is not listed in the group, they get routed to a custom Access Denied page. (Not the Windows Pop-up authentication box asking for the user ID and password)  I guess I just don’t understand what I’m reading... (main thing is i don't want the windows pop-up)  I'm very new to coding... I'm just a everyday Server/Exchange admin.

Any good examples someone can point me to?  maybe a App_Start file, or something in the Global.asax

 IIS 8 windows 2012 server
Using ASP Master Pages if that helps

Site I have been reading
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian MurphyIT ArchitectCommented:
IIS 8.

Authentication Type "Integrated Logon"

Easy way.  Create a NTFS group that is a Domain Local Group and add those two users.

On the physical virtual directory path remove "Users" and so forth and add your IIS_SiteABC_ALLOW_DLG

Set the NTFS permissions to Read and Execute

You might be getting .NET related ADO / other permissions back to a SQL database or what not.

For typical ASP.NET you setup Integrated on the "Site" in IIS 8 Inet Mgr and take off Anonymous and remove IIS_Anon user and leave Administrators, System, Network Service, and your DLG.

Unless I'm missing something, that is how I have most of my ASP.NET sites configured.

Good example is Citrix Storefront, Citrix Web Interface, and other ASP.NET sites I built in Visual Studio.

You get the Popup because it is trying to use NTLM Authentication, disable that.

Also, big big catch here.  That site, must be in INTRANET ZONES OR INTERNET ZONE and security in that ZONE MUST BE "Use Local Username and Password"

That gets a lot of people.

From the client browser, it sees FQDN and unless you disable it on GPO (almost impossible) that will be Internet, Intranet, or Trusted.

You want that to show up in INTRANET if internal.  Intranet must be set to Security, and screenshot 2

So, screenshot 1 is Internet Options for IE.  The default for Trusted, Intranet and Internet is NOT set to the one highlighted
Automatically logon with username and password

This ONLY applies to domain joined machines.

Otherwise, you get a NTLM Challenge Response.

You want to turn that off and set Integrated on your web server.  Integrated on your browser

1, 2 3....Click Intranet, Add Site, Set Automatically logon

Which is toward the bottom

Sounds simple, but happens a lot.  Not a coding issue.  Windows Integrated Logon permission issue.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
POOK-101Author Commented:
I'm going to test out the steps above, but I don't have access to change any IE settings. (Company policy locks them down)  Any other way without having to worry about changing IE settings?
Brian MurphyIT ArchitectCommented:
If they use corporate wide GPO then most likely they should have this set because a lot of internal sites use this same authentication.

To find out, open command prompt and type GPRESULT /H C:\TEMP\RESULTS.HTML


That is a verbose output of your GPO Settings.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

POOK-101Author Commented:
Okay... Automatic logon with current username and password (Is Enable) in our policy

Looks to be working  (only testing with one account right now) but I'm still getting the popup.
The Provider is only Negotiate

Any ideas on redirecting users to a Access denied page?
POOK-101Author Commented:
So found out that on the Production Farm, i can't edit the local NTFS permissions.

So i'm looking to a Code way in C# to do this.
Brian MurphyIT ArchitectCommented:
Apologies, on the C# is that for a redirect or you looking for something that will "authenticate" users using LDAP versus Authenticated User?
Big MontyWeb Ninja at largeCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
POOK-101Author Commented:
I ended up reading more about <security> settings with the Web.config in IIS. (took some time to understand it) but it works for me.

                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="Domain\Team A " />
                <add accessType="Allow" roles="Domain\Team A " />

Open in new window

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.