
I ran into this issue about a week ago. I managed to let all Active Directory users log in to the website, but now I want to restrict access to one particular group only, let's say "Group1". I tried the following in web.config, but it always asks for credentials, and even when I supply a valid user's credentials it does not accept them.

   <!-- Windows authentication: the identity checked by the rules below is the one IIS negotiates with the browser. -->
   <authentication mode="Windows" />
  <authorization>
    <!-- NOTE(review): the users attribute is compared with account names, so a group name placed
         here matches nobody and every request falls through to the deny rule below, which shows
         up as repeated credential prompts. Windows groups are matched with the roles attribute,
         i.e. allow roles="DomainName\Group1". -->
    <allow users="DomainName\Group1" />
    <!-- Rules are evaluated in order; this final rule rejects everyone not allowed above. -->
    <deny users="*" />
  </authorization>
</system.web>

I tried most of the solutions suggested online like:

  1. Enabling windows authentication in both IIS and web site
  2. Disable anonymous authentication
  3. If I change the deny rule to ?, all users can log in again, with no restriction to members of Group1

the C# code

   // Fragment of the login handler (its signature is not shown on the page). It walks the
   // appSettings keys, collects a domain name and an LDAP path, and tries the credentials
   // typed into TextBox1/TextBox2 against each pair it finds.
   string dominName = string.Empty;
        string adPath = string.Empty;
        string userName = TextBox1.Text.Trim().ToUpper();
        string strError = string.Empty;

        try
        {
            foreach (string key in ConfigurationSettings.AppSettings.Keys)
            {
                // A key containing "DirectoryDomain" or "DirectoryPath" overwrites the pending
                // value; any other key leaves both values as they were.
                dominName = key.Contains("DirectoryDomain") ? ConfigurationSettings.AppSettings[key] : dominName;
                adPath = key.Contains("DirectoryPath") ? ConfigurationSettings.AppSettings[key] : adPath;

                // Attempt a login only once both halves of a pair have been read.
                if (!String.IsNullOrEmpty(dominName) && !String.IsNullOrEmpty(adPath))
                {
                        if (true == AuthenticateUser(dominName, userName, TextBox2.Text, adPath, out strError))
                        {

                            // NOTE(review): the redirect is the only visible effect of a successful
                            // check; no ticket or session value is set here, so the web.config
                            // authorization rules presumably still judge the browser's Windows
                            // identity rather than this form login - confirm.
                            Response.Redirect("default.aspx");// Authenticated user redirects to default.aspx    
                         }
                    // Reset so the next domain/path pair starts from scratch.
                    dominName = string.Empty;
                    adPath = string.Empty;

                    // An attempt that left no error message ends the loop.
                    if (String.IsNullOrEmpty(strError)) break;
                }
            }

            // Any recorded error is shown as one generic message, which avoids telling the
            // caller whether the user name or the password was wrong.
            if (!string.IsNullOrEmpty(strError))
            {
                Label3.Visible = true;
                Label3.Text = "Wrong username or password";
            }
        }
        catch
        {
            // NOTE(review): this empty catch hides configuration and directory failures;
            // logging the exception server-side would make failed logins diagnosable and auditable.

        }

        finally
        {

        }
    }

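    /// <summary>
    /// Binds to the directory with the supplied credentials and reports whether the account
    /// was found and is a direct member of the required group.
    /// </summary>
    /// <param name="domain">Domain name prefixed to the user name for the bind.</param>
    /// <param name="username">Account name (sAMAccountName) typed by the user.</param>
    /// <param name="password">Password typed by the user.</param>
    /// <param name="LdapPath">LDAP path of the directory to bind to.</param>
    /// <param name="Errmsg">Empty when no error occurred; otherwise the reason for the failure.</param>
    /// <returns>True only when the bind succeeds and the account belongs to the group.</returns>
    public bool AuthenticateUser(string domain, string username, string password, string LdapPath, out string Errmsg)
    {
        // Group named in the question. Matching on the CN alone accepts a group of that name
        // in any container; comparing with the group's full distinguished name taken from
        // configuration is stricter.
        const string requiredGroupCn = "Group1";

        Errmsg = "";

        // Refuse blank credentials before contacting the directory: a bind with an empty
        // password can be handled by a directory server as an unauthenticated bind and
        // succeed without proving who the caller is.
        if (String.IsNullOrEmpty(username) || String.IsNullOrEmpty(password))
        {
            Errmsg = "User name and password are required.";
            return false;
        }

        string domainAndUsername = domain + @"\" + username;

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(LdapPath, domainAndUsername, password))
            {
                // Reading NativeObject forces the bind; wrong credentials throw here.
                Object obj = entry.NativeObject;

                using (DirectorySearcher search = new DirectorySearcher(entry))
                {
                    // The original assigned the filter twice, so only "(Group1=...)" was used;
                    // that names no directory attribute and matched nothing. The user name is
                    // escaped because it is untrusted text placed inside filter syntax.
                    search.Filter = "(sAMAccountName=" + EscapeLdapFilterValue(username) + ")";
                    search.PropertiesToLoad.Add("memberOf");
                    search.PropertiesToLoad.Add("cn");

                    SearchResult result = search.FindOne();

                    if (null == result)
                    {
                        return false;
                    }

                    // memberOf lists direct memberships only; nested groups and the primary
                    // group do not appear in it.
                    if (result.Properties.Contains("memberOf"))
                    {
                        string groupPrefix = "CN=" + requiredGroupCn + ",";

                        foreach (object groupDn in result.Properties["memberOf"])
                        {
                            if (groupDn.ToString().StartsWith(groupPrefix, StringComparison.OrdinalIgnoreCase))
                            {
                                return true;
                            }
                        }
                    }

                    // Valid credentials but not in the group: report it so the caller can show
                    // its generic failure message instead of silently doing nothing.
                    Errmsg = "User is not a member of the required group.";
                    return false;
                }
            }
        }
        catch (Exception ex)
        {
            // Callers rely on a false return rather than an exception; the statement that
            // followed the return in the original was unreachable and has been dropped.
            Errmsg = ex.Message;
            return false;
        }
    }

    // Escapes the characters that have a meaning inside an LDAP search filter (RFC 4515).
    private static string EscapeLdapFilterValue(string value)
    {
        // The backslash is replaced first so the escapes added afterwards are not re-escaped.
        return value
            .Replace("\\", "\\5c")
            .Replace("*", "\\2a")
            .Replace("(", "\\28")
            .Replace(")", "\\29")
            .Replace("\0", "\\00");
    }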

I hope someone can help me solve this issue.

Saif
  • Your web.config looks correct to me; probably there is some other problem. Also, about your 3 steps, you're probably going in the wrong direction; try sticking to your actual web.config rule. – Am_I_Helpful Aug 27 '17 at 20:03
  • I tried most of the possible solutions but it didn't restrict to the given group name. It just keep allowing all user to login in case, I changed from the group to one user only in allow tags. – Saif Aug 28 '17 at 04:02
  • I also used User.IsInRole("Domain\Group1"); before authenticating the user on the login page, but it didn't accept the username and password – Saif Aug 28 '17 at 04:06
