DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 815151 - Last Review: July 15, 2004 - Revision: 3.4

On This Page

SUMMARY

This step-by-step article describes how to restrict specific users from gaining access to specified Web resources.

Web applications that are based on ASP.NET provide many ways for users to be authenticated and authorized to gain access to resources. The way that you restrict access to resources varies, depending on the authentication method that you use. For example, for an application where you use Microsoft Windows authentication and you enable impersonation, you can use NTFS file permissions for access control. However, for an application where you use forms authentication, you must modify the Web.config file to restrict access. This article describes how to control authorization for both of these ASP.NET authentication methods.

Control Authorization by Using File Permissions

For ASP.NET Web applications where you use Windows authentication and you enable impersonation, you can use standard NTFS file permissions to require authentication and to restrict access to the files and folders:
  • To require authentication, remove the ASPNET user account’s access permissions for the file or folder.
  • To restrict access to specific Windows user accounts or group accounts, grant or deny Read NTFS file permissions to files or folders.


For additional information about how to use NTFS permissions to control authentication and authorization, click the following article number to view the article in the Microsoft Knowledge Base:
300985  (http://support.microsoft.com/kb/300985/EN-US/ ) How To Configure User and Group Access on an Intranet in Windows NT 4.0 or Windows 2000

Control Authorization by Modifying the Web.config File

To restrict access to ASP.NET applications that use forms authentication, edit the <authorization> element in the application’s Web.config file. To do this, follow these steps:
  1. Start a text editor, such as Notepad, and then open the Web.config file that is located in the application’s root folder.

    Note If the Web.config file does not exist, create a Web.config file for the ASP.NET application.
  2. If you want to control authorization for the whole application, add the <authorization> configuration element to the <system.web> element in the Web.config file.
  3. In the <authorization> element, add the <allow> configuration element and the <deny> configuration element. Use the users attribute to specify a comma-delimited list of user names. You can use a question mark (?) as a wildcard character that matches any user name. For example, the following code denies access to all users except user1 and user2:
    <authorization>
        <allow users="user1, user2"/>
        <deny users=”?”/>
    </authorization>
  4. Save the Web.config file.

    Note For more information about configuring directory-specific and file-specific settings, see the References section of this article.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736  (http://support.microsoft.com/kb/315736/ ) How To Secure an ASP.NET Application by Using Windows Security
315588  (http://support.microsoft.com/kb/315588/ ) How To Secure an ASP.NET Application Using Client-Side Certificates
815178  (http://support.microsoft.com/kb/815178/ ) How To Edit the Configuration of an ASP.NET Application
815179  (http://support.microsoft.com/kb/815179/ ) How To Create the Web.config File for an ASP.NET Application
815174  (http://support.microsoft.com/kb/815174/ ) How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application
818014  (http://support.microsoft.com/kb/818014/ ) How To Secure Applications That Are Built on the .NET Framework

APPLIES TO
  • Microsoft ASP.NET 1.0
  • Microsoft ASP.NET 1.1
Keywords: 
kbweb kbacl kbvalidation kbconfig kbuser kbhowtomaster KB815151
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support