AD Security

Jul 24, 2008 at 6:41 AM
Hello,

This is my first time using AD users. From debugging, it seems like the TicketDesk system is not recognizing the groups a user belongs to. I have created three groups in AD, Submitter, HelpDesk, HelpDeskAdmin and they match with the key values in the web config.

The reason I think it's not recognizing the groups is, when I change authorization in web config to allow all authenticated users it works fine. When I change it back to only allow users in one of these groups I get an error saying access denied.

Where can I start looking for the problem?
Coordinator
Jul 24, 2008 at 5:44 PM
I suppose the first thing is to make sure that users are assigned to the AD groups that you have created.  I'd need more details about your error message and configuration to know more. I would try something a little more telling. Does the system work if you set the authorization to allow roles="domain\domain users" ?
Jul 31, 2008 at 2:13 AM
Edited Jul 31, 2008 at 5:24 AM
This is the error I get. I am temporarily using our administrator account to read from AD.

Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.


But if I change this section in web.config

    <authorization>
        <allow roles="Submitter"/>
        <allow roles="HelpDesk"/>
        <allow roles="HelpDeskAdmin"/>
        <deny users="*"/>
    </authorization>

to this, it works fine with AD. But the appropriate group is not recognized.

    <authorization>
        <allow roles="Submitter"/>
        <allow roles="HelpDesk"/>
        <allow roles="HelpDeskAdmin"/>
        <deny users="?"/>
    </authorization>

Coordinator
Jul 31, 2008 at 4:40 AM
Edited Aug 6, 2008 at 4:22 AM
Well, the good news is that the problem has nothing to do with TicketDesk specifically, nor with the way the TicketDesk code accesses AD. Your problem appears to be with the ASP.NET authorization module. This means you will get the same error in any application that you set up with Windows authentication and tried to use these roles in the authorization section of web.config. It also means you can troubleshoot without having to worry about TicketDesk's specific configuration.

Generally this kind of problem is one of these:

1) The client browser's user is not a member of the groups you specified for allow roles.
2) The server computer isn't a member of the domain where these accounts and groups reside.
3) The configuration in IIS on the server doesn't allow integrated security (for testing, turn off all other authentication for the site or virtual directory).
4) The client system does not recognize the URL as being on the local intranet zone. It may not be passing credentials to the server.
5) The client or server is connected to the internet via a proxy server that isn't passing your authentication.
6) It is a stretch, but also check to ensure that the asp.net user account (usually "network service") has read access to the folder where the TicketDesk web site is pointed.

There are plenty of causes. I suggest a Google search on the error message "Unauthorized: Logon failed due to server configuration".

These are two popular links for this kind of problem:

     http://support.microsoft.com/kb/253667

     http://windowsitpro.com/article/articleid/74301/jsi-tip-2982-http-4012---unauthorized-logon-failed-due-to-server-configuration-on-your-intranet.html

In troubleshooting this one, I would recommend setting up the bare minimum site you can... a single Default.aspx page with no code and a stock web.config file with just the minimum stuff necessary. Then add in the authentication and authorization settings. In other words, eliminate TicketDesk itself then treat the problem as a general IIS/ASP.NET/Windows issue.
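
A diagnostic Default.aspx for the bare-minimum test site described in this thread, as an added example that is not part of the original posts and is not TicketDesk code. It reports what ASP.NET sees for the signed-in user: the identity, the result of `IsInRole` for the three role names from the thread (both as written and in the `domain\group` form mentioned above), and the groups in the Windows logon token. It assumes Windows authentication, that the groups live in the same domain as the user account, and that the page is requested under the `<deny users="?"/>` configuration so an authenticated user can reach it.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Role names copied from the <allow roles="..."/> entries in the thread.
    static readonly string[] Roles = { "Submitter", "HelpDesk", "HelpDeskAdmin" };

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";   // plain text, so no HTML encoding is needed
        Response.Write("User:           " + User.Identity.Name + "\r\n");
        Response.Write("Authenticated:  " + User.Identity.IsAuthenticated + "\r\n");
        Response.Write("Auth type:      " + User.Identity.AuthenticationType + "\r\n");
        Response.Write("Principal type: " + User.GetType().FullName + "\r\n\r\n");

        // Assumption: the groups are in the same domain as the user account,
        // so the prefix of DOMAIN\user is reused to build DOMAIN\group.
        string name = User.Identity.Name;
        int slash = name.IndexOf('\\');
        string domain = slash > 0 ? name.Substring(0, slash) : null;

        // The same IsInRole question, asked for the plain and the qualified name.
        foreach (string role in Roles)
        {
            Response.Write("IsInRole(\"" + role + "\") = " + User.IsInRole(role) + "\r\n");
            if (domain != null)
            {
                string qualified = domain + "\\" + role;
                Response.Write("IsInRole(\"" + qualified + "\") = " + User.IsInRole(qualified) + "\r\n");
            }
        }

        // Groups actually present in the Windows logon token.
        WindowsIdentity wi = User.Identity as WindowsIdentity;
        if (wi == null || wi.Groups == null) return;
        Response.Write("\r\nGroups in token:\r\n");
        foreach (IdentityReference sid in wi.Groups)
        {
            try { Response.Write("  " + sid.Translate(typeof(NTAccount)).Value + "\r\n"); }
            catch (IdentityNotMappedException) { Response.Write("  " + sid.Value + " (unresolved SID)\r\n"); }
        }
    }
</script>
```

If a group shows up under "Groups in token" but the matching `IsInRole` line is False, the role name in web.config does not match the name ASP.NET resolves; if the group is missing from the token, the membership itself (cause 1 in the list above) is the place to look.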