0
votes

I've got a web.config file for an ASP.NET app that allows users in the "DOMAIN\#All Blub Users" group access. However, they get prompted for credentials and ultimately get an "access is denied" message.

However, if I add a user to a test group "DOMAIN\Blub Users" and change web.config, the user is able to access the site.

Do I need to escape that leading hash symbol in the group name? I know you do in Active Directory when it comes to the Distinguished Name (with a slash or its hex value in parens).

Example web.config

<configuration>
    <system.web>
        <authorization>
            <allow roles="DOMAIN\#All Blub Users,DOMAIN\Blub Users" />
        </authorization>
...

Thanks.

1 Answer

0
votes

This isn't a particularly satisfying answer but here goes.

I created a new AD security group called "DOMAIN\Blub Webapp Users", then added "DOMAIN\#All Blub Users" to it. Now the relevant line in web.config looks like:

<allow roles="DOMAIN\Blub WebApp Users" />

Now, users in the "DOMAIN\#All Blub Users" group can access the app.

Lesson: Don't add AD groups with hashes in the Name (or Distinguished Name) to web.config roles.

Hope this helps someone.
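
A diagnostic for the situation described in this thread, added here as an example and not part of the original question or answer: run as an affected user, it checks each role string from web.config three ways (does the name resolve to a SID, is that SID in the user's token, and does the name-based role check succeed). The variable names and the report layout are assumptions; the role strings are the ones quoted in the question.

```powershell
# Added diagnostic, not from the original post. Run as an affected user on a
# domain-joined machine; the role strings are the ones quoted in the question.
$roles = @('DOMAIN\#All Blub Users', 'DOMAIN\Blub Users')

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

$report = foreach ($role in $roles) {
    $row = [ordered]@{
        Role = $role; Sid = $null; ReportedName = $null
        InTokenBySid = $false; IsInRoleByName = $false; Error = $null
    }
    try {
        # 1. Does the string from web.config resolve to a SID at all?
        $account = New-Object System.Security.Principal.NTAccount($role)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $row.Sid = $sid.Value

        # 2. What name does Windows report back for that SID?
        $row.ReportedName = $sid.Translate([System.Security.Principal.NTAccount]).Value

        # 3. Is the SID present in this user's token (direct or nested membership)?
        $row.InTokenBySid = $principal.IsInRole($sid)
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $row.Error = 'name does not resolve to a SID'
    }

    # 4. The name-based check, using the exact string written in web.config.
    $row.IsInRoleByName = $principal.IsInRole([string]$role)

    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

A row where InTokenBySid is True but IsInRoleByName is False means the user is a member and the failure lies in matching the name; a row with an Error means the string itself could not be resolved.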