I have a Web.config file which authenticates a user logging into a webpage, based on his role.
The current implementation is as follows:
<authorization>
    <allow roles="BUILTIN\Administrators" />
    <allow roles="PRIVILEGED" />
    <allow roles="NON_PRIVILEGED" />
    <deny users="*" />
</authorization>
From my understanding, the above implementation should allow users who are Administrators, or those who belong to either of the roles 'PRIVILEGED' or 'NON_PRIVILEGED'. The remaining users, who do not possess any of the above roles, should be denied access, the behavior of which is implemented by the tag <deny users="*" />.
But, I found that the authorized users (who possess the required roles of Administrators/Privileged/Non_privileged) are being denied access to the web page with the message "404-Unauthorized: Access is denied due to invalid credentials"
When I remove the tag <deny users="*" /> from the config file, I could see that the authorized users are able to access the webpage without any problems. The config file looks as follows after removing the <deny users="*" />:
<authorization>
    <allow roles="BUILTIN\Administrators" />
    <allow roles="PRIVILEGED" />
    <allow roles="NON_PRIVILEGED" />
</authorization>
So, the issue is with the tag <deny users="*" />, which seems to be denying access to all users, irrespective of the roles they possess.
From the very basic knowledge I have of web configuration and IIS, I can say <deny users="*" /> is not incorrectly used in the config file. So, I don't have a clue as to why it is denying access to all users.
Currently, we are using IIS version 7.
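As an added illustration (not code from the question or from ASP.NET itself), here is a small Python model of how ASP.NET URL authorization walks the <authorization> rules: top to bottom, first matching rule wins, and if nothing matches the framework default (allow) applies. It assumes case-insensitive user and role comparison and ignores the verbs= attribute. Run against the two sections above, it shows why a caller whose role list comes back empty (roles never populated) is caught by <deny users="*" />, while the same caller is silently allowed once that catch-all is removed.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two <authorization> sections from the question
# (sample text for this example, not read from a live Web.config).
WITH_DENY = """<authorization>
  <allow roles="BUILTIN\\Administrators" />
  <allow roles="PRIVILEGED" />
  <allow roles="NON_PRIVILEGED" />
  <deny users="*" />
</authorization>"""

WITHOUT_DENY = WITH_DENY.replace('  <deny users="*" />\n', "")


def _split(attr):
    """Split a comma-separated users= or roles= attribute into a list."""
    return [v.strip() for v in attr.split(",") if v.strip()] if attr else []


def evaluate(authz_xml, user, roles, authenticated=True):
    """Decide access the way ASP.NET URL authorization does: rules are read
    top to bottom and the first rule that matches wins.  users="*" matches
    every caller, users="?" matches anonymous callers, and a rule carrying
    both users= and roles= matches if either list does.  When no rule
    matches, the framework default (allow) applies.
    Returns (verb, attributes_of_the_deciding_rule)."""
    role_set = {r.lower() for r in roles}
    for rule in ET.fromstring(authz_xml):
        users = _split(rule.get("users"))
        matched = (
            "*" in users
            or ("?" in users and not authenticated)
            or any(u.lower() == user.lower() for u in users)
            or any(r.lower() in role_set for r in _split(rule.get("roles")))
        )
        if matched:
            return rule.tag, dict(rule.attrib)
    return "allow", {}


if __name__ == "__main__":
    # A caller whose role membership was resolved is allowed by its role rule ...
    print(evaluate(WITH_DENY, "alice", ["PRIVILEGED"]))
    # ... but a caller whose roles came back empty (role provider or Windows
    # group lookup not populating them) falls through to <deny users="*" />.
    print(evaluate(WITH_DENY, "alice", []))
    # Without the catch-all the same caller reaches the default and is allowed,
    # which is the "works once the deny is removed" symptom.
    print(evaluate(WITHOUT_DENY, "alice", []))
```

When the deny-all rule appears to block everyone, checking whether the identity actually carries any roles at request time (for example via User.IsInRole in a test page) separates a broken role source from a broken rule list.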