Article ID: 910610 - Last Review: February 21, 2006 - Revision: 1.2

Users who are explicitly denied access to an ASP.NET Web application are still allowed access

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Expand all | Collapse all

SYMPTOMS

When you try to configure role-based permissions in a Microsoft ASP.NET Web application, users who are explicitly denied access to the ASP.NET Web application are still allowed access.

For example, you configure role-based permissions in the Web.config file for the ASP.NET Web application as follows. 
<authentication mode="Windows" />
<authorization>
    <allow users="DOMAIN\UserA" />
    <deny users="DOMAIN\UserB" /> 
</authorization>
However, the ASP.NET Web application allows access for UserB even though you explicitly denied access for UserB in the Web.config file for the ASP.NET Web application.
Back to the top

CAUSE

This problem occurs when Microsoft Windows SharePoint Services is installed on the computer. The Windows SharePoint Services installation adds and removes some HTTP modules from the Web.config file in the top-level content root folder (\Inetpub\wwwroot). These HTTP modules affect user permissions.
Back to the top

WORKAROUND

To work around this problem, include the missing HTTP modules in the Web.config file for the ASP.NET Web application. To do this, add the following lines of code to the Web.config file for the ASP.NET Web application. 
<httpModules>
    <clear />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/>
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule"/>
    <add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
    <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
    <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule"/>
</httpModules>
Back to the top
APPLIES TO
  • Microsoft .NET Framework 1.1
Back to the top
Keywords: 
kbprb KB910610
Back to the top