Users who are explicitly denied access to an ASP.NET Web application are still allowed access (910610)


The information in this article applies to:

  • Microsoft .NET Framework 1.1

SYMPTOMS

When you try to configure role-based permissions in a Microsoft ASP.NET Web application, users who are explicitly denied access to the ASP.NET Web application are still allowed access.

For example, you configure role-based permissions in the Web.config file for the ASP.NET Web application as follows. 
<authentication mode="Windows" />
<authorization>
    <allow users="DOMAIN\UserA" />
    <deny users="DOMAIN\UserB" /> 
</authorization>
However, the ASP.NET Web application allows access for UserB even though you explicitly denied access for UserB in the Web.config file for the ASP.NET Web application.

CAUSE

This problem occurs when Microsoft Windows SharePoint Services is installed on the computer. The Windows SharePoint Services installation adds and removes some HTTP modules from the Web.config file in the top-level content root folder (\Inetpub\wwwroot). These HTTP modules affect user permissions.

WORKAROUND

To work around this problem, include the missing HTTP modules in the Web.config file for the ASP.NET Web application. To do this, add the following lines of code to the Web.config file for the ASP.NET Web application. 
<httpModules>
    <clear />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/>
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule"/>
    <add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
    <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
    <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule"/>
</httpModules>
Modification Type:MajorLast Reviewed:2/21/2006
Keywords:kbprb KB910610 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.