Allow allow AD Group access

Question

I have an ASP.NET website and I would like to only allow users in an AD group access to the site. I am using a web.config snippet as below, but this does not seem to work:

<authorization>
        <deny users="*" />
             <add accessType="Allow" roles="DOMAIN\GroupTest" />

        </authorization>

Any advice how to implement this is much appreciated!

Answer 1

You need to change your configuration as follows:

<configuration>
  <system.web>
    <!-- ... -->
    <authorization>
      <allow roles="DOMAIN\GroupTest" />
      <deny users="*" />
    </authorization>
    <!-- ... -->
  </system.web>
</configuration>

As described in this article, ASP.NET looks for a matching allow or deny rule when granting access. If a matching allow rule is encountered first, access is granted.