"Wade Mebed" <WadeMebed@discussions.microsoft.com> wrote in message
news:B859D30A-B54F-455F-B7CF-9910DDD08346@microsoft.com...
> We get inconsistent application behavior on Authorization based on NTFS
> ACL
> Permissions.
>
> We implemented an ASP.NET 1.1 web application using NTFS ACL
> Authorization,
> and implemented a security audit logging call in the
> Application_AuthorizeRequest event of the Global.asax:
> protected void Application_AuthorizeRequest(Object sender, EventArgs e)
> {
> AuditLog.LogAccessAttempt();
> }
>
> The audit logging is designed to log access attempts - both authorized and
> unauthorized. For the web application we use integrated windows
> authentication (this is an intranet application). On the web application
> directory NTFS permissions, we add the roles which are authorized to the
> application. In the web.config we configure the authentication and
> authorization as follows:
>
> <authentication mode="Windows" />
>
> <authorization>
> <allow users="*" />
> </authorization>
>
> On the development servers upon which we intitially tested the
> unauthenticated users received 403 HTTP response codes, and their access
> was
> logged by our audit logging mechanism (the call embedded in the
> Application_AuthorizeRequest).
>
> Then we found that on the QA servers, although the unauthenticated users
> received a 401.3 HTTP response code, the audit logging for unauthorized
> access was not executed. Debugging showed that IIS never passed control
> to
> the Application_AuthorizeRequest event. The requests of users who are not
> authorized via NTFS ACL's (yet are authenticated) do not get to the
> Application_AuthorizeRequest event.
>
> We checked that IIS and the NTFS ACL's were configured the same on all
> machines, and that they all ran the same OS and IIS versions: Windows
> Server
> 2000 SP4 and IIS 5.00.
>
> NTFS ACL's included group that needed access with read, read & execute,
> and
> list file contents.
>
> Why do we see this inconsistent behavior?