I setup a intranet application based on windows integrated
authentication .
windows integrated authentication checked in IIS
and anonymous access unchecked.
i have used impersonation in my web config file
<identity impersonate="true" >
<authorization>
<allow roles="mydomain\group_a"/>
<deny users="*/>
</authorization>
a User A belongs to group_a but not to group_b
group_b is a group that i have added to SQL server in order to set
permissions on data.
i'm using a trusted connection to the SQL database throught a
webservice.
when i try to access the application in my browser with user A , as A
is member of the group_a , his access is granted to the page but he can
also access data in the database although he doesn't belong to group_b
configured in SQL server to access data.this user A doesn't belong to
any other group and has no login in SQL as well.
Why does this user have access to data although he has neither login
nor belongs to any groups that have access to sql server?
if we are using impersonation=true without any username and login
specified it's normally the authenticated user token that is used to
check the access to SQL server or did i missunderstood the mecanism?
if some could tell me what i did wrong , i would be very grateful.
Thank in advance for any help.
Eric
Similar Threads
