We have a web application which is hosted in IIS, and it is publicly available to anybody who has an account in our Active Directory (we authenticate the users with AD).

There is one aspx form which should not be accessible from the public internet. If the user's computer is connected to our domain, then that user should be able to access that particular form. Otherwise, the user will be shown an unauthorized access page.

How can I achieve this?

  • You can read the incoming IP address and verify it's from one of your local subnets Commented May 25, 2016 at 19:10
  • Can you give some clue how to do it?? Commented May 26, 2016 at 4:26

1 Answer

So to make sure I understand you right, you have a website where the ONLY way to access anything is verified via Windows security (Active Directory in your case). You're not using explicitly defined users & roles in a web.config nor database. So I'll assume it's safe to say you got your auth figured out, and it's applied to all pages.

Now, you have a particular .aspx page where you want to restrict access to people who are physically in your corporate office(s). These are the same people who already have an AD account and get to your site from their company-issued laptops while working in the field and connecting via VPN, so AD still can do its thing. But you want these aforementioned people to be IN THE OFFICE for this one particular page.

If the above is true, then from the code-behind file in your .aspx (if using webforms) you can read the IP address via:

Console.WriteLine(Request.UserHostAddress);

If you're using MVC with the aspx style rendering engine, same thing applies.

If you read the address and it follows one of these patterns, it is an internal address:

10.x.x.x
172.16.x.x
192.168.x.x

It's on you to figure out which subnet is appropriate.

Now, let's say your problem is that you happen to be using Active Directory to store all your application users whether or not they are actually employed by your company. In that scenario I would imagine that your users punch in some creds, and you feed these into AD via System.DirectoryServices (or whatever you want), but you have one particular page that should only work for actual employees and not the larger user base that happens to coexist within AD. In this scenario, you could fire up a DirectorySearcher for the logged-in user and check if they're part of your Employees security group (you have one, right?), or you can still use the IP-based filter as per the previous scenario.

It doesn't smell right to restrict by internal IP. Would you be better off by splitting this one page into a separate website in IIS on a particular server that is only routable internally?

1 Comment

Thanks a lot. I will try this.
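
One way to implement the IP check described in the answer, as an added example that is not part of the original answer. It goes beyond the three listed patterns by matching against CIDR ranges, failing closed on unparseable input, and unwrapping IPv4-mapped IPv6 addresses; the names InternalNetwork, IsAllowed and AllowedCidrs are hypothetical, and the subnet list is an assumption to replace with your own.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Added example: CIDR allow-list check for the value of Request.UserHostAddress.
public static class InternalNetwork
{
    // Assumption: replace with the subnets your offices actually use.
    // These are the RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.x.x to 172.31.x.x.
    private static readonly string[] AllowedCidrs =
        { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

    public static bool IsAllowed(string userHostAddress)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(userHostAddress, out addr)) return false; // fail closed
        // Dual-stack bindings can report IPv4 clients as ::ffff:a.b.c.d.
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        // Only IPv4 ranges are configured here, so any other family is denied.
        if (addr.AddressFamily != AddressFamily.InterNetwork) return false;
        return AllowedCidrs.Any(c => InCidr(addr, c));
    }

    private static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        uint network = ToUInt32(IPAddress.Parse(parts[0]));
        int prefix = int.Parse(parts[1]);
        // C# masks shift counts to 5 bits, so a /0 prefix needs an explicit case.
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(addr) & mask) == (network & mask);
    }

    private static uint ToUInt32(IPAddress a)
    {
        byte[] b = a.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the page.
        foreach (var s in new[] { "10.20.30.40", "172.31.255.1", "172.32.0.1",
                                  "::ffff:192.168.1.5", "203.0.113.9", "garbage" })
            Console.WriteLine("{0,-22} {1}", s, IsAllowed(s));
    }
}
```

In the page's code-behind, call `InternalNetwork.IsAllowed(Request.UserHostAddress)` early in `Page_Load` and return a 403 when it is false. If the site sits behind a reverse proxy or load balancer, `Request.UserHostAddress` is the proxy's address rather than the client's, so the check has to be made where the real client address is visible.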
