I'm trying to set up our websites to only allow access from users in certain AD groups using Windows authentication, but I can't seem to make it work. I've tried using IIS's authorization and restricting it to those groups only, but I don't have access from users that are in those groups. This seems like something that's supported, but I can't get it to work.
The pages are completely in .NET as well, so I've tried specifying
<identity impersonate="true"/>
<authentication mode="Windows" />
<authorization>
    <allow users="Domain\ProgramUsers"/>
    <deny users="?"/>
</authorization>
in the web.config but then it allows people in who aren't part of the Program Users group, which doesn't make a lot of sense to me.
I think you need to specify:
At the moment you're blocking access only to non-authenticated users, i.e. regardless of group membership.
Try using
<allow roles="domain\group"/>
instead of <allow users="domain\group"/>
like mikrose suggested. It's how we have it set up on some of our internal sites and it seems to be working for us along with the <deny users="*"/>
and we do not have impersonate explicitly set.
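To see why the original <authorization> block lets every authenticated domain user through while the roles-based variant does not, the following added example (not code from either poster) models the first-match rule evaluation that ASP.NET URL authorization applies: rules are read top to bottom, the users attribute matches account names (with "?" meaning anonymous and "*" meaning everyone), the roles attribute matches group membership, and a caller that matches no rule at all is allowed by the machine-level default. The account names, the group name Domain\ProgramUsers, and the evaluate/decisions functions are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the original poster's block and the roles-based fix.
ORIGINAL = r"""<authorization>
    <allow users="Domain\ProgramUsers"/>
    <deny users="?"/>
</authorization>"""

FIXED = r"""<authorization>
    <allow roles="Domain\ProgramUsers"/>
    <deny users="*"/>
</authorization>"""

# Constructed sample callers: (label, account name, group memberships, authenticated?)
CALLERS = [
    ("member", r"Domain\alice", {r"Domain\ProgramUsers"}, True),
    ("non-member", r"Domain\bob", set(), True),
    ("anonymous", None, set(), False),
]


def _split(attr):
    """Split a comma-separated users/roles attribute into its entries."""
    return [item.strip() for item in attr.split(",") if item.strip()]


def evaluate(authorization_xml, name, groups, authenticated=True):
    """Return True if access is allowed, False if denied.

    First-match semantics (assumption modelled on ASP.NET URL authorization):
    the first <allow>/<deny> whose users or roles attribute matches the caller
    decides; if no rule matches, access is allowed (machine-level default).
    """
    root = ET.fromstring(authorization_xml)
    for rule in root:
        matched = False
        for user in _split(rule.get("users", "")):
            if user == "*":
                matched = True                      # everyone, anonymous included
            elif user == "?":
                matched = matched or not authenticated   # anonymous callers only
            elif authenticated and name is not None:
                matched = matched or user.lower() == name.lower()  # account name, not group
        for role in _split(rule.get("roles", "")):
            if any(role.lower() == g.lower() for g in groups):
                matched = True                      # group membership
        if matched:
            return rule.tag == "allow"
    return True  # nothing matched: default allow


def decisions(authorization_xml):
    """Evaluate every sample caller against one config; returns {label: allowed}."""
    return {label: evaluate(authorization_xml, name, groups, auth)
            for label, name, groups, auth in CALLERS}


if __name__ == "__main__":
    for title, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(title, decisions(cfg))
```

With the original block, the group member is admitted only because no rule matched (the users attribute never equals the account name), and the non-member falls through to the same default; with the roles-based block plus deny users="*", only the member is allowed.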