HAP - unathorised access

[gaz003]

I have setup HAP on server 2008 with IIS7. If i log on as administrator I am able to see the mapped drives setup and browse the folders. logging on as a student or myself I get the error: unauthorised access you have attempted to access a restricted resource

I have messed around with the basic permissions in IIS, added server-ts1 with full control to the mapped drive folders. As a user I have full control to the mapped drives, and so struggling as to why I am unable to access them in HAP.

Has anyone had the same issue where they could talk me through a solution to this?

[nickbro]

The server should be impersonating the user, and as such running as it to connect to network resources. You need to ensure interactive logons are enabled on your server.

[gianzack]

The server should be impersonating the user, and as such running as it to connect to network resources. You need to ensure interactive logons are enabled on your server.

dear Nick, I have been looking for a web app like with for 10 years. thanks. thanks. thank.
here is my problems:

backgrounds)
environment win 2003r2 and win2008r2 domain controlled. hap installed in win2008r2. on the same server but different site installed sharepoint.
everything installed following video instructions. hap runs if login as a member of domain admins. version installed HAP.Web v7.7.1122.1650 downloaded from this forum

1) setup page Active directory browsing shows only 2 organizational units out of apprix. 20.

2) if login as a studente (member of students) I have "invalid login". please note that "studente" does log on the HAP server. I think this mean logon locally works.
wwwroot/hap directory has "system" "apppool" and "domain admins" only. do I need to add "students"?

many thanks for yout superb and terrific work !!!!

Gian

[nickbro]

The students group does not need adding as HAP+ runs as the apppool for anything requiring access to the local server. Check that you can logon as a student on the server. As this may be what's stopping it working properly, as HAP+ will attempt to log on as the user logged in to process it's requests, but if the server isn't set to allow interactive logons this won't be able to happen.

One option may be to try the Basic Authentication Mode which will be in the delayed v7.7 release

[gianzack]

Check that you can logon as a student on the server.

thanks for the quick reply.
I tried and I confirm that I can log on the HAP server as a student.

Could it be an LDAP issue?

many thanks again
gian

[CHiLL]

The students group does not need adding as HAP+ runs as the apppool for anything requiring access to the local server. Check that you can logon as a student on the server. As this may be what's stopping it working properly, as HAP+ will attempt to log on as the user logged in to process it's requests, but if the server isn't set to allow interactive logons this won't be able to happen.

One option may be to try the Basic Authentication Mode which will be in the delayed v7.7 release

I'm somewhat confused by this.

By default, only domain admins can log on our servers. Does this mean teaching staff will not be able to use HAP once it's loaded onto a server? (As its now running on my local machine for test purposes)

[nickbro]

When do you get the not authorised message? After they have logged in. When they try and access a drive.

If the first, check the ~/web.config file, look for authorisation groups

[gianzack]

should I edit <deny users="?" />

in the following part of web.config?

<system.web>
...
<authorization>
<deny users="?" />
</authorization>
<customErrors mode="Off" />
</system.web>

[gianzack]

When do you get the not authorised message? After they have logged in. When they try and access a drive.

If the first, check the ~/web.config file, look for authorisation groups

I have the error on the form itself
sorry for my ignorance, which part of the web.config should I change?

thanks again

[nickbro]

Ok, just wanted to check the config was still generic. What page are you trying to access when it gives you the unauthorised error, can you post a screenshot of the error

[gianzack]

dear nick
here is the page:


please note that
1)I CAN logon as a member of domain admins
2) in the sepup.aspx page after I enter "domain UPN" and "admin" and "pass" the active directory browser gives me only a small part of the active directory structure


a) do you think the 2 problems are connected?
b) I did these test on the release 7.7.1128
c) could you please drive me on how to enable basic authentication?

many thanks again for your help and work

[nickbro]

Ok, one thing you can do, is set HAP+ to run as a Domain User instead of the IISAppPool\HAP user, see if that fixes some things?

[gianzack]

Ok, one thing you can do, is set HAP+ to run as a Domain User instead of the IISAppPool\HAP user, see if that fixes some things?

dear nick I have some news:
1) I tried to run as a Domain User or domain admins but still same problem.
2) I setup basic authentication: if I access the default.aspx as student it sees me as a student and viceversa if I login as an admin.
3) but if load login.aspx (with basic authentication) and try to login as a student it still tells me invalid login.
4) I still have the problem (with all the settings I tried) that I can see only a very small part of Active directory with the AD browser but I can bypass it with hapconfig.xml

do you think the problem is with login.aspx?

thanks again

[nickbro]

Under basic authentication, login.aspx is redundant