This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IIS Authorization Rules for Manager Web

Hello,

I hope someone could help me. I want to deploy the Manger Web App to our HelpDesk team but want them to use a specific account.
I've authorized the application roles to the employees but Helpdesk have 2 AD accounts. One for Primary and a Priv account.

I want to restrict the Manger web so they have to use the priv account.
I was looking into IIS Authorization rule but does not seem to work.

Here is what i've done.

Set the Website to Windows Authentication
Created a local group
Added the AD group to the local group
Created Allow Authorization Rule in IIS for the Local Group

I was thinking maybe i needed to use .net Authorization rules but same result.
If i just add Administrators and I have a membership of a group in Administrators it works.
Although i can't add the HelpDesk team to the Administrators group.

Is there a way to create this type of access to the Web Manager within Designer or some config in Web Mananger?
Thanks in advance for any help.

Parents

0 Markus Weiss-Ehlers over 5 years ago

When you set the authorization rule, did you check the web.config afterward? Ensure that there is only the allow rule present for your group.
Cancel
Up 0 Down

Cancel
0 lrigs over 5 years ago in reply to Markus Weiss-Ehlers

Markus,

Yes here is what i see...

<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="IDMManagerWeb" />
</authorization>

I created the local group IDMManagerWeb.

Thanks, Lu
Cancel
Up 0 Down

Cancel
0 lrigs over 5 years ago in reply to lrigs

Here is the error i get

.
Cancel
Up 0 Down

Cancel
0 Markus Weiss-Ehlers over 5 years ago in reply to lrigs

This error is coming from the Manager Web application itself. The integrated load balancing mechanism is trying to inspect all configured instances of the application to detect the current load. In your case, with the restricted access (Remove users ="*"), the application is unable to do that. You need at least add the configured users for the applications defined for the load balancing or the application pool user to allow them access to the Manager web.

About the load balancing see https://support.oneidentity.com/technical-documents/identity-manager/8.0/installation-guide/32#TOPIC-864281 of the advanced config section for the Manager Web https://support.oneidentity.com/technical-documents/identity-manager/8.0/installation-guide/29#TOPIC-864270
Cancel
Up 0 Down

Cancel

Reply

0 Markus Weiss-Ehlers over 5 years ago in reply to lrigs

This error is coming from the Manager Web application itself. The integrated load balancing mechanism is trying to inspect all configured instances of the application to detect the current load. In your case, with the restricted access (Remove users ="*"), the application is unable to do that. You need at least add the configured users for the applications defined for the load balancing or the application pool user to allow them access to the Manager web.

About the load balancing see https://support.oneidentity.com/technical-documents/identity-manager/8.0/installation-guide/32#TOPIC-864281 of the advanced config section for the Manager Web https://support.oneidentity.com/technical-documents/identity-manager/8.0/installation-guide/29#TOPIC-864270
Cancel
Up 0 Down

Cancel

Children

No Data