sharepoint, authorization, iis-7.5

How to secure the application pages in SharePoint 2013 with Claims authentication


I want to secure the application pages in SharePoint 2013 with Claims authentication, but it does not seem to be working.

<configuration>
   <location path="_layouts/15/settings">
      <system.web>
         <authorization>
            <allow users="demo\user1"/>
            <deny users="*" />
         </authorization>
      </system.web>
   </location>
</configuration>

However, it works with Windows-based authentication.

Update: 21-May-15:

I have fixed this:

<configuration>
   <location path="_layouts/15/settings">
      <system.web>
         <authorization>
            <allow users="0#.w|demo\user1"/>
            <deny users="*" />
         </authorization>
      </system.web>
   </location>
</configuration>

However, it is not authorizing the AD group. I have tried the entries below.

<allow users="c:0+.w|demo\group1"/>
<allow roles="c:0+.w|demo\group1"/>
<allow users="0+.w|demo\group1"/>
<allow roles="0+.w|demo\group1"/>
<allow users="demo\group1"/>
<allow roles="demo\group1"/>
<allow users="c:0+.w|sid"/>
<allow roles="c:0+.w|sid"/>
<allow users="0+.w|sid"/>
<allow roles="0+.w|sid"/>
<allow users="sid"/>
<allow roles="sid"/>

How do I authorize both the individual user and AD groups?

Update: 22-May-2015

  <location path="_layouts/15/viewlsts.aspx">
    <system.web>
      <authorization>
        <allow users="Group1" />
        <allow users="Domain\Group1" />
        <allow users="0#.w|Domain\Group1" />
        <allow users="c:0+.w|Domain\Group1" />
        <allow users="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <allow users="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <allow users="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <allow roles="Group1" />
        <allow roles="Domain\Group1" />
        <allow roles="0#.w|Domain\Group1" />
        <allow roles="c:0+.w|Domain\Group1" />
        <allow roles="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <allow roles="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <allow roles="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Still it is not working.


Solution

  • The prefix is different for groups.

    Have you tried this?

    <allow users="c:0+.w|demo\group1"/>

    If it works, you can then authorize groups and users like this:

    <allow users="c:0+.w|demo\group1,0#.w|demo\user1"/>
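
The prefixes in the rules above (`0#.w|` for a user, `c:0+.w|` for a group) are SharePoint claims-encoded identifiers. As an added example, not part of the original question or answer, this Python script decodes each principal in a `web.config` authorization block so the claim type behind every entry is visible when auditing it. The character maps are a subset of the encoding, and the sample config, account names and SID are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Subset of SharePoint claims-encoding characters (only the ones needed here).
CLAIM_TYPES = {"#": "user logon name", "+": "group SID", "-": "role"}
ISSUERS = {"w": "Windows", "f": "forms", "t": "trusted issuer"}
ENCODED = re.compile(r"^(?:([ic]):)?0(.)(.)([a-z])\|(.+)$")
SID = re.compile(r"^s-1-\d+(-\d+)+$", re.IGNORECASE)

def decode(principal):
    """Decode one claims-encoded principal; return None for plain names."""
    m = ENCODED.match(principal.strip())
    if not m:
        return None
    kind, ctype, vtype, issuer, value = m.groups()
    info = {
        "kind": {"i": "identity", "c": "other", None: "unspecified"}[kind],
        "claim_type": CLAIM_TYPES.get(ctype, "unknown"),
        "issuer": ISSUERS.get(issuer, "unknown"),
        "value": value,
        "notes": [],
    }
    if vtype != ".":
        info["notes"].append("value type is not string ('.')")
    if ctype == "+" and not SID.match(value):
        info["notes"].append("group SID claim but value is not a SID")
    return info

def audit(config_xml):
    """Return (location path, verb, attribute, principal, decoded) per entry."""
    rows = []
    for loc in ET.fromstring(config_xml).iter("location"):
        for rule in loc.iter("authorization"):
            for entry in rule:
                for attr in ("users", "roles"):
                    for p in filter(None, entry.get(attr, "").split(",")):
                        rows.append((loc.get("path"), entry.tag, attr, p, decode(p)))
    return rows

# Constructed sample: names and the SID are placeholders, not from a real farm.
SAMPLE = r"""<configuration><location path="_layouts/15/settings">
  <system.web><authorization>
    <allow users="c:0+.w|demo\group1,0#.w|demo\user1"/>
    <allow users="c:0+.w|s-1-5-21-1111111111-2222222222-3333333333-1105"/>
    <deny users="*"/>
  </authorization></system.web>
</location></configuration>"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
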