AD groups in ASP.NET project

[Daniel G]

Hello,

I am working at a ASP.NET project that uses
authenticate/authorize via Active Directory. There are
many groups with different roles.
I am unable to 'see' a solution for this kind of error :

- for a specific user X ( that belongs to group G1 and G2) this call :

DirectoryEntry.Invoke("Groups")
returns an empty object.


- but if I try with my username to be member of the
same two groups G1 and G2 , the same method invocation

DirectoryEntry.Invoke("Groups")
returns an object with 2 groups (G1 and G2).

Where is the error ? How can I debug to see the real error ?
It is an error of Active Directory/LDAP or in the ASP.NET or ....?

The user X is assumed to be the tester ... and I just
want to 'copy' his context and environment in order to fix it.


Thank you for your support,
DanielG

 

[Joe Kaplan \(MVP - ADSI\)]

Hi Daniel,

It is a much better idea to use the standard .NET IPrincipal object for
doing authorization in .NET applications. All of the .NET infrastructure
already supports this including ASP.NET. In fact, the WindowsPrincipal
class that comes with the .NET Framework already knows how to calculate the
groups for a given user right out of the box. It's only limitation is that
it requires Windows authentication to initialize it.

It is also possible (but very much not recommended) to look up the groups
for a user and build your own custom IPrincipal class. In some cases this
may be necessary, such as when the web server is not a member of the domain
and there is no way to use Windows authentication. In that case, querying
AD for the user's tokenGroups object is an acceptable way to figure out what
groups a user is in.

If you do a Google groups search for tokenGroups, I believe you'll find lots
of sample code that shows you how to use this.

If you need more help on ASP.NET security in general, I'd suggest trying the
aspnet.security newsgroup as well.

Joe K.