ASP.NET with ADirectory role based authentication

Thread starter: naijacoder

naijacoder

Hi Everyone,
I have some questions relating to Active Directory and ASP.NET.
1) I have created a role based authorisation using SQL Server, but I want to use Active Directory as a datastore now.
2) Now, if I want to allow the user to log in with credentials against the Active Directory and then implement the roles I have in my database, would I need to have roles in my Active Directory?
3) What I really want to do is for my users to log in using their username (Windows logon), authenticate them against Active Directory, then after authentication do authorization depending on their ROLES and then redirect them to the resources they are allowed to browse.
4) Now I'm authenticating against my database with username and pwd, and I created some Roles in the database for my authorisation. But I want to authenticate using Active Directory and then do authorisation.
But if I have to use Active Directory for authorisation, will I have to have ROLES in my Active Directory?

Thanks in advance and waiting for all ideas, articles and resources...
 

naijacoder

Thanks very much for the reply and for the article, but I have made a forms authentication already with ADirectory and it's working FINE!
But what I want to do now is to authenticate against a particular GROUP, for example Security, in Active Directory.
For example, a USER A logs in and he is not in the group called Security: he shouldn't have access, and if he is in the GROUP Security then he should be authenticated.
I was thinking about using ROLES in Active Directory, but my question is: can I have roles created in Windows 2000 Server Active Directory? And if I can, can I use forms authentication directly to the ROLES in Active Directory?
Thanks in advance and all ideas are welcome.
 

Joe Kaplan (MVP - ADSI)

This is easiest to do if you use Windows authentication in IIS against AD.
When you do that, ASP.NET will create a WindowsPrincipal object in the
Context.User property that is used for providing identity and authorization
services to your application. The IsInRole method in WindowsPrincipal will
return true or false based on the user's AD group membership. You supply
the group names in the form "domain\group name".

If you don't use Windows authentication and decide to use Form
Authentication against AD (which I don't recommend), then you need to
compute the user's group membership programmatically and create the
appropriate IPrincipal object.

Joe K.
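The Windows-authentication route Joe describes, as an added example that is not code from the thread or from any of the articles linked in it. It assumes web.config carries `<authentication mode="Windows" />` with anonymous access disabled in IIS, so that Context.User is already a WindowsPrincipal when the page runs; "CONTOSO" and "Security" are placeholder domain and group names.

```csharp
// Added example (not from the thread): role check under IIS Windows authentication.
// Assumes <authentication mode="Windows" /> and anonymous access disabled, so
// Context.User is a WindowsPrincipal built from the caller's logon token.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class SecurePage : Page
{
    // Group supplied in the "domain\group name" form Joe mentions (placeholder names).
    private const string RequiredGroup = @"CONTOSO\Security";

    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsPrincipal user = Context.User as WindowsPrincipal;

        // With Windows authentication and no anonymous access this is never null or
        // unauthenticated; if it is, the site is misconfigured, so fail closed.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // not authenticated
            Response.End();
            return;
        }

        // IsInRole resolves the name against the group SIDs in the logon token, so
        // nested group membership is honoured without any LDAP query from the app.
        if (!user.IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;   // authenticated, but not in the required group
            Response.End();
            return;
        }

        // Authorised: the identity name is available for auditing and display.
        Response.Write("Logged on as " + HttpUtility.HtmlEncode(user.Identity.Name));
    }
}
```

The same rule can be applied declaratively for whole folders with a web.config `<authorization>` section that allows `roles="CONTOSO\Security"` and denies `users="*"`; the code check above is what you use when the decision has to be made per page or per resource.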
 

Paul Clement

> Thanks very much for the reply and for the article, but I have made a forms authentication already with ADirectory and it's working FINE!
> But what I want to do now is to authenticate against a particular GROUP, for example Security, in Active Directory.
> For example, a USER A logs in and he is not in the group called Security: he shouldn't have access, and if he is in the GROUP Security then he should be authenticated.
> I was thinking about using ROLES in Active Directory, but my question is: can I have roles created in Windows 2000 Server Active Directory? And if I can, can I use forms authentication directly to the ROLES in Active Directory?
> Thanks in advance and all ideas are welcome.

The link posted by Mohamed has a subtopic link (in the Contents section) to a function that
enumerates the user's group membership:

Develop LDAP Group Retrieval Code to Look Up the User's Group Membership
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod16.asp


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 

Joe Kaplan (MVP - ADSI)

Additionally, you can use Google groups to find some other examples of doing
the group lookup properly. The example in the article provided by Paul is
okay, but it has a few flaws in it that could cause you trouble. I've
written about it here pretty extensively. Until I am successful at getting
the PAG guys to update the article with better code, you'll have to find it
via other sources. TokenGroups is the keyword.

Joe K.

 

naijacoder

I have used the article below, thanks for the link.
But when I want to see the list of groups the authenticated user is a member of, by adding the code
Response.Write("Groups: " + authTicket.UserData + "<br>");
at the Application_AuthenticateRequest event handler in the global.aspx.cs file, I don't see any GROUPS listed.
And when I paste it into my Default.aspx it says error:
Name 'authTicket' is not declared.
Any help for this from you GUYS?
And by the way, I'm looking for an article:
How To Use Windows Authentication with Active Directory (including role based authorization for users depending on their security groups in the Active Directory).
Thanks in advance


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod16.asp
 

Mohamed Sharaf

Hi,
You need to do two things:
1) Write a function to retrieve the groups of the user (you can find a sample here:
http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx)

2) In Application_AuthenticateRequest, you need to build your user data by adding the groups you got from the previous step to the principal object.
You can find all the steps in this MSDN article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp

I hope that helps
Mohamed Sharaf
MEA Developer Support Center
ITWorx on behalf of Microsoft EMEA GTSC
 

naijacoder

Thanks Mohamed for the link and info.
Are you advising me to add my GROUPS to the code below (Application_AuthenticateRequest)?
I have retrieved the list of the GROUPS I want to use, but where and how below should I add the GROUP name?
Thanks in advance!

// Namespaces this handler relies on (at the top of Global.asax.cs):
// using System;
// using System.Security.Principal;
// using System.Web;
// using System.Web.Security;
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    String cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    if (null == authCookie)
    {
        //There is no authentication cookie.
        return;
    }
    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception ex)
    {
        //Write the exception to the Event Log.
        return;
    }
    if (null == authTicket)
    {
        //Cookie failed to decrypt.
        return;
    }
    //When the ticket was created, the UserData property was assigned a
    //pipe-delimited string of group names.
    String[] groups = authTicket.UserData.Split(new char[] { '|' });
    //Create an Identity.
    GenericIdentity id = new GenericIdentity(authTicket.Name, "LdapAuthentication");
    //This principal flows throughout the request.
    GenericPrincipal principal = new GenericPrincipal(id, groups);
    Context.User = principal;
}
 

Mohamed Sharaf

Yes, you need to add the group names to the principal to give your code the ability to use the IsInRole method of the GenericPrincipal class.

Best regards,
Mohamed Sharaf
MEA Developer Support Center
ITWorx on behalf of Microsoft EMEA GTSC
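The missing piece in the exchange is the login side: the groups have to be put into the ticket's UserData at sign-in, or the Application_AuthenticateRequest handler quoted above has nothing to split on '|'. The following is an added example, not code from the thread, the MSDN article or the wwwcoder sample. It covers both Mohamed's step 1 and Joe's tokenGroups remark: the group list is read from the user's tokenGroups attribute, which the domain controller fills with the SIDs of every group the user is in, nested groups included. The LDAP path, domain name "CONTOSO", group name "Security", the 30-minute ticket lifetime and the helper names GetGroups, SignIn, IsAllowed and EscapeLdap are all assumptions of this example.

```csharp
// Added example (not from the thread): Forms authentication against AD with group
// names read from tokenGroups and carried in the FormsAuthenticationTicket.UserData.
// Placeholder values: LdapPath, Domain, the "Security" group, the ticket lifetime.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AdGroupAuth
{
    private const string Domain = "CONTOSO";                        // placeholder
    private const string LdapPath = "LDAP://DC=contoso,DC=local";   // placeholder

    // Authenticates by binding with the user's own credentials (a failed bind throws),
    // then returns domain-qualified group names such as "CONTOSO\Security".
    public static string[] GetGroups(string userName, string password)
    {
        using (DirectoryEntry root = new DirectoryEntry(LdapPath, Domain + "\\" + userName, password))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the name before it goes into the filter so typed input cannot change it.
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeLdap(userName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new InvalidOperationException("User not found in directory");

            // tokenGroups is a constructed attribute: a search does not return it, the
            // entry itself has to be asked for it with RefreshCache.
            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" });
                List<string> groups = new List<string>();
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try
                    {
                        groups.Add(sid.Translate(typeof(NTAccount)).Value);
                    }
                    catch (IdentityNotMappedException)
                    {
                        // SID with no resolvable name (e.g. a deleted group): skip it.
                    }
                }
                return groups.ToArray();
            }
        }
    }

    // Escapes the characters RFC 4515 reserves inside LDAP filter values.
    private static string EscapeLdap(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Login page: authenticate, then store the groups pipe-delimited in UserData,
    // which is exactly what Application_AuthenticateRequest splits on '|'.
    public static void SignIn(HttpContext context, string userName, string password)
    {
        string[] groups = GetGroups(userName, password);
        string userData = string.Join("|", groups);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, userData,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                        // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // follows the web.config setting
        context.Response.Cookies.Add(cookie);
    }

    // Any page: answered by the GenericPrincipal that Application_AuthenticateRequest built.
    public static bool IsAllowed(HttpContext context)
    {
        return context.User != null
            && context.User.Identity.IsAuthenticated
            && context.User.IsInRole(Domain + "\\Security");
    }
}
```

Two practical caveats with this design: the whole group list travels in the cookie, so a user in many groups can exceed the browser's cookie size limit, and the list is only as fresh as the ticket, so a group change takes effect at the next login rather than immediately. Both are reasons Joe prefers Windows authentication, where IsInRole reads the logon token instead of a cookie.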
 
