Mike Swift
Hello all
I wonder if the great and the good of this esteemed forum might shed
some light on a problem of mine...
Three servers in a domain: one Active Directory server, one SQL Server
and one IIS. IIS hosts an ASP.NET Web Application which requires that
users log on through a web form, are authenticated against their
Active Directory account and then acquire the permissions on the SQL
Server objects that their Active Directory group membership bestows.
In the following code authentication through LDAP works and authTicket
appears to be generated correctly. At this stage User.Identity is
empty, but by loading the page a second time User.Identity contains
the correct details. This is presumably as a result of reading the
cookie, but how can I get the correct User.Identity from the
authTicket without letting the cookie reader do it for me
automagically?
Anyway, even on the refresh when we have...
User.Identity.Name=myuser
User.Identity.IsAuthenticated=True
User.Identity.AuthenticationType=Forms
...the code still fails on
(System.Security.Principal.WindowsIdentity)User.Identity, producing
'specified cast is invalid'. Is this because its authentication type
is Forms? If so, and given that form-based login is a requirement, how
can I "Impersonate the Authenticating User in Code"?
string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com";
LdapAuthentication adAuth = new LdapAuthentication(adPath);

if (adAuth.IsAuthenticated(txtDomainName.Text, txtUserName.Text, txtPassword.Text))
{
    // Build a forms ticket for the LDAP-validated user, valid for 60 minutes.
    FormsAuthenticationTicket authTicket =
        new FormsAuthenticationTicket(1,
                                      txtUserName.Text,
                                      DateTime.Now,
                                      DateTime.Now.AddMinutes(60),
                                      false, "");
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    HttpCookie authCookie =
        new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    Response.Cookies.Add(authCookie);

    // Fails here with 'specified cast is invalid' (see above).
    System.Security.Principal.WindowsImpersonationContext impersonationContext =
        ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
}
As you may recognise, this code has been cribbed from
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it
may help diagnosis to know that the code from the "Impersonate a
Specific User in Code" section is working fine, but presumably this
approach would require me to carry the username and password around,
in the session say, and re-authenticate on every page_load.
Once the user has logged in I want every page to be executed in the
context of their AD account, so perhaps there's some altogether
better way of achieving this that I'm missing.
Cheers,
Mike.
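The cast in the post fails because Forms authentication leaves User.Identity as a FormsIdentity inside a GenericPrincipal; a WindowsIdentity never exists for that request, so there is nothing to impersonate. The following HttpModule is an added example (not code from Mike's post or from the KB article) showing one way to get what the post asks for without carrying the password around: after FormsAuthenticationModule has validated the cookie, the module asks the domain for a Windows token for the same account via the WindowsIdentity(UPN) constructor (Kerberos S4U2Self), swaps the principal for a WindowsPrincipal so AD group membership is visible, and impersonates only for the duration of the page handler. It assumes ASP.NET on .NET Framework 2.0 or later, a domain at Windows Server 2003 functional level or higher, and that the application-pool account is configured for constrained delegation with protocol transition ("use any authentication protocol") to the SQL Server's MSSQLSvc SPN; without that the token comes back at identification level and the module deliberately does not impersonate with it. The module name, the Items key and the "@mydomain.com" suffix are assumptions.

```csharp
// Added example for this thread; not code from the post or the KB article.
// Assumes System.Web Forms Authentication on .NET Framework 2.0+ and an
// app-pool account allowed protocol transition + constrained delegation
// to the SQL Server's SPN. "mydomain.com" is the post's placeholder domain.
using System;
using System.Security;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Register under <httpModules> (classic) or <system.webServer><modules>
// (IIS 7 integrated). The class name is hypothetical.
public class AdImpersonationModule : IHttpModule
{
    private const string ItemsKey = "AdImpersonationModule.Context"; // hypothetical key
    private const string UpnSuffix = "@mydomain.com";                // placeholder domain

    public void Init(HttpApplication app)
    {
        // Fires after FormsAuthenticationModule has turned the cookie into
        // a GenericPrincipal/FormsIdentity, so the ticket is already parsed.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        // These two bracket the page (handler); for a synchronous page they
        // run on the same thread, which thread-bound impersonation requires.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
        app.PostRequestHandlerExecute += OnPostRequestHandlerExecute;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsIdentity formsId = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (formsId == null || formsId.Ticket.Expired) return; // anonymous or stale: leave as is

        // Obtain a Windows token for the ticket's user without a password
        // (S4U2Self). The domain decides what level of token we get.
        WindowsIdentity adId;
        try
        {
            adId = new WindowsIdentity(formsId.Ticket.Name + UpnSuffix);
        }
        catch (SecurityException)           { return; } // unknown account or S4U refused
        catch (UnauthorizedAccessException) { return; }

        // From here on User.IsInRole(@"MYDOMAIN\SomeGroup") reflects AD groups,
        // and <authorization> rules in web.config can use those groups.
        ctx.User = new WindowsPrincipal(adId);
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity adId = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (adId == null) return;

        // Only an impersonation-level token can open a network connection
        // (e.g. SqlConnection with Integrated Security) as the user. An
        // identification-level token means delegation is not configured;
        // refuse up front instead of failing later inside Open().
        if (adId.ImpersonationLevel < TokenImpersonationLevel.Impersonation) return;

        ctx.Items[ItemsKey] = adId.Impersonate(); // page code now runs as the AD user
    }

    private static void OnPostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsImpersonationContext imp = ctx.Items[ItemsKey] as WindowsImpersonationContext;
        if (imp == null) return;

        imp.Undo();    // always revert before the thread returns to the pool
        imp.Dispose();
        ctx.Items.Remove(ItemsKey);
    }
}
```

Two notes on using this with the login code in the post. First, User.Identity is empty on the login request itself because the principal is built from the incoming cookie, which has not been sent yet; the usual answer is to finish the login with FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false) so the next request goes through the module, or, if the identity is needed in that same request, assign Context.User = new GenericPrincipal(new FormsIdentity(authTicket), new string[0]) yourself after issuing the cookie. Second, SqlClient keys its connection pool on the Windows identity when integrated security is used, so impersonating per user means one small pool per user rather than one shared pool; that is the cost of letting SQL Server apply the AD group permissions directly.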