RoleProvider for AD Group membership

Olivier Matrot

Hello,
I'm in the process of writing my own Active Directory RoleProvider to be
able to check if a user is member of a given group. But maybe it already
exists somewhere in the community? I do not want to use AzMan. Basically,
it should provide the same functionality as the WindowsTokenRoleProvider
and should work with forms authentication (and ActiveDirectoryMembership
Provider).
Any help appreciated.
TIA.
 
Luke Zhang [MSFT]

Hello Olivier,

In .NET framework 2.0, there is a new role provider class
"AuthorizationStoreRoleProvider" Class:

http://msdn2.microsoft.com/en-us/library/system.web.security.authorizationstoreroleprovider(VS.80).aspx

You can use AuthorizationStoreRoleProvider for role membership checks. The
benefit of using AuthorizationStoreRoleProvider is that it provides a
consistent set of APIs for role authorization.

Here is also an article about it:

How To: Use Role Manager in ASP.NET 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000013.asp?_r=1

Hope this helps,

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Dominick Baier

Ryan Dunn and I (and also Joe Kaplan) worked on an AD role provider.

Mail me and I'll send you the code (it is not final, but chances are high
it will work for you).
 
Olivier Matrot

Hello Luke,
The membership check is done via the AspNetActiveDirectoryMembershipProvider.
I'm trying to use AuthorizationStoreRoleProvider, but it seems to be
difficult to use:
1) What is the format of the connection string? I'm using the following:
MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private

But the following exception is thrown:
The service did not respond to the start or control request in a timely
fashion. (Exception from HRESULT: 0x8007041D)

Please note that I'm accessing a domain that is located in another forest.
This is working just fine with the membership provider.

Here is the content of my web.config file:
<connectionStrings>
  <add name="MemberShipProvider"
       connectionString="LDAP://rtetest.private/OU=FaxBox,DC=rtetest,dc=private"/>
  <add name="AzmanRoleProvider"
       connectionString="MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private"/>
</connectionStrings>

<roleManager enabled="true"
             cacheRolesInCookie="true"
             defaultProvider="AuthorizationStoreRoleProvider">
  <providers>
    <!-- Only on Windows 2003 by default -->
    <add name="AuthorizationStoreRoleProvider"
         type="System.Web.Security.AuthorizationStoreRoleProvider"
         connectionStringName="AzmanRoleProvider"
         cacheRefreshInterval="60"/>
  </providers>
</roleManager>

<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
  <providers>
    <add name="AspNetActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="MemberShipProvider"/>
  </providers>
</membership>

TIA.
 
Joe Kaplan

Yes, I just gave it to someone else and it seemed to work pretty well for
them. I think Ryan and I will try to finish it up and publish it on our
book's website once he gets back from vacation.

Joe K.
 
Luke Zhang [MSFT]

The general format for the connection string is as follows:

msldap://ServerName:port//DistinguishedNameForTheStore

The server name and the port are optional. If a server name is not
provided, the default domain controller is used. If a port is not
specified, the default LDAP port (LDAP_PORT, 389) is used. The
distinguished name (DN) for the store begins with the relative
distinguished name (RDN) of the AzAuthorizationStore object. For example,
if the RDN of the AzAuthorizationStore object is MyStore and MyStore is in
an organizational unit (OU) named AzMan, a possible connection string for
the Active Directory store is as follows:

msldap://MyServer/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Fabrikam,DC=Com

Sincerely,

Luke Zhang

Microsoft Online Community Support
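The connection-string rules given in the reply above (optional server, optional port defaulting to 389, DN starting with the store's CN= RDN) as a small validator. This is an added example, not code from the thread or from the AuthorizationStoreRoleProvider itself; the sample strings fed to it are taken from the thread, and it also rejects a plain LDAP:// membership string passed to the role provider by mistake.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

LDAP_PORT = 389  # default when the connection string names no port


class AzManStoreUri(NamedTuple):
    server: Optional[str]          # None: the default domain controller is used
    port: int
    rdns: List[Tuple[str, str]]    # e.g. [("CN", "MyStore"), ("OU", "AzMan"), ...]

    @property
    def store_name(self) -> str:   # RDN value of the AzAuthorizationStore object
        return self.rdns[0][1]


def _split_rdns(dn: str) -> List[Tuple[str, str]]:
    # Split on commas that are not backslash-escaped, then require attr=value.
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def parse_msldap(conn: str) -> AzManStoreUri:
    """Parse msldap://ServerName:port//DistinguishedNameForTheStore."""
    m = re.match(r"msldap://", conn, re.IGNORECASE)
    if not m:
        raise ValueError("role provider needs an msldap:// string, not LDAP://")
    rest = conn[m.end():]
    # Server[:port] is the text before the first '/', unless there is no slash
    # or that text already looks like a DN (server omitted, no leading slash).
    hostpart, slash, dn = rest.partition("/")
    if not slash or "=" in hostpart:
        hostpart, dn = "", rest
    dn = dn.lstrip("/")  # the documented form shows '//' in front of the DN
    server, port = None, LDAP_PORT
    if hostpart:
        server, colon, portstr = hostpart.partition(":")
        if not server:
            raise ValueError("empty server name")
        if colon:
            if not portstr.isdigit() or not 1 <= int(portstr) <= 65535:
                raise ValueError(f"invalid port: {portstr!r}")
            port = int(portstr)
    rdns = _split_rdns(dn)
    if rdns[0][0] != "CN":   # the DN must start with the store object's RDN
        raise ValueError(f"store DN must begin with CN=, got {rdns[0][0]}=")
    return AzManStoreUri(server, port, rdns)
```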
 
Olivier Matrot

Luke,
Is this provider working in an out-of-domain scenario, i.e. accessing a
domain in another forest? In this case, we must probably give proper
credentials to make it work.
 
Luke Zhang [MSFT]

Hello Olivier,

This provider will work between trusted domains.

Sincerely,

Luke Zhang

Microsoft Online Community Support