Active Directory - Groups and Permissions
I'm creating an intranet site that uses Forms authentication to validate users against an Active Directory. Users need to be able to login both from work and remotely. Then I want to be able to do two things: (1) Check whether a user is in an AD group and (2) enforce NTFS permissions based on AD username.
First scenario: "Joe" logs in to the web site from home using his domain username and password. Joe should see certain content on the web site based on his AD group membership. Let's say he's in Marketing, so I'd like to be able to check whether User.IsInRole("Marketing"). Right now when I try that, I get a message saying: "Method is only supported if the user name parameter matches the user name in the current Windows Identity." Is this because I've set the app to use the AspNetWindowsTokenRoleProvider? Does that only work if he is physically logged into a computer on the AD domain? Is there a way to emulate the Windows Identity? Or should I be using a different role provider?
Second scenario: Joe has certain permissions to network resources that need to be enforced. For example, a web folder (WebDAV) with financial data allows members in group "Marketing" read access only. It is enforced when he physically logs into the AD domain at work, but it should also be enforced when he logs in from the road. Right now I'm using <identity impersonate="true"/> - hoping it will use his username "Joe" rather than the ASP.NET worker process to access that folder. Is that the right way to approach the problem?
Currently I'm developing the site on a Windows XP machine using VS2005 and the built-in ASP web server. The production web server will be Windows 2003, and the AD domain itself is Windows 2000. Any help is much appreciated. Here are the relevant snippets from my web.config file:
<connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://machine.domain.com/CN=Users,DC=machine,DC=domain,DC=com" />
</connectionStrings>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<identity impersonate="true"/>
<authentication mode="Forms">
    <forms name=".ADAuthCookie" timeout="10" />
</authentication>
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
<membership defaultProvider="MyADMembershipProvider">
    <providers>
        <add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" connectionUsername="domain\user" connectionPassword="password" attributeMapUsername="sAMAccountName" enableSearchMethods="true" />
    </providers>
</membership>
By shanson at 2007-11-11 8:35:51

# 1 Re: Active Directory - Groups and Permissions
shanson
Hope you find a solution... because I'm facing the same problem. ;-)
# 2 Re: Active Directory - Groups and Permissions
Anyone have any tips on this? Even any general resources about how to harness Active Directory on an ASP.NET 2.0 intranet?
# 3 Re: Active Directory - Groups and Permissions
Do you have to have a logon page or can you use windows integrated logon without anonymous access (set in IIS, will cause a window to popup for the user to supply their username/password)? If that is ok:
For issue #1, try changing the authentication mode to "Windows". I am using User.IsInRole() without issue to essentially do what you want to do. You shouldn't need to use Forms authentication in the scenario you outline.
Issue #2 - If you change the authentication mode to Windows, set identity impersonate=true in web.config and have the directory security (in IIS) set as specified above, the impersonated user will be domain\username.
Hope this helps...
pee2 at 2007-11-11 23:15:16

# 4 Re: Active Directory - Groups and Permissions
OK, I think I see what you're saying. I thought I had to use forms authentication for this. But you're saying if I use windows integrated logon and someone is logging in remotely, their browser will pop up a box to enter their domain username and password to login? If they're at work, will it just use the username and password they already entered?
# 5 Re: Active Directory - Groups and Permissions
Exactly, if they are at work and logged on they will automatically be logged on to your site; otherwise they get the popup. Just uncheck 'enable anonymous access' for that virtual directory/application.
pee2 at 2007-11-11 23:17:14

# 6 Re: Active Directory - Groups and Permissions
I'll try that. If this works, I'm really going to kick myself. I've been banging my head against forms authentication for weeks, thinking it was the only way! Thanks for your help.
# 7 Re: Active Directory - Groups and Permissions
No, I just went through this myself. Use Windows authentication, as stated above.
Furthermore, as regards Impersonation: I myself turned it on in Web.Config, but there are reasons why having it on all the time is not so good. For instance, you turn it on because you want to capture the username later in your app. Now you have to properly set up ACLs for the user to have access to every directory the app uses, including write access for the db if you're using Access. Apparently you can turn it on temporarily in your app when you need it (for instance, to capture the username for logging purposes), then turn it off again. I had already finished my app, so I didn't pursue it, but this way you can just give access to the required directories for the ASP.NET process. Now you don't need the users to have access to the db directory!
And they can't download the database, take it home, and crack it! ;-) Or you could always use SQL Server, I suppose...if your client can afford it...
At any rate, this page has info on Impersonating the Original Caller Temporarily:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp?frame=true#paght000023_impersonatingoriginalcallertemp
It's well worth a look, and you should go to the top of the page and read the rest, too.
Does anyone else find MS documentation on ASP.NET 2.0 as frustrating as I do? I never seem to be able to search for and locate information on MSDN until I stumble across it by accident or through Google...for instance, when I was trying to get Windows authentication working, every page I came across on MSDN claimed all I had to do was put this in web.config:
<allow roles="Domain Admins" />
to allow access for an AD group named "Domain Admins". They NEVER MENTIONED
that you have to preface AD groups with the Windows Domain name!! Like this:
<allow roles="MY_DOMAIN\Domain Admins" />
In fact, I came across a page at MSDN that insisted that adding the domain name DID NOTHING!! Good thing I listened to them, right?? Then, after figuring out the answer, I came across this page: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000025.asp
which directly contradicted the previous page. No wonder there's a dent in my head from banging it against the wall! ARRRRRGGGGHHHHH!!
One last thing: those of you still not running Internet Explorer 7.0, the beta is now stable enough that I've been running it on my main dev machine for weeks with no problems. The Search Box, to which you can add Providers like MSDN, Google, Yahoo, Wikipedia, Amazon, etc., is a real time-saver, as are the multiple Tabs. You can even Save groups of Tabs! If you haven't been testing your sites with it, shame on you! Grab it now at: http://www.microsoft.com/windows/ie/ie7/ie7betaredirect.mspx
-Andrew
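The two points in the reply above (domain-prefixed role names and impersonating the original caller only for the moment you need it) as an added example, not code from the thread. It assumes `<authentication mode="Windows"/>` with `<identity impersonate="false"/>` in web.config; the group `MY_DOMAIN\Marketing` and the folder path are made-up names.

```csharp
// Added example (not from the thread). Assumes Windows authentication is on and
// site-wide impersonation is off, so the app pool identity runs everything except
// the block below. MY_DOMAIN\Marketing and the folder path are placeholders.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class CallerAccess
{
    // AD group names must carry the domain prefix for User.IsInRole to match.
    public const string MarketingGroup = @"MY_DOMAIN\Marketing";

    public static bool IsMarketing(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(MarketingGroup);
    }

    // Lists files in a folder whose NTFS ACL grants Marketing read access.
    // The caller's Windows token is used only inside the using block; the
    // process identity needs no rights to the folder at all.
    public static string[] ListFinancialFiles(HttpContext ctx, string folder)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !IsMarketing(ctx.User))
            throw new UnauthorizedAccessException("caller is not in " + MarketingGroup);

        // Impersonate() returns a context; disposing it (or calling Undo())
        // reverts to the process identity even if GetFiles throws.
        using (WindowsImpersonationContext wic = caller.Impersonate())
        {
            // NTFS evaluates the caller's token here, so a read-only grant for
            // Marketing is enforced by the file system, not by your code.
            return Directory.GetFiles(folder);
        }
    }
}
```

One caveat for the WebDAV scenario in the original question: a token obtained through NTLM from the browser cannot be forwarded to a second server (the "double hop" limit), so reaching a folder on another machine while impersonating requires Kerberos delegation to be configured; a folder on the web server itself works as shown.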
