Re: Authorization problem

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/27/04


Date: Wed, 27 Oct 2004 00:52:23 -0500

I think the standard Forms Authentication with ASP.NET article is an okay
starting point. I'd suggest you rip out their group lookup code and replace
it with some code that uses tokenGroups instead of memberOf. There are many
advantages to this approach.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326340
http://groups.google.com/groups?hl=en&lr=&selm=eGzmt3W9DHA.2404%40TK2MSFTNGP12.phx.gbl

If you are having trouble with ASP.NET and security contexts in S.DS, please
read this too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

The alternatives to this are to use the LogonUser API or SSPI to
authenticate the user and create a Windows token that can be turned into a
WindowsPrincipal for role-based authorization. This approach is actually
better in many ways than the LDAP approach, but might not work in all
situations. These have also been discussed endlessly on the public
newsgroups.

Joe K.

"Patrick.O.Ige" <PatrickOIge@discussions.microsoft.com> wrote in message
news:D5889396-F8AC-46DB-9A29-84074D8DEDD9@microsoft.com...
> Hi,
> I'm using form authentication with Active Directory not a Database.
> Can you give me a hint how i can GetRoles from the Active Directory and
> later perform Authorisation?
> Thx
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Imports System.Security.Principal
>> Imports System.Reflection
>>
>> ' Troubleshooting only: calls the private static WindowsIdentity._GetRoles
>> ' (.NET 1.1) through reflection to see which group names the framework
>> ' resolves for the token. Not for production code.
>> Function GetRoles(ByVal identity As WindowsIdentity) As String()
>>
>>     Dim idType As Type = GetType(WindowsIdentity)
>>     Dim result As Object = idType.InvokeMember("_GetRoles", _
>>         BindingFlags.Static Or BindingFlags.InvokeMethod Or BindingFlags.NonPublic, _
>>         Nothing, identity, New Object() {identity.Token}, Nothing)
>>     Dim roles() As String = DirectCast(result, String())
>>     Return roles
>>
>> End Function
>>
>> Like I said, this is for troubleshooting only, not for production code.
>> This may not work in future versions of the framework, but does on 1.1.
>>
>> Joe K.
>>
>> "Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
>> news:OHvb7S3uEHA.1988@TK2MSFTNGP12.phx.gbl...
>> > Never heard of reflection ;-)
>> > how to do?
>> >
>> >
>> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> > wrote
>> > in message news:emupGP3uEHA.2116@TK2MSFTNGP14.phx.gbl...
>> >> One other thing to check:
>> >>
>> >> Can you do a programmatic check instead of a declarative one? Try
>> >> Context.User.IsInRole("machine\administrators") or
>> >> Thread.CurrentPrincipal.IsInRole("machine\administrators")?
>> >>
>> >> Those should do the same thing as the declarative demand, but it is
>> >> worth
>> >> a shot.
>> >>
>> >> Another thing to try is to use reflection on _GetRoles private method
>> >> on
>> >> WindowsIdentity to see what the actual values are. This can be
>> >> helpful
>> >> for troubleshooting Windows group resolution. Don't use this in
>> >> production though!
>> >>
>> >> Google will dig up a bunch of code samples showing how to do that if
>> >> you
>> >> need it.
>> >>
>> >> Joe K.
>> >>
>> >> "Nikolay Petrov" <johntup2_nospam_@mail.bg> wrote in message
>> >> news:eVwiaG3uEHA.3948@TK2MSFTNGP15.phx.gbl...
>> >>>I have done that. It is fine.
>> >>> Something else is broken. The auditing doesn't show anything either.
>> >>>
>> >>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> >>> wrote in message news:efhvF42uEHA.1976@TK2MSFTNGP09.phx.gbl...
>> >>>> Are you certain that the client is being authenticated with Windows
>> >>>> authentication? It would probably be a good idea to dump out the
>> >>>> value
>> >>>> of Context.User.Identity.Name and make sure it is the user that you
>> >>>> think it is.
>> >>>>
>> >>>> Joe K.
>> >>
>> >>
>> >
>> >
>>
>>
>>
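The tokenGroups lookup Joe recommends in place of memberOf, as an added example that is not part of the original post or of the KB article's code. It assumes .NET Framework 2.0 or later (for SecurityIdentifier; on 1.1 each SID would instead be resolved by binding to LDAP://<SID=...>), and that the caller has already located the user's distinguished name; the server name and DN in the comments are placeholders. The DirectoryEntry binds as the ASP.NET process or impersonated identity unless credentials are supplied, which is exactly the security-context issue KB 329986 covers.

```csharp
// Added example (not from the original post): effective AD group membership
// via the constructed tokenGroups attribute. Assumes .NET Framework 2.0+
// (SecurityIdentifier) and that the caller already knows the user's DN.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public static class TokenGroupRoles
{
    // tokenGroups lists every group SID in the user's token: nested groups, the
    // primary group and domain-local groups in the user's domain, which
    // memberOf does not show. It is constructed on demand by the DC (a global
    // catalog must be reachable), so it has to be requested explicitly with a
    // base-scope read of the user object, which RefreshCache(string[]) does.
    public static List<SecurityIdentifier> GetTokenGroupSids(string ldapServer, string userDn)
    {
        // e.g. "LDAP://dc1.example.com/CN=Jane,OU=Staff,DC=example,DC=com" (placeholder values)
        string path = "LDAP://" + ldapServer + "/" + userDn;
        using (DirectoryEntry user = new DirectoryEntry(path))
        {
            user.RefreshCache(new string[] { "tokenGroups" });
            List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier(sidBytes, 0));
            return sids;
        }
    }

    // Maps SIDs to DOMAIN\Group names for role checks. A SID that no longer
    // resolves (deleted group, unreachable trusted domain) is kept in SDDL
    // form so the role list is never silently shorter than the token.
    public static string[] GetRoles(string ldapServer, string userDn)
    {
        List<string> roles = new List<string>();
        foreach (SecurityIdentifier sid in GetTokenGroupSids(ldapServer, userDn))
        {
            try
            {
                roles.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                roles.Add(sid.Value);
            }
        }
        return roles.ToArray();
    }
}
```

In a Forms Authentication application the string array returned by GetRoles is what you would store in the ticket's UserData (or re-read per request) and wrap together with the FormsIdentity in a GenericPrincipal in Application_AuthenticateRequest, so that Context.User.IsInRole and the `<authorization>` roles attribute evaluate against the same group set the DC would put in the user's token.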


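The LogonUser alternative Joe mentions, as an added example that is not part of the original post: authenticate the forms credentials against Windows, wrap the returned token in a WindowsPrincipal and let IsInRole do the group resolution from the token's own SIDs. It assumes .NET Framework 2.0 or later, where the WindowsIdentity(IntPtr) constructor duplicates the handle so the original can be closed. The practical caveat is that on Windows 2000 the calling process needs the "Act as part of the operating system" privilege to call LogonUser (Windows XP and Server 2003 dropped that requirement), and that the user's cleartext password has to reach the web server for this to work at all.

```csharp
// Added example (not from the original post): the LogonUser alternative.
// Authenticate the forms credentials against Windows, wrap the resulting token
// in a WindowsPrincipal and let IsInRole do the group resolution.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class WindowsLogonRoles
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Network logon validates the credentials without loading a profile and is
    // the cheapest type for a per-request check. Other types (interactive,
    // batch) are governed by separate "Log on ..." user rights assignments.
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public static WindowsPrincipal Authenticate(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surfaces the Win32 error (e.g. ERROR_LOGON_FAILURE) instead of a bare false.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the token (assumed: .NET 2.0+), so the
            // handle LogonUser gave us can be closed in the finally block.
            return new WindowsPrincipal(new WindowsIdentity(token));
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // role is "DOMAIN\Group" or "BUILTIN\Administrators". IsInRole compares
    // against the group SIDs in the token, so nested groups and the primary
    // group are included without any LDAP query from the application.
    public static bool IsInRole(string domain, string user, string password, string role)
    {
        return Authenticate(domain, user, password).IsInRole(role);
    }
}
```

The principal returned by Authenticate can be assigned to Context.User in place of the GenericPrincipal a forms application would otherwise build, which is what makes the declarative role demands and the programmatic IsInRole checks discussed in the quoted thread behave exactly as they do under Integrated Windows Authentication.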
