Re: Active Directory and Roles
- From: "Robert Ginsburg" <robert.ginsburg@xxxxxxxx>
- Date: Wed, 24 May 2006 14:32:56 -0400
Ok so if you are using the ActiveDirectoryMembershipProvider then you will
indeed have to code something. MSDN implies (see excerpt below) that you
don't need to. Since this probably means that IIS is running as a local
anonymous account, you will probably have to wrap up the sample code in a
COM+ (whoops, call that Enterprise Services) class and give it an AD identity
that has enough permissions to enumerate groups on other user objects.
// from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch3_ImpDirectAuth_WSE30.asp
If you use an LDAP-enabled directory service other than Active Directory or
ADAM to validate credentials, you may need to create a custom membership
provider. For more details on how to build custom ASP.NET 2.0 providers, see
Building Custom Providers for ASP.NET 2.0 Membership. Also, depending on how
you store and retrieve account roles in your directory service, you may need
to implement a custom RoleProvider. For example, if you use an LDAP schema
for user roles that is not supported through
ActiveDirectoryMembershipProvider, you will need to implement a custom
RoleProvider to retrieve roles for your users.
In a custom RoleProvider class, you need to retrieve the user roles from the
directory service by overriding the GetRolesForUser() method. The code to
retrieve user roles from the directory service would look like the following
example.
public override string[] GetRolesForUser(string username)
{
    using (DirectoryEntry rootEntry = new DirectoryEntry(this.connectionString))
    {
        rootEntry.Username = this.username;
        rootEntry.Password = this.password;
        // AuthenticationTypes.None with a username/password is a simple bind, so
        // the service account's password crosses the wire in clear text unless
        // the connection is LDAPS; AuthenticationTypes.Secure negotiates
        // Kerberos/NTLM instead.
        rootEntry.AuthenticationType = AuthenticationTypes.None;
        rootEntry.RefreshCache();

        // Search for the user in the directory service. The login name is placed
        // in the filter unescaped; escape "\", "*", "(" and ")" in it before
        // using an untrusted value here.
        using (DirectorySearcher searcher = new DirectorySearcher(rootEntry))
        {
            searcher.PropertiesToLoad.Add("memberOf");
            searcher.PropertiesToLoad.Add(this.usernameAttribute);
            searcher.Filter = String.Format("(&(objectClass=user)({0}={1}))",
                this.usernameAttribute, username);
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                return new string[0]; // unknown user: no roles, not a null dereference
            }
            DirectoryEntry userEntry = result.GetDirectoryEntry();

            // memberOf holds only direct memberships (no nested groups, no primary
            // group). It is an Array for several groups, a single string for one,
            // and absent for none; default to an empty array for that last case.
            string[] roles = new string[0];
            PropertyValueCollection property = userEntry.Properties["memberOf"];
            if (property.Value is Array)
            {
                Array values = (Array)property.Value;
                roles = new string[values.Length];
                values.CopyTo(roles, 0);
            }
            else if (property.Value is string)
            {
                roles = new string[1];
                roles[0] = (string)property.Value;
            }
            return roles;
        }
    }
}
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:uoAzfb0fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I think he is using the Active Directory membership provider in ASP.NET 2.0
though, so he doesn't get a WindowsPrincipal. It uses LDAP, so he needs a
corresponding LDAP method to build roles as well (unless he can use
protocol transition).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news:%23yltZ1yfGHA.1320@xxxxxxxxxxxxxxxxxxxxxxx
On the IIS security settings for your virtual directory, disable
anonymous access, enable any or all of the other authentication providers
(basic, windows integrated, digest, ...). In your web.config file, locate
the system.web section and make sure these entries are there
<authentication mode="Windows" />
<identity impersonate="true" />
Once you have done that, your site is set up for impersonation. Depending on
the .NET version, you must either get the identity from the My namespace
(for 2.X) or from the Context.User object (for 1.X). Cast the identity as a
WindowsPrincipal and simply call IsInRole. It will check domain groups for
you. Here is the MSDN reference for .NET 2.X
ms-help://MS.MSDNQTR.v80.en/MS.MSDN.v80/MS.VisualStudio.v80.en/dv_vbcn/html/f7e734bd-33d4-402e-8eed-ffc905f94fa0.htm
"Kenneth Keeley" <kenkeeley@xxxxxxxxxxx> wrote in message
news:OksW0jsfGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news:OSz1RSmfGHA.4776@xxxxxxxxxxxxxxxxxxxxxxx
If you are using windows impersonation then
WindowsPrincipal.IsInRole(...)
will check group membership. If you are using LDAP to check the
authentication but are not impersonating the user then you will have to
construct the group membership manually.
What did you mean by Windows impersonation? Could you show me some sample
code of how to authenticate a user and obtain the roles using this method?
Thanks
Kenneth
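The custom RoleProvider discussed at the top of this reply reads memberOf, which lists only a user's direct groups. As an added example (not code from the thread or from MSDN), here is the core of a GetRolesForUser that instead reads the constructed tokenGroups attribute for effective, nested membership, binds with AuthenticationTypes.Secure rather than a simple bind, and escapes the login name before placing it in the LDAP filter; the class name, method names and the LDAP path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example (not from the thread or MSDN): the core of a custom RoleProvider's
// GetRolesForUser. Reads the constructed tokenGroups attribute, which yields the
// user's effective (nested) groups, where memberOf lists direct memberships only.
public static class AdRoleLookup
{
    // RFC 4515 escaping (backslash first) so a login name cannot alter the LDAP filter.
    public static string EscapeFilterValue(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // ldapPath (e.g. "LDAP://dc01.example.com/DC=example,DC=com") and a read-only
    // service account are assumed to come from the provider's web.config settings.
    public static string[] GetEffectiveGroups(string ldapPath, string svcUser, string svcPassword, string sAMAccountName)
    {
        // Secure = Kerberos/NTLM bind; Sealing encrypts the traffic. This avoids the
        // plaintext simple bind that AuthenticationTypes.None with a password performs.
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, svcUser, svcPassword,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                + EscapeFilterValue(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            if (hit == null) return new string[0]; // unknown user: no roles, not a null
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" }); // constructed attribute: must be requested explicitly
                List<string> roles = new List<string>();
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try { roles.Add(sid.Translate(typeof(NTAccount)).Value); } // "DOMAIN\Group"
                    catch (IdentityNotMappedException) { roles.Add(sid.Value); } // keep the raw SID
                }
                return roles.ToArray();
            }
        }
    }
}
```

Returning NTAccount names means IsUserInRole can compare against the same "DOMAIN\Group" strings a WindowsPrincipal.IsInRole caller would use.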