Re: Active Directory and Roles



Right, and that is the kind of code we don't like as we don't like using
memberOf for enumerating group membership. It doesn't do full transitive
group membership expansion, includes both security and non-security groups
and doesn't include the primary group. The tokenGroups approach that I
referred to earlier addresses all of those problems. This approach is
generally very effective for AD and ADAM, although it is an AD-specific
feature, so it obviously won't work with 3rd party directories.

The credentials issue for accessing the directory can be solved a variety of
ways. Configuring the process account to access the directory is probably
the easiest, but you can also configure the app to impersonate a specific
account. You can also supply credentials to the LDAP server and store them
securely in configuration. With a third party directory, this is probably
the only viable option as they don't tend to support Windows auth. :) COM+
is also an option, but it is my least favorite as it is the hardest to
deploy. We actually cover a lot of this stuff in chapter 8 of our book. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
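The tokenGroups approach Joe describes, set against the memberOf sample quoted further down, as an added example in C# (not code from the thread or from MSDN; the class name, ldapPath and the bind credentials are assumptions):

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example (not the thread's or MSDN's code): roles via tokenGroups instead of memberOf.
// ldapPath (e.g. "LDAP://dc01.example.com/DC=example,DC=com") and bind credentials are assumed inputs.
public static class TokenGroupsRoleLookup
{
    public static string[] GetRolesForUser(string ldapPath, string bindUser, string bindPassword, string samAccountName)
    {
        // Signed and sealed bind; AuthenticationTypes.None (as in the MSDN sample) sends the password in clear.
        const AuthenticationTypes secure = AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword, secure))
        using (var finder = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        {
            SearchResult hit = finder.FindOne();
            if (hit == null) return new string[0];   // unknown user: empty roles, not a null reference
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                // tokenGroups is computed by the DC on a base-scope read (a search never returns it):
                // transitively expanded, security groups only, primary group included, as raw SID byte arrays.
                user.RefreshCache(new[] { "tokenGroups" });
                return ResolveSidsToNames(root, user.Properties["tokenGroups"]);
            }
        }
    }

    // One search maps every SID to a sAMAccountName; SIDs outside this naming context (other domains) drop out.
    private static string[] ResolveSidsToNames(DirectoryEntry root, PropertyValueCollection sids)
    {
        if (sids.Count == 0) return new string[0];
        var filter = new StringBuilder("(|");
        foreach (byte[] sid in sids)   // binary values go into the filter as \xx hex escapes
            filter.Append("(objectSid=\\").Append(BitConverter.ToString(sid).Replace("-", "\\")).Append(')');
        filter.Append(')');
        using (var searcher = new DirectorySearcher(root, filter.ToString(), new[] { "sAMAccountName" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            var names = new List<string>();
            foreach (SearchResult r in results) names.Add((string)r.Properties["sAMAccountName"][0]);
            return names.ToArray();
        }
    }

    // RFC 4515 escaping so a crafted user name cannot change the filter's meaning.
    private static string EscapeFilterValue(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}
```

Groups from other domains in the forest appear in tokenGroups but are not found under a single domain naming context; resolve those against a global catalog if you need them.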
"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news:%23yQx7B2fGHA.4776@xxxxxxxxxxxxxxxxxxxxxxx
Ok so if you are using the ActiveDirectoryMembershipProvider then you will
indeed have to code something. MSDN implies (see excerpt below) that you
don't need to. Since this probably means that IIS is running as a local
anonymous account, you will probably have to wrap up the sample code in a
COM+ (whoops, call that Enterprise Services) class and give it an AD
identity that has enough permissions to enumerate groups on other user
objects.

// from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch3_ImpDirectAuth_WSE30.asp
If you use an LDAP-enabled directory service other than Active Directory
or ADAM to validate credentials, you may need to create a custom
membership provider. For more details on how to build custom ASP.NET 2.0
providers, see Building Custom Providers for ASP.NET 2.0 Membership. Also,
depending how you store and retrieve account roles in your directory
service, you may need to implement a custom RoleProvider. For example, if
you use an LDAP schema for user roles that is not supported through
ActiveDirectoryMembershipProvider, you will need to implement a custom
RoleProvider to retrieve roles for your users.

In a custom RoleProvider class, you need to retrieve the user roles from
the directory service by overriding the GetRolesForUser() method. The code
to retrieve user roles from the directory service would look like the
following example.

using System;
using System.DirectoryServices;

public override string[] GetRolesForUser(string username)
{
    using (DirectoryEntry rootEntry = new DirectoryEntry(this.connectionString))
    {
        rootEntry.Username = this.username;
        rootEntry.Password = this.password;

        // Simple bind, as in the MSDN sample: the password travels in clear
        // unless the connection string uses LDAPS.
        rootEntry.AuthenticationType = AuthenticationTypes.None;
        rootEntry.RefreshCache();

        // Search for the user in the directory service
        using (DirectorySearcher searcher = new DirectorySearcher(rootEntry))
        {
            searcher.PropertiesToLoad.Add("memberOf");
            searcher.PropertiesToLoad.Add(this.usernameAttribute);

            // username is inserted into the filter unescaped (RFC 4515 escaping
            // is the caller's responsibility in this sample)
            searcher.Filter = String.Format("(&(objectClass=user)({0}={1}))",
                this.usernameAttribute, username);
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                // unknown user: no roles, not a NullReferenceException
                return new string[0];
            }

            using (DirectoryEntry userEntry = result.GetDirectoryEntry())
            {
                // memberOf holds direct memberships only: nested groups and
                // the primary group are not listed
                string[] roles = new string[0];

                PropertyValueCollection property = userEntry.Properties["memberOf"];
                if (property.Value is Array)
                {
                    Array values = (Array)property.Value;
                    roles = new string[values.Length];
                    values.CopyTo(roles, 0);
                }
                else if (property.Value is string)
                {
                    roles = new string[1];
                    roles[0] = (string)property.Value;
                }
                return roles;
            }
        }
    }
}
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:uoAzfb0fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I think he is using the Active Directory membership provider in ASP.NET
2.0 though, so he doesn't get a WindowsPrincipal. It uses LDAP, so he
needs a corresponding LDAP method to build roles as well (unless he can
use protocol transition).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news:%23yltZ1yfGHA.1320@xxxxxxxxxxxxxxxxxxxxxxx
On the IIS security settings for your virtual directory, disable
anonymous access, enable any or all of the other authentication
providers (basic, windows integrated, digest, ...). In your web.config
file, locate the system.web section and make sure these entries are
there
<authentication mode="Windows" />

<identity impersonate="true" />

Once you have done that your site is now set up for impersonation;
depending on the .NET version you must either get the identity from the
My namespace (for 2.X) or from the Context.User object (for 1.X). Cast
the identity as a WindowsPrincipal and simply call IsInRole. It will
check domain groups for you. Here is the MSDN reference for .NET 2.X:

ms-help://MS.MSDNQTR.v80.en/MS.MSDN.v80/MS.VisualStudio.v80.en/dv_vbcn/html/f7e734bd-33d4-402e-8eed-ffc905f94fa0.htm




"Kenneth Keeley" <kenkeeley@xxxxxxxxxxx> wrote in message
news:OksW0jsfGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news:OSz1RSmfGHA.4776@xxxxxxxxxxxxxxxxxxxxxxx
If you are using Windows impersonation then WindowsPrincipal.IsInRole(...)
will check group membership. If you are using LDAP to check the
authentication but are not impersonating the user then you will have to
construct the group membership manually.

What did you mean by Windows impersonation? Could you show me sample code
of how to authenticate a user and obtain the roles using this method.

Thanks
Kenneth
