Re: AzMan Still the way to go?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 25 Aug 2006 14:06:47 -0500
Agreed with D. His book should be very good too. I'm looking for it. I
like mine too, but it is really only appropriate if you need to do LDAP
programming, and I'd say that isn't needed here.
The thing to know with Windows authentication (IWA in IIS) in ASP.NET is
that the user will be authenticated by the OS and your code will be given a
WindowsPrincipal object representing the authenticated user. The
WindowsPrincipal contains the user's name and their groups. You can check
the groups directly for authorization by doing IsInRole.
If you want to create a mapping between the principals in AD (users and
groups) and your application-specific roles, that is one thing that AzMan
shines at. However, it is also big and complex and may be overkill. A very
simple approach is to create a simple mapping between AD groups and your
application roles and then create a new GenericPrincipal object in the
Authenticate event handler of global.asax that simply reads the user's
groups, figures out which mapped application roles they get, and then
creates the appropriate array of roles to feed into the GenericPrincipal
constructor. After that, the rest of your code can authorize based on the
application-specific roles. This type of approach is basically like a poor
man's AzMan, where you have to implement the storage of the role mappings
and the implementation of the role mappings yourself and don't get the
advantage of having the powerful role/task/operation model that AzMan
supports. The benefit is that there is no black box and you understand
exactly how everything works. The downside is that you may have to write
more code, won't get a pretty UI for maintaining the mapping policy for
free, and have less abstraction in your model, which may mean that your code
ends up being harder to maintain. It is all trade-offs. :)
It may also be possible to use the SQL role provider to get some of this
functionality; I'm not sure how it integrates with Windows auth. The thing
you want to try to avoid is storing all of your users in SQL, as that will
create a maintenance nightmare with keeping the data in sync with AD. Ick!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
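The "poor man's AzMan" approach Joe describes, as an added example (not code from the thread or from either book). It is an ASP.NET 2.0 Global.asax.cs that hooks Application_AuthenticateRequest, which is the global.asax event that fires once IIS Integrated Windows Authentication has produced the WindowsPrincipal. The domain, group names and role names are assumptions; the mapping table would normally come from web.config or a database rather than a static dictionary.

```csharp
// Global.asax.cs for an ASP.NET 2.0 site running under IIS with Integrated
// Windows Authentication enabled and anonymous access disabled.
// Added example; the CONTOSO domain, group names and role names are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical mapping from AD groups (DOMAIN\Group) to application roles.
    // Kept in code here only so the example is self-contained.
    private static readonly Dictionary<string, string[]> GroupToRoles;

    static Global()
    {
        GroupToRoles = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
        GroupToRoles.Add(@"CONTOSO\App-Admins",  new string[] { "Admin", "Editor", "Reader" });
        GroupToRoles.Add(@"CONTOSO\App-Editors", new string[] { "Editor", "Reader" });
        GroupToRoles.Add(@"CONTOSO\App-Readers", new string[] { "Reader" });
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        WindowsPrincipal windowsUser = Context.User as WindowsPrincipal;
        if (windowsUser == null || !windowsUser.Identity.IsAuthenticated)
        {
            // IIS did not authenticate the caller; leave the principal alone so
            // UrlAuthorizationModule still treats the request as anonymous.
            return;
        }

        string[] appRoles = MapToApplicationRoles(windowsUser);

        // Keep the WindowsIdentity (name, SID, impersonation token) and replace
        // only the role set, so auditing and impersonation keep working.
        Context.User = new GenericPrincipal(windowsUser.Identity, appRoles);
    }

    // Deny by default: an authenticated domain user who is in none of the
    // mapped groups gets an empty role array and fails every IsInRole check.
    internal static string[] MapToApplicationRoles(WindowsPrincipal user)
    {
        List<string> roles = new List<string>();
        foreach (KeyValuePair<string, string[]> entry in GroupToRoles)
        {
            // WindowsPrincipal.IsInRole(string) resolves DOMAIN\Group to a SID
            // and checks the logon token's group SIDs; no LDAP query is needed.
            if (user.IsInRole(entry.Key))
            {
                foreach (string role in entry.Value)
                {
                    if (!roles.Contains(role))
                    {
                        roles.Add(role);
                    }
                }
            }
        }
        return roles.ToArray();
    }
}
```

After this handler runs, both `User.IsInRole("Editor")` in page code and `<allow roles="Editor" />` in a web.config `<authorization>` section operate on the application roles rather than on raw AD group names, because UrlAuthorizationModule runs after AuthenticateRequest. Two caveats worth keeping in mind: a group that is renamed in AD silently stops matching a name-keyed table (keying the mapping on the group SID avoids that), and a mapping table that lives in code has to be redeployed to change policy, which is exactly the maintenance cost Joe contrasts with AzMan's stored policy and UI.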
--
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:4580be63132808c8969ce59d3740@xxxxxxxxxxxxxxxxxxxxx
Well - you find that much info about IWA in Stefan's book - it is more
about the providers.
The good thing with IWA is, that you turn it on and it just works - you
don't need any code. IIS does all the heavy lifting -
here you'll find a lot of info on how to integrate with Windows
security - unfortunately you'll have to wait some more weeks for it...
http://www.microsoft.com/mspress/books/9989.asp
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
Joe, I'm still waiting for my book to show up so I'm sort of stalling.
However, from reading your previous note, I think I'm getting a bit
overwhelmed with information. (meaning confused)
I can use Windows authentication in IIS, and was actually planning on it.
That explains my confusion, because everything is form based, and I
have been trying to just use the Windows authentication in IIS for
initial authentication and then look at a mixture of what AD groups,
and what sqlRoles they are part of to determine what they see. Maybe
that approach is too complex and I should eliminate something in there.
I'm just not sure what approach to take.
I know I can do IWA.... SSO would come along with that also. I guess
that leaves me back with, most of the documentation is for forms.
Maybe that book will give me a better 101 level understanding of which
approach to take.
(leave to go check the mail...where's that book)