Re: WindowsTokenRoleProvider & Domain Groups

There is a nice sample that shows how to use the AD tokenGroups attribute to
retrieve a user's transitive security group membership in ch 10 of our book,
which is a free download from our website (see link below). This technique
is the basis on which Ryan's ActiveDirectoryRoleProvider works. I'd
suggest checking that out.

If you need to do AD stuff and need to get up to speed with LDAP
programming, the book will likely help you.

It looks to me that if Windows auth in ASP.NET works for you, you should
just use Context.User.IsInRole to look at group membership. You really
don't need the WindowsTokenRoleProvider for this. I only think it is useful
in the context of an application that is coded to use the membership/roles
API and wants to provide flexibility to their customers as to which
providers they can use.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
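As an added illustration of the tokenGroups technique Joe describes (this is not code from the book or from Ryan's ActiveDirectoryRoleProvider), the snippet below reads a user's transitive group SIDs from the tokenGroups constructed attribute and resolves them to DOMAIN\Group names. The user's distinguished name and read access to that object under the calling identity are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Resolves a user's transitive (nested) security group membership via the
// tokenGroups constructed attribute, for any user, not only the caller.
static class TokenGroupsLookup
{
    public static List<string> GetTransitiveGroups(string userDistinguishedName)
    {
        var groups = new List<string>();

        // The bind (and the read below) runs under the process identity, or the
        // impersonated caller when <identity impersonate="true" /> is in effect.
        using (var user = new DirectoryEntry("LDAP://" + userDistinguishedName))
        {
            // tokenGroups is constructed by the DC on request: it is not returned
            // by an ordinary search and must be asked for explicitly on the entry.
            user.RefreshCache(new[] { "tokenGroups" });

            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(sidBytes, 0);
                try
                {
                    // Translate each SID to DOMAIN\Group via the local LSA.
                    groups.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    // SIDs of deleted groups or of unreachable trusted domains
                    // cannot be translated; keep the raw SID so it can still
                    // be audited rather than silently dropped.
                    groups.Add(sid.Value);
                }
            }
        }
        return groups;
    }

    static void Main()
    {
        // Placeholder DN; replace with a real user object in your forest.
        foreach (var g in GetTransitiveGroups("CN=Example User,OU=Users,DC=example,DC=local"))
            Console.WriteLine(g);
    }
}
```

Because the read happens under the worker process or impersonated identity, the process-identity question Steven raises below applies here too; passing explicit credentials to the DirectoryEntry constructor is the alternative when the process account lacks read access.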
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:E9B0885E-9EF9-4691-AB38-60AF99C0DF1E@xxxxxxxxxxxxxxxx
See my response to Joe about the ActiveDirectoryMembershipProvider.

My configuration is:

Windows XP Pro (IIS 5)
web.config contains <authentication mode="Windows" />
IIS vdir Directory Security is set to only Integrated Windows Authentication
Impersonation is turned on

I don't know how definitive this is, but when I display the values of
Environment.UserDomainName and Environment.UserName I get WAGNER\cwagner,
which is my domain credentials.

I also tried turning anonymous access back on and setting the anonymous user
account to my domain account and leaving impersonate on. Again
Environment.UserDomainName and Environment.UserName reported WAGNER\cwagner,
but GetRoles returned nothing.

Because ultimately I'm going to need to be able to get information about a
user other than the one that is logged in, the DirectoryEntry/DirectorySearcher
approach seems like the better one. In the back of my mind I had always
wondered how I would make GetRoles get me information for other than the
currently authenticated user, but I'm new to working with AD and just kind of
latched on to the first thing I found and started experimenting with it.

"Steven Cheng[MSFT]" wrote:

For the "WindowsTokenRoleProvider", based on my local test, it seems with
an authenticated Windows user, all the groups (domain, local domain and
built-in ones) can be correctly retrieved. But my test is performed in the VS
2005 test webserver, which is running under my logon user (domain account).
So I think the behavior may be related to your ASP.NET application's worker
process identity (since the AD query is performed under the process identity
if no impersonation is used). What's the current security identity of your
ASP.NET worker process? Are you using IIS5 or IIS6? I suggest you also try
configuring the ASP.NET application to run under a domain account to see
whether you can get all the correct groups.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no
rights.
