Re: WindowsTokenRoleProvider & Domain Groups



I don't understand why you need to use forms auth if you are going to use AD
as the auth store. What's the point? I realize that MS provided the AD
membership provider to address this need, but I still struggle to understand
when it is really needed.

If you do plan to use the AD membership provider, you will need an AD
LDAP-based role provider as well such as the one I mentioned that Ryan is
working on currently. To look up your additional attributes in AD, that
will require the DirectorySearcher as you've already been doing.

Definitely check out the book, especially the end of ch 10 to see how the
tokenGroups thing works to get a user's group membership via LDAP. That is
the query that the whole thing pivots around. The rest is just framework
code to make that data work within the provider model and provide
appropriate credentials and connection info to AD.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:383BFA30-92CB-4267-A5DD-2187EE0A57BD@xxxxxxxxxxxxxxxx
"If you are using Windows auth in IIS/ASP.NET..."

Ah, there's the rub. The only reason I'm using Windows Authentication right
now is because that's the only way I could start experimenting with the
GetRoles method.

As I said in another post, ultimately the app needs to run with anonymous
access enabled and forms authentication. The current configuration (using
Windows Authentication) was only to get me started understanding a bit about
this stuff. Of course the first thing I ran into was not seeing the domain
local groups, which confused me.

Given that I ultimately need to use Forms Authentication and have the web
app run with anonymous access enabled, using the
ActiveDirectoryMembershipProvider for authentication and DirectorySearcher to
look up the user's name and groups seems the way to go.

I will take a look at your book for more hints.
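A worked example of the tokenGroups lookup Joe describes, added here as illustration rather than code from the thread or the book; it assumes System.DirectoryServices, a service-account credential and the user's distinguished name, all supplied by the caller as placeholders:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Reads a user's group membership from AD through the constructed LDAP
// attribute tokenGroups. Runs under a service account rather than the web
// user's token, which is what a forms-auth app with anonymous access needs.
public static class TokenGroupsLookup
{
    // userDn: DN of the user object (e.g. from a prior DirectorySearcher
    // lookup). svcUser/svcPassword: account allowed to read that object.
    // All three are placeholders chosen by the caller.
    public static List<string> GetGroupNames(string userDn, string svcUser, string svcPassword)
    {
        var groups = new List<string>();
        using (var user = new DirectoryEntry("LDAP://" + userDn, svcUser, svcPassword,
                                             AuthenticationTypes.Secure))
        // tokenGroups is computed by the DC, so it is only returned for a
        // base-scope search against the user object with the attribute
        // requested explicitly; a subtree search will not return it.
        using (var searcher = new DirectorySearcher(user, "(objectClass=*)",
                                                    new[] { "tokenGroups" }, SearchScope.Base))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) return groups;

            foreach (byte[] sidBytes in result.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(sidBytes, 0);
                try
                {
                    // Resolve the SID to DOMAIN\Group. Nested and domain local
                    // groups of the user's own domain are included, because the
                    // DC expands membership when it builds tokenGroups.
                    groups.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    // Keep the raw SID for groups this host cannot resolve.
                    groups.Add(sid.Value);
                }
            }
        }
        return groups;
    }
}
```

A role provider's GetRolesForUser would wrap this call; the membership provider only answers the authentication question, so the group list still has to come from a query like this one.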
