Active Directory - Groups and Permissions

Discussion in 'ASP .Net' started by Scott, May 2, 2006.

  1. Scott

    Scott Guest

    I'm creating an intranet site that uses Forms authentication to
    validate users against an Active Directory. Users need to be able to
    log in both from work and remotely. Then I want to be able to do two
    things: (1) Check whether a user is in an AD group and (2) enforce NTFS
    permissions based on AD username.

    First scenario: "Joe" logs in to the web site from home using his
    domain username and password. Joe should see certain content on the web
    site based on his AD group membership. Let's say he's in Marketing, so
    I'd like to be able to check whether User.IsInRole("Marketing"). Right
    now when I try that, I get a message saying: "Method is only supported
    if the user name parameter matches the user name in the current Windows
    Identity." Is this because I've set the app to use the
    AspNetWindowsTokenRoleProvider? Does that only work if he is physically
    logged into a computer on the AD domain? Is there a way to emulate the
    Windows Identity? Or should I be using a different role provider?

    Second scenario: Joe has certain permissions to network resources that
    need to be enforced. For example, a web folder (WebDAV) with financial
    data allows members in group "Marketing" read access only. It is
    enforced when he physically logs into the AD domain at work, but it
    should also be enforced when he logs in from the road. Right now I'm
    using <identity impersonate="true"/> - hoping it will use his username
    "Joe" rather than the ASP.NET worker process to access that folder. Is
    that the right way to approach the problem?

    Currently I'm developing the site on a Windows XP machine using VS2005
    and the built-in ASP web server. The production web server will be
    Windows 2003, and the AD domain itself is Windows 2000. Any help is
    much appreciated. Here are the relevant snippets from my web.config
    file:

    <connectionStrings>
      <add name="ADConnectionString"
           connectionString="LDAP://machine.domain.com/CN=Users,DC=machine,DC=domain,DC=com" />
    </connectionStrings>

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <identity impersonate="true"/>

    <authentication mode="Forms">
      <forms name=".ADAuthCookie" timeout="10" />
    </authentication>

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <membership defaultProvider="MyADMembershipProvider">
      <providers>
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADConnectionString"
             connectionUsername="domain\user" connectionPassword="password"
             attributeMapUsername="sAMAccountName" enableSearchMethods="true" />
      </providers>
    </membership>
     
    Scott, May 2, 2006
    #1
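AspNetWindowsTokenRoleProvider reads roles from the WindowsIdentity of the current request, which only exists under Windows authentication; under Forms authentication the user name never matches that identity, which is exactly the exception quoted in the post. One way to get User.IsInRole("Marketing") working for a Forms-authenticated user, as an added example that is not from the original post (the class name AdGroupRoleProvider, the service-account attributes and the LDAP path are assumptions), is a custom RoleProvider that looks the user up over LDAP with the same connection string the membership provider already uses:

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.DirectoryServices;
using System.Text;
using System.Web.Security;

// Read-only RoleProvider: resolves a Forms-authenticated user's roles from the
// "memberOf" attribute of his AD account, so User.IsInRole("Marketing") works
// without a Windows token. Hypothetical example; class and config names are assumed.
public class AdGroupRoleProvider : RoleProvider
{
    private string _ldapPath;     // e.g. LDAP://dc.domain.com/DC=domain,DC=com (assumed)
    private string _bindUser;     // low-privilege read-only account (assumed)
    private string _bindPassword;
    private string _appName;

    public override string ApplicationName { get { return _appName; } set { _appName = value; } }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "AdGroupRoleProvider";
        base.Initialize(name, config);

        // Reuse the connection string the membership provider already uses.
        string csName = config["connectionStringName"];
        ConnectionStringSettings cs = csName == null ? null : ConfigurationManager.ConnectionStrings[csName];
        if (cs == null) throw new ProviderException("connectionStringName is not defined");
        _ldapPath = cs.ConnectionString;
        _bindUser = config["connectionUsername"];
        _bindPassword = config["connectionPassword"];
        _appName = config["applicationName"] ?? "/";
    }

    public override string[] GetRolesForUser(string username)
    {
        // Escape the login name (RFC 4515) so a crafted username cannot rewrite the filter.
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilter(username) + "))";
        using (DirectoryEntry root = new DirectoryEntry(_ldapPath, _bindUser, _bindPassword,
                                                        AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter,
                                                new string[] { "memberOf" }, SearchScope.Subtree))
        {
            SearchResult user = searcher.FindOne();
            if (user == null) return new string[0];

            // memberOf lists direct memberships only: the primary group (normally
            // Domain Users) and nested groups are not included.
            List<string> roles = new List<string>();
            foreach (object groupDn in user.Properties["memberOf"])
                roles.Add(CommonNameOf((string)groupDn));
            return roles.ToArray();
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        foreach (string role in GetRolesForUser(username))
            if (string.Equals(role, roleName, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    // "CN=Marketing,OU=Groups,DC=domain,DC=com" -> "Marketing"; honours backslash
    // escapes such as "CN=Sales\, EMEA".
    internal static string CommonNameOf(string dn)
    {
        StringBuilder cn = new StringBuilder();
        for (int i = dn.IndexOf('=') + 1; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length) cn.Append(dn[++i]);
            else if (dn[i] == ',') break;
            else cn.Append(dn[i]);
        }
        return cn.ToString();
    }

    // Backslash is replaced first so the escapes added afterwards are not re-escaped.
    internal static string EscapeFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                    .Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Group membership is managed in AD, not from the web application.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
}
```

Put the class in App_Code and register it in place of the Windows-token provider: <roleManager enabled="true" defaultProvider="AdGroupRoleProvider" cacheRolesInCookie="true" cookieProtection="All"> with an <add name="AdGroupRoleProvider" type="AdGroupRoleProvider" connectionStringName="ADConnectionString" connectionUsername="domain\user" connectionPassword="password" /> entry under <providers>. cacheRolesInCookie matters because GetRolesForUser does an LDAP round trip each time it is called; with the cache on, the roles are looked up once per login and carried in an encrypted, signed cookie. Two things to check against the posted config: the search base is whatever the connection string points at, so with CN=Users as the base a user living in another OU will not be found, and the bind account should be a plain domain user, since it only needs read access.

The second scenario is the same problem in another form. <identity impersonate="true"/> impersonates the token IIS hands to ASP.NET, and with Forms authentication that token belongs to the anonymous IIS account, not to Joe, so the WebDAV folder is opened as that account. Getting a Windows token for a Forms-authenticated user needs either his password at request time (LogonUser) or Kerberos protocol transition (the WindowsIdentity(string upn) constructor), and protocol transition requires Windows Server 2003 domain controllers, which a Windows 2000 domain does not have.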

  2. Scott

    Scott Guest

    Anyone have any tips on this? Even any general resources about how to
    harness Active Directory on an ASP.NET 2.0 intranet?
     
    Scott, May 16, 2006
    #2

  3. Juan T. Llibre, May 16, 2006
    #3
