ActiveDirectoryMembershipProvider - IsInRole problem

Discussion in 'ASP .Net Security' started by David Thielen, Mar 22, 2006.

  1. Hi;

    For forms/ActiveDirectoryMembershipProvider authentication, I get an
    authenticated user but IsInRole fails. I am getting a FormsIdentity where
    authentication-"Forms" and name="dave". I do have to enter my domain password
    for it to login.

    web.config:
    <roleManager enabled="true"/>
    <authentication mode="Forms">
      <forms name=".ADAuthCookie" loginUrl="login.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="MyProvider">
      <providers>
        <clear/>
        <add name="MyProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             attributeMapUsername="SAMAccountName"
        />
      </providers>
    </membership>



    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com
    David Thielen, Mar 22, 2006
    #1

  2. Is the problem on the other thread resolved??

    There is no ActiveDirectoryRolesProvider - the roles are not populated from
    AD... that's why IsInRole fails.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Mar 22, 2006
    #2

  3. Hi;

    Yes - windows authentication works 100%.

    Yes - ActiveDirectory authentication does authenticate against domain
    username and password.

    So just this IsInRole issue. How do I get the roles to come from AD?

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com



    David Thielen, Mar 22, 2006
    #3
  4. PS - the use case for this authentication method is all users are in AD, but
    some use Firefox or Opera as their browser.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com



    David Thielen, Mar 22, 2006
    #4
  5. Right - and I think it is a pretty heavy limitation that there is no AD role
    provider...

    It is on my todo list - but I haven't found time so far...

    You have to fetch them manually - Joe knows at least 3 ways to do that :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Mar 22, 2006
    #5
  6. Yeah, if I had time right now, I'd put one together for you. In the
    meantime, you can check out Ryan's blog (www.dunnry.com) and see his
    tokenGroups group membership expansion sample. It works quite well. You
    could probably roll that into a role provider if you wanted to try.

    Ryan and I are together at a conference next week, so maybe we can try to do
    something like this? Who knows. :)

    Joe K.

    Joe Kaplan \(MVP - ADSI\), Mar 22, 2006
    #6
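
One way to roll a tokenGroups lookup into a read-only role provider, as an added example that is not part of the thread and is not Ryan Dunn's sample. The class name AdTokenGroupsRoleProvider and the Escape helper are hypothetical; the code assumes C# 6 or later, that the ADService connection string from the posted web.config holds an LDAP path, and that the worker process identity can read the directory.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web.Security;

public class AdTokenGroupsRoleProvider : RoleProvider   // hypothetical name
{
    public override string ApplicationName { get; set; }
    public override string[] GetRolesForUser(string username)
    {
        // "ADService" is the connection string name used in the posted web.config.
        string path = ConfigurationManager.ConnectionStrings["ADService"].ConnectionString;
        var roles = new List<string>();
        using (var root = new DirectoryEntry(path))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the name so user input cannot alter the LDAP filter.
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + Escape(username) + "))";
            SearchResult hit = searcher.FindOne();
            if (hit == null) return new string[0];
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                // tokenGroups is computed on request: SIDs of all security groups, nested ones included.
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sid in user.Properties["tokenGroups"])
                {
                    try { roles.Add(new SecurityIdentifier(sid, 0).Translate(typeof(NTAccount)).Value); }
                    catch (IdentityNotMappedException) { /* SID has no resolvable name; skip it */ }
                }
            }
        }
        return roles.ToArray();
    }
    public override bool IsUserInRole(string username, string roleName) =>
        Array.Exists(GetRolesForUser(username), r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    // Backslash is replaced first so the escapes added afterwards are not escaped again.
    static string Escape(string s) =>
        s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    // Group management stays in Active Directory, so the remaining members are unsupported.
    public override bool RoleExists(string r) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string u) { throw new NotSupportedException(); }
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
}
```

The provider has to be registered under the roleManager element's providers and named as its defaultProvider before IsInRole consults it, and role names come back in DOMAIN\GroupName form. Every lookup queries the directory, so the roleManager cacheRolesInCookie attribute is worth considering for busy sites.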
  7. Hi;

    That's amazing that you can authenticate but not authorize from AD - sort of
    makes it useless I think except for the case of any AD user is allowed to do
    anything...

    If you write one, I would be happy to test it.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com



    David Thielen, Mar 26, 2006
    #7
