Get UserGroup of Active Directory to control the security

Shaker

Hi,
I have an ASP.Net Intranet App with C#.

I don't need to ask users for User and PWD since they are already
logged in.
This is achieved through the "<deny users="?" />" tag. No problem with it.

My concern now is to determine the user group the user belongs to,
in order to control the rest of navigation to the site.
Please provide me with clear code to do that.
 
Joe Kaplan (MVP - ADSI)

If you are using Windows authentication in ASP.NET, you can easily do basic
role-based security against the user's group membership using the
WindowsPrincipal class which is exposed as the IPrincipal object returned by
the User property on the HttpContext or Page class or the
Thread.CurrentPrincipal class for code that does not reference System.Web
such as a middle tier layer or something.

You just call the User.IsInRole method with the name of the group you are
interested in (in domain\group name format) and it will return true or
false.

Additionally, the allow and deny tags in web.config, which are used by the
UrlAuthorizationModule, can be used to declaratively allow and deny access
to certain parts of your page. Use the same syntax as above, e.g.

<allow roles="mydomain\mygroup"/>

Finally, you can use the PrincipalPermission and
PrincipalPermissionAttribute to achieve similar things, although I'm not a
big fan of the attribute as the principal name must be specified at compile
time.

HTH,

Joe K.
 
Shaker

Thanks, this works fine,
but I still need a way to get user info beside a full tree of user groups from
AD without providing a password.
I'll get the user name using (User.Identity.Name) of the page object.

Thanks again
 
Joe Kaplan (MVP - ADSI)

Can you explain what you mean by "user info"? Your original question asked
about AD groups and I thought I answered that.

Joe K.
 
Joe Kaplan (MVP - ADSI)

Ah, that requires a query to AD.

Essentially, you just need to use the DirectorySearcher to query AD where
sAMAccountName equals the user's name from Context.User.Identity.Name (after
the domain prefix, e.g. domain\sAMAccountName). The filter would look like:

(sAMAccountName=userName)

The trick is going to be getting a security context that can query the
directory. If you use impersonation, you can use the user's own security
context to do that, but you'll need Kerberos delegation if you are using
Windows Integrated authentication. There is a good article here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Joe K.
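
The DirectorySearcher lookup described in the reply above, as an added example that is not part of the original thread. The class and method names and the choice of attributes to load are assumptions; the user name is escaped per RFC 4515 before it goes into the filter so that characters such as `*` or `(` cannot change the query.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class AdUserLookup   // hypothetical helper, not from the thread
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // identityName is Context.User.Identity.Name, e.g. "mydomain\jsmith".
    public static SearchResult FindUser(string identityName)
    {
        // Keep only the part after the domain prefix.
        int slash = identityName.IndexOf('\\');
        string sam = slash >= 0 ? identityName.Substring(slash + 1) : identityName;

        // With no search root given, the searcher binds to the current domain
        // under whatever security context the calling thread runs as.
        using (var searcher = new DirectorySearcher())
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)"
                            + "(sAMAccountName=" + EscapeLdapFilterValue(sam) + "))";
            // Assumed attribute set; memberOf holds direct group DNs only.
            searcher.PropertiesToLoad.AddRange(
                new[] { "displayName", "mail", "memberOf" });
            searcher.SizeLimit = 1;
            return searcher.FindOne();   // null when no user matches
        }
    }
}
```

From a page, `AdUserLookup.FindUser(User.Identity.Name)` returns the matching entry or null; whether the bind succeeds depends on the security context discussed above.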
 
