How to authenticate ASP.NET page against AD

[DWY]

All I want to do is setup a role within the web.config, but what "exactly" do
I specify? Can I use a security group? Do I have to specify domain\user?
I've tried variations, but none seem to work.

 

[Joe Kaplan \(MVP - ADSI\)]

How have you configured your authentication in IIS? Is anonymous disabled?
You also need ASP.NET set to Windows authentication in web.config (although
that is the default).

Once you have done that, you can use AD groups in your role names. They go
in the format "domain\group name".

Joe K.

 

[DWY]

Thank you for the informative post.

However, something still isn't correct because when I try the following code
in page_load, I still get "Not in Role" even though I know for a fact that
I'm in the shown Security Group. I've tried both sides, a group I'm in and a
group I'm not in and I get the same result.

Response.Write(User.Identity.Name)

Dim wp As New
System.Security.Principal.WindowsPrincipal(System.Security.Principal.WindowsIdentity.GetCurrent())

If wp.IsInRole("domain01\CSS Users") Then
Response.Write("In Role")
Else
Response.Write("Not in Role")
End If

Also, the intent of my original post was to perform authentication using
nothing but the "role" attribute from the web.config and not custom code.
What if I wanted to add another role to access the web application? using
this method I'd need to recompile, with the web.config, it's a simply change,
no recompile or re-install.

 

[DWY]

Ok, I figured it out (using Patrick's code fromm below). In ASP.net v1.0,
the role is case-sensitive and 1.1+ it's not. I switched the ASP.net version
in the IIS Manager and it works using the custom code shown by Patrick,
however, I still cannot get it working using just the web.config file...

 

[Dominick Baier [DevelopMentor]]

WindowsIdentity.GetCurrent()) return the identity of the worker process -
but i guess you want to do the role check against the client...

that's Context.User.IsInRole(...);

 

[Joe Kaplan \(MVP - ADSI\)]

I think the bug in 1.0 was fixed in a service pack. Are your .NET Framework
versions fully patched?

As long as the UrlAuthorizationModule has not been removed from your list of
httpModules for the site, the <allow> and <deny> tags should work just fine.

That httpModule is added by default in machine.config, but it is possible
that something else in the site (perhaps a global level web.config) removed
it.

What do your <allow> and <deny> tags look like?

Joe K.