How to authenticate ASP.NET page against AD

Discussion in 'ASP .Net Security' started by DWY, Feb 1, 2006.

  1. DWY

    DWY Guest

    All I want to do is setup a role within the web.config, but what "exactly" do
    I specify? Can I use a security group? Do I have to specify domain\user?
    I've tried variations, but none seem to work.
     
    DWY, Feb 1, 2006
    #1
    1. Advertising

  2. How have you configured your authentication in IIS? Is anonymous disabled?
    You also need ASP.NET set to Windows authentication in web.config (although
    that is the default).

    Once you have done that, you can use AD groups in your role names. They go
    in the format "domain\group name".

    Joe K.

    "DWY" <> wrote in message
    news:...
    > All I want to do is setup a role within the web.config, but what "exactly"
    > do
    > I specify? Can I use a security group? Do I have to specify domain\user?
    > I've tried variations, but none seem to work.
     
    Joe Kaplan \(MVP - ADSI\), Feb 1, 2006
    #2
    1. Advertising

  3. DWY

    DWY Guest

    Thank you for the informative post.

    However, something still isn't correct because when I try the following code
    in page_load, I still get "Not in Role" even though I know for a fact that
    I'm in the shown Security Group. I've tried both sides, a group I'm in and a
    group I'm not in and I get the same result.

    Response.Write(User.Identity.Name)

    Dim wp As New
    System.Security.Principal.WindowsPrincipal(System.Security.Principal.WindowsIdentity.GetCurrent())

    If wp.IsInRole("domain01\CSS Users") Then
    Response.Write("In Role")
    Else
    Response.Write("Not in Role")
    End If

    Also, the intent of my original post was to perform authentication using
    nothing but the "role" attribute from the web.config and not custom code.
    What if I wanted to add another role to access the web application? using
    this method I'd need to recompile, with the web.config, it's a simply change,
    no recompile or re-install.

    "Patrick.O.Ige" wrote:

    > I have blogged something that could help you at:-
    > http://spaces.msn.com/naijacoder/
    > Hope that helps
    > Patrick
    >
    >
    > "DWY" <> wrote in message
    > news:...
    > > All I want to do is setup a role within the web.config, but what "exactly"
    > > do
    > > I specify? Can I use a security group? Do I have to specify domain\user?
    > > I've tried variations, but none seem to work.

    >
    >
    >
     
    DWY, Feb 1, 2006
    #3
  4. DWY

    DWY Guest

    Ok, I figured it out (using Patrick's code fromm below). In ASP.net v1.0,
    the role is case-sensitive and 1.1+ it's not. I switched the ASP.net version
    in the IIS Manager and it works using the custom code shown by Patrick,
    however, I still cannot get it working using just the web.config file...

    "Joe Kaplan (MVP - ADSI)" wrote:

    > How have you configured your authentication in IIS? Is anonymous disabled?
    > You also need ASP.NET set to Windows authentication in web.config (although
    > that is the default).
    >
    > Once you have done that, you can use AD groups in your role names. They go
    > in the format "domain\group name".
    >
    > Joe K.
    >
    > "DWY" <> wrote in message
    > news:...
    > > All I want to do is setup a role within the web.config, but what "exactly"
    > > do
    > > I specify? Can I use a security group? Do I have to specify domain\user?
    > > I've tried variations, but none seem to work.

    >
    >
    >
     
    DWY, Feb 1, 2006
    #4
  5. WindowsIdentity.GetCurrent()) return the identity of the worker process -
    but i guess you want to do the role check against the client...

    that's Context.User.IsInRole(...);

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thank you for the informative post.
    >
    > However, something still isn't correct because when I try the
    > following code in page_load, I still get "Not in Role" even though I
    > know for a fact that I'm in the shown Security Group. I've tried both
    > sides, a group I'm in and a group I'm not in and I get the same
    > result.
    >
    > Response.Write(User.Identity.Name)
    >
    > Dim wp As New
    > System.Security.Principal.WindowsPrincipal(System.Security.Principal.W
    > indowsIdentity.GetCurrent())
    >
    > If wp.IsInRole("domain01\CSS Users") Then
    > Response.Write("In Role")
    > Else
    > Response.Write("Not in Role")
    > End If
    > Also, the intent of my original post was to perform authentication
    > using nothing but the "role" attribute from the web.config and not
    > custom code. What if I wanted to add another role to access the web
    > application? using this method I'd need to recompile, with the
    > web.config, it's a simply change, no recompile or re-install.
    >
    > "Patrick.O.Ige" wrote:
    >
    >> I have blogged something that could help you at:-
    >> http://spaces.msn.com/naijacoder/
    >> Hope that helps
    >> Patrick
    >> "DWY" <> wrote in message
    >> news:...
    >>
    >>> All I want to do is setup a role within the web.config, but what
    >>> "exactly"
    >>> do
    >>> I specify? Can I use a security group? Do I have to specify
    >>> domain\user?
    >>> I've tried variations, but none seem to work
     
    Dominick Baier [DevelopMentor], Feb 1, 2006
    #5
  6. I think the bug in 1.0 was fixed in a service pack. Are your .NET Framework
    versions fully patched?

    As long as the UrlAuthorizationModule has not been removed from your list of
    httpModules for the site, the <allow> and <deny> tags should work just fine.

    That httpModule is added by default in machine.config, but it is possible
    that something else in the site (perhaps a global level web.config) removed
    it.

    What do your <allow> and <deny> tags look like?

    Joe K.

    "DWY" <> wrote in message
    news:...
    > Ok, I figured it out (using Patrick's code fromm below). In ASP.net v1.0,
    > the role is case-sensitive and 1.1+ it's not. I switched the ASP.net
    > version
    > in the IIS Manager and it works using the custom code shown by Patrick,
    > however, I still cannot get it working using just the web.config file...
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> How have you configured your authentication in IIS? Is anonymous
    >> disabled?
    >> You also need ASP.NET set to Windows authentication in web.config
    >> (although
    >> that is the default).
    >>
    >> Once you have done that, you can use AD groups in your role names. They
    >> go
    >> in the format "domain\group name".
    >>
    >> Joe K.
    >>
    >> "DWY" <> wrote in message
    >> news:...
    >> > All I want to do is setup a role within the web.config, but what
    >> > "exactly"
    >> > do
    >> > I specify? Can I use a security group? Do I have to specify
    >> > domain\user?
    >> > I've tried variations, but none seem to work.

    >>
    >>
    >>
     
    Joe Kaplan \(MVP - ADSI\), Feb 1, 2006
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jon
    Replies:
    4
    Views:
    518
  2. Tim Mackey
    Replies:
    7
    Views:
    348
    Dominick Baier
    Jan 4, 2007
  3. Ruggiero, Vince
    Replies:
    0
    Views:
    769
    Ruggiero, Vince
    Dec 14, 2009
  4. Ruggiero, Vince
    Replies:
    0
    Views:
    918
    Ruggiero, Vince
    Dec 14, 2009
  5. Bud
    Replies:
    4
    Views:
    164
Loading...

Share This Page