Listing domain users

Discussion in 'ASP .Net Security' started by Felix_WafyTech, Feb 18, 2006.

  1. Hello,

    I'm using windows authentication to authenticate users to my site. I now
    want to

    1. Add the ability of listing domain users (From Active Directory)
    2. Filter the user list based on the roles (or groups) assigned to them (via
    Active Directory).

    Any help would be greatly appreciated.

    Thanks,
    Felix.J
     
    Felix_WafyTech, Feb 18, 2006
    #1

  2. Forgot to mention that the site is created using VS 2005 / ASP .NET 2.0.

    "Felix_WafyTech" <> wrote in message
    news:#...
    > Hello,
    >
    > I'm using windows authentication to authenticate users to my site. I now
    > want to
    >
    > 1. Add the ability of listing domain users (From Active Directory)
    > 2. Filter the user list based on the roles (or groups) assigned to them (via
    > Active Directory).
    >
    > Any help would be greatly appreciated.
    >
    > Thanks,
    > Felix.J
    >
    >
     
    Felix_WafyTech, Feb 18, 2006
    #2

  3. MikeS Guest

    Maybe have a look at System.DirectoryServices, the DirectorySearcher,
    SearchResult and DirectoryEntry.
     
    MikeS, Feb 18, 2006
    #3
  4. I agree with Mike that you need to query AD with classes in
    System.DirectoryServices. Here is a simple sample which may help you
    understand:

    http://support.microsoft.com/?id=326340

    Hope this helps,

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Luke Zhang [MSFT], Feb 20, 2006
    #4
  5. Thanks for the reply.

    The article that you quoted applies to ASP .NET 1.0 and 1.1. How about ASP
    .NET 2.0? Are there any enhancements to the way AD Authentication is
    performed using ASP .NET 2.0?

    Thanks,
    Felix.J


    "Luke Zhang [MSFT]" <> wrote in message
    news:...
    > I agree with Mike that you need to query AD with classes in
    > System.DirectoryServices. Here is a simple sample which may help you
    > understand:
    >
    > http://support.microsoft.com/?id=326340
    >
    > Hope this help,
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
     
    Felix_WafyTech, Feb 20, 2006
    #5
  6. All of the binding code in ASP.NET 2.0 for S.DS is about the same. What
    kind of enhancements were you looking for? If you explain more what your
    app is trying to do and whose credentials you are trying to use to do it,
    that would help.

    The primary directory services enhancements in .NET 2.0 are a large number
    of additional searching features, some cool enhancements for managing ACLs
    on DS objects and the S.DS.ActiveDirectory namespace.

    Joe K.

    "Felix_WafyTech" <> wrote in message
    news:...
    > Thanks for the reply.
    >
    > The article that you quoted applies to ASP .NET 1.0 and 1.1. How about ASP
    > .NET 2.0? Are there any enhancements to the way AD Authentication is
    > performed using ASP .NET 2.0?
    >
    > Thanks,
    > Felix.J
    >
    >
    > "Luke Zhang [MSFT]" <> wrote in message
    > news:...
    >> I agree with Mike that you need to query AD with classes in
    >> System.DirectoryServices. Here is a simple sample which may help you
    >> understand:
    >>
    >> http://support.microsoft.com/?id=326340
    >>
    >> Hope this help,
    >>
    >> Luke Zhang
    >> (This posting is provided "AS IS", with no warranties, and confers no
    >> rights.)
    >>

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Feb 20, 2006
    #6
  7. Felix Guest

    Thanks. I read the How To's listed in MSDN, and I'm quite clear about the
    authentication.

    I'm now trying to secure a page that allows users to view, insert and edit
    data. I now want to secure this page using windows authentication role based
    security. This is what I would like to do:

    1. All users including anonymous users should be able to view data.
    2. All users with the Managers role can view and insert data.
    3. All users with the Administrators role can view, insert and edit data.

    I've seen examples that create three different folders (and .aspx files) for
    each of these actions and use the web.config file to allow or deny access to
    those pages based on roles. I would like to do the same but with a single
    page. I do not want to duplicate web pages. Any help would be greatly
    appreciated.

    Thanks,
    Felix.J

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:%...
    > All of the binding code in ASP.NET 2.0 for S.DS is about the same. What
    > kind of enhancements were you looking for? If you explain more what your
    > app is trying to do and whose credentials you are trying to use to do it,
    > that would help.
    >
    > The primary directory services enhancements in .NET 2.0 are a large number
    > of additional searching features, some cool enhancements for managing ACLs
    > on DS objects and the S.DS.ActiveDirectory namespace.
    >
    > Joe K.
    >
    > "Felix_WafyTech" <> wrote in message
    > news:...
    >> Thanks for the reply.
    >>
    >> The article that you quoted applies to ASP .NET 1.0 and 1.1. How about ASP
    >> .NET 2.0? Are there any enhancements to the way AD Authentication is
    >> performed using ASP .NET 2.0?
    >>
    >> Thanks,
    >> Felix.J
    >>
    >>
    >> "Luke Zhang [MSFT]" <> wrote in message
    >> news:...
    >>> I agree with Mike that you need to query AD with classes in
    >>> System.DirectoryServices. Here is a simple sample which may help you
    >>> understand:
    >>>
    >>> http://support.microsoft.com/?id=326340
    >>>
    >>> Hope this help,
    >>>
    >>> Luke Zhang
    >>> (This posting is provided "AS IS", with no warranties, and confers no
    >>> rights.)
    >>>

    >>
    >>

    >
    >
     
    Felix, Feb 20, 2006
    #7
  8. MikeS Guest

    The simple answer may be that you need to use a rolemanager and
    make use of calls to User.IsInRole to determine what you will allow
    your users to see and do.

    I wonder about some other things...

    Are you using the WindowsTokenRoleProvider, that is, are the roles you
    mentioned defined as NT groups?

    Do you have your sql procs locked down with grants based on these same
    roles so that you need to impersonate the callers role back to the
    database? If so you may want to use different connection strings based
    on each type of user. ...Or is there a (nother can of worms) middle
    tier...

    Me, I think it is probably more trouble to manage different views in a
    single page than to just create the three pages that know exactly who
    they are dealing with and isolate as much common functionality using
    web controls and master pages. But otherwise maybe look at the
    multiview control.

    Note that location tag lock downs using windows auth and NT group names
    don't need a full blown rolemanager, but as soon as you want to call any
    Roles.* method or anything like it you need the rolemanager.
     
    MikeS, Feb 20, 2006
    #8
  9. Agreed. Don't do any LDAP for this. Windows does all of the group lookup
    stuff for you with WindowsPrincipal.IsInRole (for any version of ASP.NET)
    and the new membership stuff for 2.0.

    Joe K.

    "MikeS" <> wrote in message
    news:...
    > The simple answer may be that you may need to use of a rolemanager and
    > make use of calls to User.IsInRole to determine what you will allow
    > your users see and do.
    >
    > I wonder about some other things...
    >
    > Are you using the WindowsTokenRoleProvider, that is, are the roles you
    > mentioned defined as NT groups?
    >
    > Do you have your sql procs locked down with grants based on these same
    > roles so that you need to impersonate the callers role back to the
    > database? If so you may want to use different connection strings based
    > on each type of user. ...Or is there a (nother can of worms) middle
    > tier...
    >
    > Me, I think it is probably more trouble to manage different views in a
    > single page than to just create the three pages that know exactly who
    > they are dealing with and isolate as much common functionality using
    > web controls and master pages. But otherwise maybe look at the
    > multiview control.
    >
    > Note that location tag lock downs using windows auth and NT group names
    > don't need a full blown rolemanger but as soon as you want to call any
    > Roles.* method or anything like it you need the rolemanager.
    >
     
    Joe Kaplan \(MVP - ADSI\), Feb 20, 2006
    #9
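One way to do what Felix asks for in a single page, following Mike's and Joe's advice to rely on User.IsInRole rather than LDAP. This is an added example, not code from the thread; it assumes Windows authentication with the role manager enabled in web.config (`<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>`) and `<allow users="*"/>` so anonymous requests reach the page; the group names, the control IDs pnlInsert and pnlEdit, and the InsertRow/UpdateRow data-access methods are placeholders for the page's own.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the thread). One page serves all three cases:
// anonymous users view, Managers also insert, Administrators also edit.
// Group names below are placeholders; they must match the NT group names
// exactly as WindowsTokenRoleProvider reports them (DOMAIN\Group).
public partial class DataPage : Page
{
    private const string ManagersRole = @"DOMAIN\Managers";
    private const string AdminsRole = @"DOMAIN\Administrators";

    private bool CanInsert()
    {
        // Administrators inherit everything Managers may do.
        return User.IsInRole(ManagersRole) || User.IsInRole(AdminsRole);
    }

    private bool CanEdit()
    {
        return User.IsInRole(AdminsRole);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Showing or hiding controls is presentation only: anonymous users
        // (IsInRole always false) get the read-only view.
        pnlInsert.Visible = CanInsert();
        pnlEdit.Visible = CanEdit();
    }

    // Every handler re-checks the role. A hidden control can still be posted
    // back by a crafted request, so Visible is not the security boundary.
    protected void btnInsert_Click(object sender, EventArgs e)
    {
        if (!CanInsert())
            throw new HttpException(403, "Insert requires the Managers role.");
        InsertRow();   // placeholder for the page's own data-access code
    }

    protected void btnEdit_Click(object sender, EventArgs e)
    {
        if (!CanEdit())
            throw new HttpException(403, "Edit requires the Administrators role.");
        UpdateRow();   // placeholder for the page's own data-access code
    }
}
```

Because no web.config `<location>` rule denies the page, the per-handler checks are the only thing separating the three roles; they are the lines to cover in a test.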
  10. Hi,

    Thanks for the reply.

    I'm getting an error "Logon failure: unknown user name or bad password." when using the following code to retrieve the users list from Active Directory. The error occurs in the line mySearcher.FindAll(). I'm using windows authentication role based security. The site map menus hide/unhide based on the user logged into windows. I do not understand why the below code says unknown user name when the sitemap menus work as expected. Any help is very much appreciated.

    using System.DirectoryServices;

    // domainName is assumed to hold the domain's DNS name, e.g. "example.local"
    DirectoryEntry entry = new DirectoryEntry("LDAP://" + domainName);
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    mySearcher.Filter = "(objectClass=user)";
    // The bind to the directory actually happens here, which is why the
    // logon failure surfaces on FindAll() rather than on the constructor.
    foreach (SearchResult resEnt in mySearcher.FindAll())
    {
        Response.Write(resEnt.Path + "<br/>");
    }

    Thanks,

    Felix.J



    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    > Agreed. Don't do any LDAP for this. Windows does all of the group lookup
    > stuff for you with WindowsPrincipal.IsInRole (for any version of ASP.NET)
    > and the new membership stuff for 2.0.
    >
    > Joe K.
    >
    > "MikeS" <> wrote in message
    > news:...
    > > The simple answer may be that you may need to use of a rolemanager and
    > > make use of calls to User.IsInRole to determine what you will allow
    > > your users see and do.
    > >
    > > I wonder about some other things...
    > >
    > > Are you using the WindowsTokenRoleProvider, that is, are the roles you
    > > mentioned defined as NT groups?
    > >
    > > Do you have your sql procs locked down with grants based on these same
    > > roles so that you need to impersonate the callers role back to the
    > > database? If so you may want to use different connection strings based
    > > on each type of user. ...Or is there a (nother can of worms) middle
    > > tier...
    > >
    > > Me, I think it is probably more trouble to manage different views in a
    > > single page than to just create the three pages that know exactly who
    > > they are dealing with and isolate as much common functionality using
    > > web controls and master pages. But otherwise maybe look at the
    > > multiview control.
    > >
    > > Note that location tag lock downs using windows auth and NT group names
    > > don't need a full blown rolemanger but as soon as you want to call any
    > > Roles.* method or anything like it you need the rolemanager.
    > >

    >
    >
     
    Felix_WafyTech, Feb 21, 2006
    #10
  11. You are trying to connect to the directory with default credentials. That may or may not work, depending on the state of the current security context. It is pretty much the exact same set of rules governing connecting to SQL server using SSPI.

    Why do you need to do this though? I thought you were going to use the built-in role-based security stuff that ASP.NET already supports with Windows auth?

    Joe K.

    "Felix_WafyTech" <> wrote in message news:%...
    Hi,

    Thanks for the reply.

    I'm getting an error "Logon failure: unknown user name or bad password." when using the following code to retrieve the users list from Active Directory. The error occurs in the line mySearcher.FindAll(). I'm using windows authentication role based security. The site map menus hide/unhide based on the user logged into windows. I do not understand why the below code says unknown user name when the sitemap menu's work as expected. Any help is very much appreciated.

    DirectoryEntry entry = new DirectoryEntry("LDAP://" + domainName);

    DirectorySearcher mySearcher = new DirectorySearcher(entry);

    mySearcher.Filter = ("(objectClass=user)");

    foreach (System.DirectoryServices.SearchResult resEnt in mySearcher.FindAll())

    Thanks,

    Felix.J



    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    > Agreed. Don't do any LDAP for this. Windows does all of the group lookup
    > stuff for you with WindowsPrincipal.IsInRole (for any version of ASP.NET)
    > and the new membership stuff for 2.0.
    >
    > Joe K.
    >
    > "MikeS" <> wrote in message
    > news:...
    > > The simple answer may be that you may need to use of a rolemanager and
    > > make use of calls to User.IsInRole to determine what you will allow
    > > your users see and do.
    > >
    > > I wonder about some other things...
    > >
    > > Are you using the WindowsTokenRoleProvider, that is, are the roles you
    > > mentioned defined as NT groups?
    > >
    > > Do you have your sql procs locked down with grants based on these same
    > > roles so that you need to impersonate the callers role back to the
    > > database? If so you may want to use different connection strings based
    > > on each type of user. ...Or is there a (nother can of worms) middle
    > > tier...
    > >
    > > Me, I think it is probably more trouble to manage different views in a
    > > single page than to just create the three pages that know exactly who
    > > they are dealing with and isolate as much common functionality using
    > > web controls and master pages. But otherwise maybe look at the
    > > multiview control.
    > >
    > > Note that location tag lock downs using windows auth and NT group names
    > > don't need a full blown rolemanger but as soon as you want to call any
    > > Roles.* method or anything like it you need the rolemanager.
    > >

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Feb 21, 2006
    #11
  12. MikeS Guest

    As Joe remarked...

    Perhaps because you are trying to connect to the LDAP server using
    ASP's credentials which are shown in
    System.Security.Principal.WindowsIdentity.GetCurrent.Name.

    Maybe try to use the DirectoryEntry (String, String, String)
    constructor as shown in the article that Luke referenced and provide
    credentials that have rights to query AD.

    Might be a better topic for the AD forum now.

    I'll tell you what though, if you go and flesh out the whole
    RoleProvider interface that uses NT groups instead of AzMan and isn't
    half implemented like the WindowsTokenRoleProvider then please share it
    with me.
     
    MikeS, Feb 21, 2006
    #12
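Putting Joe's and Mike's diagnosis together with Felix's original request to filter users by group, here is an added example (not code from the thread or from the Microsoft article) that binds with an explicit, low-privileged read-only account instead of the ASP.NET process identity and lists the members of one AD group. The appSettings keys AdPath, AdUser and AdPassword and the group DN are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;

// Added example (not from the thread). Returns the sAMAccountName of every
// user that is a direct member of the group whose DN is passed in, e.g.
// "CN=Managers,OU=Groups,DC=example,DC=local" (placeholder).
public static class AdUserLister
{
    public static List<string> UsersInGroup(string groupDn)
    {
        // Placeholder config keys; the password belongs in a protected
        // config section or a secret store, never in source control.
        string path = ConfigurationManager.AppSettings["AdPath"];     // "LDAP://dc1.example.local/DC=example,DC=local"
        string user = ConfigurationManager.AppSettings["AdUser"];     // "EXAMPLE\\svc-adread"
        string pass = ConfigurationManager.AppSettings["AdPassword"];

        List<string> users = new List<string>();
        // AuthenticationTypes.Secure forces a Kerberos/NTLM bind rather than
        // a simple bind that would send the password in clear text.
        using (DirectoryEntry root = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the DN before embedding it so caller-supplied text
            // cannot alter the filter (LDAP filter injection).
            string safeDn = EscapeFilter(groupDn);
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=" + safeDn + "))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PageSize = 500;   // paged results; the DC otherwise caps a search at 1000 entries

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    if (r.Properties["sAMAccountName"].Count > 0)
                        users.Add((string)r.Properties["sAMAccountName"][0]);
                }
            }
        }
        return users;
    }

    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    public static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

memberOf only reflects direct membership; nested groups need a recursive query or a token-groups lookup, which the thread's advice to use IsInRole already handles for the authorization case.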