NT based roles using forms authentication

Discussion in 'ASP .Net' started by Sharat Koya, Aug 13, 2004.

  1. Sharat Koya

    Sharat Koya Guest

    Please can you help with a problem I am having.

    My web config is set to...
    <authorization>
      <deny users="?"/>
    </authorization>
    <authentication mode="Forms">
      <forms name=".COOKIE" loginUrl="login.aspx" protection="All"
             timeout="5" path="/"/>
    </authentication>
    <identity impersonate="true"/>

    login.aspx uses advapi32.dll to create the token and authenticate the
    user using the code..

    if (LogonUser(TextBoxUsername.Text,
                  "HILLSRD",
                  TextBoxPassword.Text,
                  LOGON32_LOGON_INTERACTIVE,
                  LOGON32_PROVIDER_DEFAULT,
                  ref token) != 0)
    {
        FormsAuthentication.RedirectFromLoginPage(TextBoxUsername.Text,
                                                  CBoxRememberMe.Checked);
    }

    But when I want to enable NT group security and go to access
    User.IsInRole, it always returns false. I dug a little deeper by
    live debugging and found that the m_roles array is always empty. What am I
    doing wrong - why aren't the roles available that are on the domain?


    many thanks for any help on this.

    Sharat Koya
     
    Sharat Koya, Aug 13, 2004
    #1

  2. Sharat Koya

    Scott Allen Guest

    Hi Sharat:

    I'm not sure what the requirements are for your application, but I'm
    thinking you could save yourself a good deal of code if you let
    Windows manage the authentication and impersonation with a web.config
    along the lines of:

    <system.web>
      <authentication mode="Windows"/>
      <identity impersonate="true"/>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>

    This will avoid you having to use LogonUser in your code. If you do go
    this way - you need to use the token given out by LogonUser to do the
    impersonation, and pass the token to CloseHandle for proper cleanup
    afterwards.

    --
    Scott
    http://www.OdeToCode.com


     
    Scott Allen, Aug 13, 2004
    #2

  3. Sharat Koya

    bruce barker Guest

    <identity impersonate="true"/> means to impersonate the IIS authenticated
    user; in your case, because you are using forms authentication, the IIS user
    is the anonymous login.

    Because you are using forms authentication, it's your job to fill in the
    roles. You will need to do this on every request.

    -- bruce (sqlwork.com)
     
    bruce barker, Aug 13, 2004
    #3
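
Added example (not from the thread or any poster): one way to do what bruce describes, capturing the account's NT groups from the LogonUser token at login, carrying them in the encrypted forms ticket, and rebuilding the principal on every request so that User.IsInRole has roles to check. It assumes .NET Framework 2.0 or later (for WindowsIdentity.Groups); RoleTicket, Issue and Restore are hypothetical names.

```csharp
// Added example, not from the thread. RoleTicket, Issue and Restore are hypothetical names.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);
    // Call from login.aspx after LogonUser succeeds, instead of RedirectFromLoginPage.
    public static void Issue(HttpResponse response, string userName, IntPtr token, bool persistent)
    {
        List<string> roles = new List<string>();
        try
        {
            using (WindowsIdentity wi = new WindowsIdentity(token))   // duplicates the handle
            {
                // forceSuccess=false leaves unmappable SIDs untranslated instead of throwing.
                foreach (IdentityReference g in wi.Groups.Translate(typeof(NTAccount), false))
                    if (g is NTAccount) roles.Add(g.Value);   // DOMAIN\GroupName form
            }
        }
        finally { CloseHandle(token); }   // release the LogonUser token, as Scott notes
        // Encrypt() applies the <forms protection="All"> encryption and MAC, so the
        // client cannot read or alter the role list carried in UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(5),   // matches timeout="5"
            persistent, string.Join("|", roles.ToArray()), FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax on every request.
    public static void Restore(HttpContext context)
    {
        FormsIdentity id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;
        string[] roles = id.Ticket.UserData.Split(new char[] { '|' },
                                                  StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(id, roles);   // IsInRole now checks these names
    }
}
```

In login.aspx, call RoleTicket.Issue and then Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent)) in place of RedirectFromLoginPage. The group list is a snapshot taken at login, so a membership change takes effect only when a new ticket is issued, and a very long list can push the cookie past browser size limits.
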
  4. Sharat Koya

    Scott Allen Guest

    You could create locked down local accounts on the web server and
    still use Windows authentication. If the server doesn't recognize
    their current credentials the browser will prompt for them to enter a
    username, password and domain (machine name) to log in with.

    --
    Scott
    http://www.OdeToCode.com

    On Fri, 13 Aug 2004 11:37:03 -0700, "Sharat Koya" wrote:

    >The reason I am using this method is that it allows users to be logged in on
    >a secure locked down account whilst allowing them the option to log in as
    >themselves and change between users without logging off the account. Is
    >there a way of preserving this idea without implementing database stored
    >roles?
    >
    >thanks
     
    Scott Allen, Aug 13, 2004
    #4