RoleProvider for AD Group membership

Discussion in 'ASP .Net Security' started by Olivier Matrot, Nov 6, 2006.

  1. Hello,
    I'm in the process of writing my own Active Directory RoleProvider to be
    able to check if a user is a member of a given group. But maybe it already
    exists somewhere in the community? I do not want to use AzMan. Basically,
    it should provide the same functionality as the WindowsTokenRoleProvider
    and should work with forms authentication (and ActiveDirectoryMembership
    Provider).
    Any help appreciated.
    TIA.
     
    Olivier Matrot, Nov 6, 2006
    #1

  2. Hello Olivier,

    In .NET framework 2.0, there is a new role provider class
    "AuthorizationStoreRoleProvider" Class:

    http://msdn2.microsoft.com/en-us/library/system.web.security.authorizationst
    oreroleprovider(VS.80).aspx

    You can use AuthorizationStoreRoleProvider for role membership checks. The
    benefit of using AuthorizationStoreRoleProvider is that it provides a
    consistent set of APIs for role authorization

    Here is also an article about it:

    How To: Use Role Manager in ASP.NET 2.0
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
    /PAGHT000013.asp?_r=1

    Hope this helps,

    Sincerely,

    Luke Zhang

    Microsoft Online Community Support
    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Luke Zhang [MSFT], Nov 6, 2006
    #2

  3. Ryan Dunn and I (and also Joe Kaplan) worked on an AD role provider.

    Mail me and I'll send you the code (it is not final, but chances are high
    it will work for you).

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > Hello,
    > I'm in the process of writing my own Active Directory RoleProvider to be
    > able to check if a user is a member of a given group. But maybe it already
    > exists somewhere in the community? I do not want to use AzMan. Basically,
    > it should provide the same functionality as the WindowsTokenRoleProvider
    > and should work with forms authentication (and ActiveDirectoryMembership
    > Provider).
    > Any help appreciated.
    > TIA.
     
    Dominick Baier, Nov 6, 2006
    #3
  4. Hello Luke,
    The membership check is done via the AspNetActiveDirectoryMembershipProvider.
    I'm trying to use AuthorizationStoreRoleProvider, but it seems to be
    difficult to use:
    1) What is the format of the connection string? I'm using the following:
    MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private

    But the following exception is thrown :
    The service did not respond to the start or control request in a timely
    fashion. (Exception from HRESULT: 0x8007041D)

    Please note that I'm accessing a domain that is located in another forest.
    This is working just fine with the membership provider.

    Here is the content of my web.config file :
    <connectionStrings>
      <add name="MemberShipProvider"
           connectionString="LDAP://rtetest.private/OU=FaxBox,DC=rtetest,dc=private"/>
      <add name="AzmanRoleProvider"
           connectionString="MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private"/>
    </connectionStrings>

    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 defaultProvider="AuthorizationStoreRoleProvider">
      <providers>
        <!-- Only on Windows 2003 by default -->
        <add name="AuthorizationStoreRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider"
             connectionStringName="AzmanRoleProvider"
             cacheRefreshInterval="60" />
      </providers>
    </roleManager>

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MemberShipProvider"/>
      </providers>
    </membership>

    TIA.

    "Luke Zhang [MSFT]" <> wrote in message
    news:%...
    > Hello Olivier,
    >
    > In .NET framework 2.0, there is a new role provider class
    > "AuthorizationStoreRoleProvider" Class:
    >
    > http://msdn2.microsoft.com/en-us/library/system.web.security.authorizationst
    > oreroleprovider(VS.80).aspx
    >
    > You can use AuthorizationStoreRoleProvider for role membership checks. The
    > benefit of using AuthorizationStoreRoleProvider is that it provides a
    > consistent set of APIs for role authorization
    >
    > Here is also an article about it:
    >
    > How To: Use Role Manager in ASP.NET 2.0
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
    > /PAGHT000013.asp?_r=1
    >
    > Hope this helps,
    >
    > Sincerely,
    >
    > Luke Zhang
    >
    > Microsoft Online Community Support
     
    Olivier Matrot, Nov 6, 2006
    #4
  5. Yes, I just gave it to someone else and it seemed to work pretty well for
    them. I think Ryan and I will try to finish it up and publish it on our
    book's website once he gets back from vacation.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Ryan Dunn and I (and also Joe Kaplan) worked on an AD role provider.
    >
    > Mail me and I'll send you the code (it is not final, but chances are high
    > it will work for you).
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hello,
    >> I'm in the process of writing my own Active Directory RoleProvider to be
    >> able to check if a user is a member of a given group. But maybe it already
    >> exists somewhere in the community? I do not want to use AzMan. Basically,
    >> it should provide the same functionality as the WindowsTokenRoleProvider
    >> and should work with forms authentication (and ActiveDirectoryMembership
    >> Provider).
    >> Any help appreciated.
    >> TIA.
     
    Joe Kaplan, Nov 6, 2006
    #5
  6. The general format for the Connection string is as follows:

    msldap://ServerName:port//DistinguishedNameForTheStore

    The server name and the port are optional. If a server name is not
    provided, the default domain controller is used. If a port is not
    specified, the default LDAP port (LDAP_PORT, 389) is used. The
    distinguished name (DN) for the store begins with the relative
    distinguished name (RDN) of the AzAuthorizationStore object. For example,
    if the RDN of the AzAuthorizationStore object is MyStore and MyStore is in
    an organizational unit (OU) named AzMan, a possible connection string for
    the Active Directory store is as follows:

    msldap://MyServer/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Fabrikam,DC=Com

    Sincerely,

    Luke Zhang

    Microsoft Online Community Support

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Luke Zhang [MSFT], Nov 7, 2006
    #6
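An added example, not code from this thread or from AzMan: a small Python parser for the msldap connection string format described in the reply above (optional server and port, default LDAP port 389, DN beginning with the CN of the AzAuthorizationStore object), run against the strings posted in this thread so that a wrong format (such as the LDAP:// membership string, or a DN that does not start at the store object) is caught before the provider is configured. The sample strings and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LDAP_PORT = 389  # default LDAP port, used when the connection string names none
# Constructed inputs: the strings posted in this thread plus the general example.
AZMAN_CONN = "MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private"
MEMBERSHIP_CONN = "LDAP://rtetest.private/OU=FaxBox,DC=rtetest,dc=private"
DOC_EXAMPLE = "msldap://MyServer/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Fabrikam,DC=Com"

@dataclass
class AzManStoreUrl:
    server: Optional[str]           # None means "use the default domain controller"
    port: int
    rdns: List[Tuple[str, str]]     # (attribute, value) pairs, store RDN first

    @property
    def store_dn(self) -> str:
        return ",".join(f"{attr}={val}" for attr, val in self.rdns)

def parse_msldap(conn: str) -> AzManStoreUrl:
    """Parse msldap://[server[:port]]/DN; the doubled slash before the DN in the
    general format is tolerated. Escaped commas in RDN values are not handled."""
    m = re.fullmatch(r"(?i)msldap://([^/]*)/+(.+)", conn.strip())
    if not m:
        raise ValueError("not an msldap:// URL (LDAP:// is the membership format)")
    host_part, dn = m.groups()
    host, _, port_text = host_part.partition(":")
    if port_text and not port_text.isdigit():
        raise ValueError(f"invalid port {port_text!r}")
    server = host or None
    port = int(port_text) if port_text else LDAP_PORT
    rdns: List[Tuple[str, str]] = []
    for rdn in dn.split(","):
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN {rdn!r}")
        rdns.append((attr.strip().upper(), val.strip()))
    # The DN must begin with the RDN (CN=...) of the AzAuthorizationStore object.
    if rdns[0][0] != "CN":
        raise ValueError("DN must begin with the CN of the AzAuthorizationStore object")
    return AzManStoreUrl(server, port, rdns)

def is_valid_azman_conn(conn: str) -> bool:
    """True when the string has the msldap store format, False otherwise."""
    try:
        parse_msldap(conn)
    except ValueError:
        return False
    return True
```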
  7. Luke,
    Is this provider working in an out-of-domain scenario, which is accessing a
    domain in another forest? In this case, we must probably give proper
    credentials to make it work.


    "Luke Zhang [MSFT]" <> wrote in message
    news:...
    > The general format for the Connection string is as follows:
    >
    > msldap://ServerName:port//DistinguishedNameForTheStore
    >
    > The server name and the port are optional. If a server name is not
    > provided, the default domain controller is used. If a port is not
    > specified, the default LDAP port (LDAP_PORT, 389) is used. The
    > distinguished name (DN) for the store begins with the relative
    > distinguished name (RDN) of the AzAuthorizationStore object. For example,
    > if the RDN of the AzAuthorizationStore object is MyStore and MyStore is in
    > an organizational unit (OU) named AzMan, a possible connection string for
    > the Active Directory store is as follows:
    >
    > msldap://MyServer/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Fabrikam,DC=Com
    >
    > Sincerely,
    >
    > Luke Zhang
    >
    > Microsoft Online Community Support
     
    Olivier Matrot, Nov 7, 2006
    #7
  8. Hello Olivier,

    This provider will work between trusted domains.

    Sincerely,

    Luke Zhang

    Microsoft Online Community Support
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Luke Zhang [MSFT], Nov 8, 2006
    #8
