User Authentication, Active Directory and more (help)

Discussion in 'ASP .Net Security' started by Timothy Parez, Jun 17, 2004.

  1. Hi,

    Can a .NET application make use of the information within the Active
    Directory in order to Authenticate and Authorize users?

    For example users from a specific group have been authorized to use a
    number of features in the application while users from another group
    have not.

    I know there is something called Code Access Security, but there seem to
    be classes for the Active Directory Services and classes for something
    called Windows Principal.

    I wonder if someone could get me started with this.

    Another thing is, can devices running the Compact Framework
    be authenticated and authorized in the same way (since they don't have a
    user logged on)? Can they be a valid member of a domain?


    Thnx.
     
    Timothy Parez, Jun 17, 2004
    #1

  2. Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    AD) for authentication and authorization.

    The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    classes. WindowsIdentity represents the Windows user and is basically a
    wrapper around the Windows login token. WindowsPrincipal contains a
    WindowsIdentity and provides the ability to do role-based authorization
    against a user's Windows groups by calling the IsInRole method with the
    Windows group name. You can get the current WindowsIdentity at any time by
    calling WindowsIdentity.GetCurrent().

    The WindowsPrincipal class can be associated automatically with the
    currently executing thread as well. The mechanism for doing this is
    different depending on whether it is an ASP.NET or WinForms/Console app.
    This association allows you to take advantage of the
    PrincipalPermissionAttribute for doing declarative security in .NET. There
    is quite a bit of explanation of this stuff that you can find in MSDN if you
    need specifics, or you can ask here.

    Joe K.

    Joe Kaplan \(MVP - ADSI\), Jun 17, 2004
    #2
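Added example, not code from the original thread: the WindowsIdentity / WindowsPrincipal flow Joe describes above, as a .NET Framework console program. The group name CORP\AppAdmins is a placeholder. It shows the string-based IsInRole check (which only matches the DOMAIN\Group form), a SID-based check, and wiring the principal to the thread so a PrincipalPermission demand can see it.

```csharp
// Added example, not code from the original thread. Assumes a .NET Framework
// console app on a domain-joined machine; "CORP\AppAdmins" is a placeholder group.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class WindowsRoleDemo
{
    // Assumption: the group the application treats as its administrators.
    // Windows role names must be DOMAIN\Group (or BUILTIN\Administrators);
    // the bare name "AppAdmins" never matches.
    const string AdminGroup = @"CORP\AppAdmins";

    static void Main()
    {
        // WindowsIdentity wraps the logon token of the process (or of the thread,
        // if it is impersonating). The token already carries the user's group SIDs,
        // and those are what IsInRole is checked against.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("{0} ({1}, authenticated: {2})",
            identity.Name, identity.AuthenticationType, identity.IsAuthenticated);

        // Imperative, string-based check: the name is resolved to a SID and compared
        // against the token's groups.
        Console.WriteLine("{0}: {1}", AdminGroup, principal.IsInRole(AdminGroup));

        // SID-based checks survive group renames and localized group names.
        // Note: under UAC a non-elevated administrator's token carries the
        // Administrators group as deny-only, so this is false until elevated.
        SecurityIdentifier admins =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("Elevated local admin: {0}", principal.IsInRole(admins));

        // Declarative checks (PrincipalPermissionAttribute) are evaluated against
        // Thread.CurrentPrincipal, which is NOT the Windows principal by default in
        // a console/WinForms app. Set it explicitly, or equivalently call
        // AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        // before anything on the thread reads CurrentPrincipal. ASP.NET does this
        // for you when <authentication mode="Windows"/> is in effect.
        Thread.CurrentPrincipal = principal;
        try
        {
            AdminOnlyOperation();
        }
        catch (SecurityException ex)
        {
            // The demand failed: the caller is not a member of CORP\AppAdmins.
            Console.WriteLine("Denied: " + ex.Message);
        }
    }

    // The demand runs before the method body; the Role string uses the same
    // DOMAIN\Group form as IsInRole. PrincipalPermissionAttribute is .NET Framework
    // only; on .NET Core / .NET 5+ call principal.IsInRole() imperatively instead.
    [PrincipalPermission(SecurityAction.Demand, Role = AdminGroup)]
    static void AdminOnlyOperation()
    {
        Console.WriteLine("Admin-only operation ran.");
    }
}
```

Run it once as a member of the placeholder group and once as a user who is not: the first IsInRole line and the demand flip together, while the SID-based line only turns true from an elevated prompt.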

  3. What about the PocketPC?
    How would I fit it into this scenario, because the PocketPCs will be used
    to scan barcodes and insert items into the database (with that barcode as
    the key).
     
    Timothy Parez, Jun 17, 2004
    #3
  4. Ah, forgot that part. I'm not a CF programmer, so I don't know the details,
    but the Framework reference doesn't say WindowsIdentity is supported on CF,
    so you may be SOL. My guess is that PocketPC doesn't support Windows
    security (you don't log onto the domain on one of those, do you?), so that's
    why it is excluded.

    I'm not sure what to tell you to do on Pocket PC, sorry. It doesn't even
    look like any of the classes in System.Security.Principal are in the CF, so
    you may have to roll your own.

    Joe K.

    Joe Kaplan \(MVP - ADSI\), Jun 17, 2004
    #4
  5. Would the following be possible:

    On the Server I could have an XML WebService which takes a windows
    username and password as parameters for a "login" function.
    Can this be done ?

    Thnx
    (Sorry for the endless questions)


    Timothy Parez, Jun 18, 2004
    #5
  6. Sure, you could do that and return some sort of cookie/token that could be
    passed in subsequent messages. You might want to check out how ASP.NET
    forms authentication works as it does really similar stuff and they have
    already thought through a lot of the security issues.

    To validate the credentials on the server side, you could use
    System.DirectoryServices to validate via LDAP or use the LogonUser API to
    actually try to log the user on to Windows. It depends on what you need to
    do, but either might be appropriate solutions.

    Another nice thing is that the role-based authorization framework IS
    available in regular Windows, so you can do role-based authorization in your
    Web Services.

    Without knowing more about your application architecture, it is hard to make
    really good suggestions about how you should proceed, but hopefully this is
    still helpful.

    Joe K.


    Joe Kaplan \(MVP - ADSI\), Jun 18, 2004
    #6
  7. Hey,

    Thnx for all the information.

    I would like to ask you for some more help :)

    I tried using the following in my web.config file but it doesn't really work

    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>

    I have also played with these values, but either I get a logon screen
    but I can never log on, or I don't get a logon screen and get a page
    saying I'm not authorized to view that page right away.

    In any case I don't think this will be the best option for me.

    Using the DirectoryServices namespace, can I take a username and
    password and validate it against the AD from my code?

    i.e. is there something like (I know it seems stupid but I must ask)

    if (User.Authenticate("username","password"))
    {
        MessageBox.Show("Welcome");
    }
    else
    {
        MessageBox.Show("Try again m8");
    }

    This would be a lot better than the logon provided by ASP.NET (more
    compatible and usable in code)

    Thnx for your help.

    Timothy.
     
    Timothy Parez, Jun 21, 2004
    #7
  8. When you are using Windows authentication in IIS and ASP.NET, the roles in
    the IPrincipal that gets created will be Windows groups, so they will be of
    the form Domain\Group Name.

    In order to make sure you are using Windows authentication in IIS, you must
    disable anonymous access and enable Basic, Digest or Integrated
    authentication. Don't use Basic without SSL or you will be passing
    credentials in plain text over the network. In ASP.NET, you need to make
    sure the authentication tag in web.config is set to Windows (which is the
    default).

    In order to authenticate users in Active Directory, the IIS server must be a
    member of the Active Directory domain.

    If you want to build your own authentication scheme using
    System.DirectoryServices or something, then you will also be responsible for
    building the IPrincipal object that contains the user's roles. This sample
    of Forms authentication with System.DirectoryServices is an okay starting
    point.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

    HTH,

    Joe K.

    Joe Kaplan \(MVP - ADSI\), Jun 21, 2004
    #8
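Added example, not from the original thread and not the KB 326340 sample: both server-side validation routes Joe names (a System.DirectoryServices bind in post #6, the "roll your own IPrincipal" of post #8, and the LogonUser API), written as the back end of the "login" web method discussed earlier in the thread. The names corp.example, CORP and CORP\AppAdmins are placeholders. The IPrincipal the first route builds is what you would then attach to Thread.CurrentPrincipal / HttpContext.User on the server, or hand back to the device as a token in some form.

```csharp
// Added example, not code from the original thread or from KB 326340.
// Assumes a domain-joined .NET Framework server; "corp.example" and "CORP" are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class AdCredentialValidator
{
    const string LdapPath = "LDAP://corp.example";   // assumption: DNS name of the domain
    const string NetbiosDomain = "CORP";             // assumption: NetBIOS name of the domain

    // Option 1 (System.DirectoryServices): bind to the directory as the user.
    // A successful bind proves the password; the user's groups become the roles.
    public static IPrincipal ValidateWithLdap(string username, string password)
    {
        // An empty password turns the bind into an anonymous/unauthenticated bind, which
        // directories commonly accept: reject it here or "login" succeeds with no password.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return null;

        // Secure = SSPI (Kerberos/NTLM) bind, so this is not a clear-text simple bind;
        // Sealing encrypts the LDAP traffic that follows.
        using (DirectoryEntry root = new DirectoryEntry(LdapPath,
            NetbiosDomain + "\\" + username, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            try
            {
                root.RefreshCache();   // forces the bind; throws on bad credentials
                using (DirectorySearcher search = new DirectorySearcher(root))
                {
                    // The username lands inside an LDAP filter: escape it (RFC 4515)
                    // so a crafted login name cannot rewrite the query.
                    search.Filter = "(&(objectClass=user)(sAMAccountName="
                                    + EscapeLdapFilter(username) + "))";
                    search.PropertiesToLoad.Add("memberOf");
                    SearchResult user = search.FindOne();
                    if (user == null) return null;

                    // memberOf holds direct memberships only (no primary or nested
                    // groups); read tokenGroups instead if those matter to you.
                    var roles = new List<string>();
                    foreach (object dn in user.Properties["memberOf"])
                        roles.Add(CnFromDn((string)dn));
                    return new GenericPrincipal(new GenericIdentity(username, "LdapBind"),
                                                roles.ToArray());
                }
            }
            catch (DirectoryServicesCOMException)
            {
                return null;   // bad password, disabled or locked account: one generic failure, never log the password
            }
        }
    }

    // Option 2 (LogonUser): let Windows validate the password. The logon token yields a
    // real WindowsPrincipal, so IsInRole(@"CORP\AppAdmins") works exactly as it does for
    // an interactively logged-on user, primary and nested groups included.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    const int LOGON32_LOGON_NETWORK = 3;     // credential check only, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    public static WindowsPrincipal ValidateWithLogonUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return null;
        IntPtr token;
        if (!LogonUser(username, NetbiosDomain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            return null;   // Marshal.GetLastWin32Error() says why; log that, not the password
        try
        {
            return new WindowsPrincipal(new WindowsIdentity(token));   // duplicates the token
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    static string EscapeLdapFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // "CN=AppAdmins,OU=Groups,DC=corp,DC=example" -> "AppAdmins" (escaped commas not handled).
    static string CnFromDn(string dn)
    {
        int start = dn.IndexOf('=') + 1;
        int end = dn.IndexOf(',', start);
        return end < 0 ? dn.Substring(start) : dn.Substring(start, end - start);
    }
}
```

Two checks before shipping either route: reject empty passwords (an LDAP bind with an empty password is an anonymous bind and reports success), and rate-limit or lock out repeated failures, because a "login" web method hands AD password guessing, and the account lockouts that go with it, to anyone who can reach the service. After a successful login return a short-lived session token rather than accepting the password on every call. On Windows 2000, the server OS current when this thread was written, the process calling LogonUser also needs the SE_TCB_NAME privilege; Windows XP/2003 and later drop that requirement. And for the web.config from post #7 the same DOMAIN\Group rule applies: <allow roles="CORP\Admins" />, not "Admins".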
  9. Hey,

    I've got that working now
    and I now am able to get the name from User.Identity in my ASP.NET page
    but methods like IsInRole() seem to have no effect on it.

    Any suggestions?
     
    Timothy Parez, Jul 5, 2004
    #9
  10. How are you testing the IsInRole method? With Windows/Domain logins, the
    groups you use must be in the form "domain\group name".

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Jul 5, 2004
    #10
