User Authentication, Active Directory and more (help)


Timothy Parez

Hi,

Can a .NET application make use of the information within the Active
Directory in order to Authenticate and Authorize users?

For example, users from a specific group have been authorized to use a
number of features in the application while users from another group
have not.

I know there is something called Code Access Security, but there seem to
be classes for the Active Directory Services and classes for something
called Windows Principle.

I wonder if someone could get me started with this.

Another thing is, can devices running the Compact Framework
be authenticated and authorized in the same way (since they don't have a
user logged on)? Can they be a valid member of a domain?


Thnx.
 

Joe Kaplan (MVP - ADSI)

Yes, .NET can make use of any Windows account (local machine, NT4 domain or
AD) for authentication and authorization.

The built-in support for this is in the WindowsIdentity and WindowsPrincipal
classes. WindowsIdentity represents the Windows user and is basically a
wrapper around the Windows login token. WindowsPrincipal contains a
WindowsIdentity and provides the ability to do role-based authorization
against a user's Windows groups by calling the IsInRole method with the
Windows group name. You can get the current WindowsIdentity at any time by
calling WindowsIdentity.GetCurrent().

The WindowsPrincipal class can be associated automatically with the
currently executing thread as well. The mechanism for doing this is
different depending on whether it is an ASP.NET or WinForms/Console app.
This association allows you to take advantage of the
PrincipalPermissionAttribute for doing declarative security in .NET. There
is quite a bit of explanation of this stuff that you can find in MSDN if you
need specifics, or you can ask here.

Joe K.
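The classes Joe names, put together in a console-style program as an added example (this is not code from the thread or from Joe): it binds the current Windows logon to the thread, does an imperative IsInRole check against a domain group, checks a well-known built-in role, and then shows the declarative PrincipalPermissionAttribute demand he mentions. The group name CONTOSO\AppUsers is a placeholder for your own Domain\Group, and the code assumes the full .NET Framework on a Windows machine.

```csharp
// Added example, not from the thread: role-based checks with
// WindowsIdentity / WindowsPrincipal in a console or WinForms app.
// Assumes the full .NET Framework on Windows; "CONTOSO\AppUsers" is a
// placeholder for a real Domain\Group name.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

static class RoleDemo
{
    // Placeholder group; replace with the real Domain\Group.
    const string AppUsersGroup = @"CONTOSO\AppUsers";

    static void Main()
    {
        // Associate the Windows logon with the thread so that
        // Thread.CurrentPrincipal (and PrincipalPermission) see it.
        // This must happen before the principal is first read on the thread.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // WindowsIdentity wraps the logon token of the current process/thread.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(id);

        Console.WriteLine("User: {0} (authenticated: {1}, type: {2})",
            id.Name, id.IsAuthenticated, id.AuthenticationType);

        // Imperative check against a domain group; the name must be in
        // Domain\Group form, a bare "AppUsers" will not match.
        Console.WriteLine("Member of {0}: {1}",
            AppUsersGroup, principal.IsInRole(AppUsersGroup));

        // Well-known groups can be checked without knowing the localised name.
        Console.WriteLine("Local administrator: {0}",
            principal.IsInRole(WindowsBuiltInRole.Administrator));

        // Declarative check: the runtime demands the role when the method
        // is called and throws SecurityException if the demand fails.
        try
        {
            RestrictedFeature();
            Console.WriteLine("Restricted feature ran.");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: {0}", ex.Message);
        }
    }

    // The demand is evaluated against Thread.CurrentPrincipal, which is why
    // SetPrincipalPolicy (or an explicit Thread.CurrentPrincipal assignment)
    // has to happen first.
    [PrincipalPermission(SecurityAction.Demand, Role = AppUsersGroup)]
    static void RestrictedFeature()
    {
        // ...work that only members of the group may perform...
    }
}
```

In an ASP.NET application you would not call SetPrincipalPolicy yourself; with `<authentication mode="Windows"/>` the runtime attaches the WindowsPrincipal to the request, which is the "different mechanism" Joe refers to.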
 

Timothy Parez

Joe said:
Yes, .NET can make use of any Windows account (local machine, NT4 domain or
AD) for authentication and authorization.

The built-in support for this is in the WindowsIdentity and WindowsPrincipal
classes. WindowsIdentity represents the Windows user and is basically a
wrapper around the Windows login token. WindowsPrincipal contains a
WindowsIdentity and provides the ability to do role-based authorization
against a user's Windows groups by calling the IsInRole method with the
Windows group name. You can get the current WindowsIdentity at any time by
calling WindowsIdentity.GetCurrent().

The WindowsPrincipal class can be associated automatically with the
currently executing thread as well. The mechanism for doing this is
different depending on whether it is an ASP.NET or WinForms/Console app.
This association allows you to take advantage of the
PrincipalPermissionAttribute for doing declarative security in .NET. There
is quite a bit of explanation of this stuff that you can find in MSDN if you
need specifics, or you can ask here.

Joe K.

What about the PocketPC,
how would I fit it into this scenario,
because the PocketPCs will be used to scan barcodes and insert items
into the database (with that barcode as the key)?
 

Joe Kaplan (MVP - ADSI)

Ah, forgot that part. I'm not a CF programmer, so I don't know the details,
but the Framework reference doesn't say WindowsIdentity is supported on CF,
so you may be SOL. My guess is that PocketPC doesn't support Windows
security (you don't log onto the domain on one of those, do you?), so that's
why it is excluded.

I'm not sure what to tell you to do on Pocket PC, sorry. It doesn't even
look like any of the classes in System.Security.Principal are in the CF, so
you may have to roll your own.

Joe K.
 

Timothy Parez

Would the following be possible:

On the server I could have an XML web service which takes a Windows
username and password as parameters for a "login" function.
Can this be done?

Thnx
(Sorry for the endless questions)
 

Joe Kaplan (MVP - ADSI)

Sure, you could do that and return some sort of cookie/token that could be
passed in subsequent messages. You might want to check out how ASP.NET
forms authentication works as it does really similar stuff and they have
already thought through a lot of the security issues.

To validate the credentials on the server side, you could use
System.DirectoryServices to validate via LDAP or use the LogonUser API to
actually try to log the user on to Windows. It depends on what you need to
do, but either might be appropriate solutions.

Another nice thing is that the role-based authorization framework IS
available in regular Windows, so you can do role-based authorization in your
Web Services.

Without knowing more about your application architecture, it is hard to make
really good suggestions about how you should proceed, but hopefully this is
still helpful.

Joe K.
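The design Joe sketches, as an added example that is not code from the thread: a web service "login" method that validates a Windows username and password on the server, using either of the two techniques he names (an LDAP bind through System.DirectoryServices, or the LogonUser API), and then hands back an opaque, expiring token. Rather than inventing a token format, it reuses the ASP.NET forms-authentication ticket machinery he points at. The LDAP path `LDAP://dc01.contoso.local` and the domain `CONTOSO` are placeholders; the code assumes the full .NET Framework on an IIS server that is a member of the domain.

```csharp
// Added example, not from the thread: a "login" web method that checks
// Windows credentials and returns an encrypted, expiring ticket for
// later calls. Assumes the full .NET Framework and IIS on a domain member.
// "LDAP://dc01.contoso.local" and "CONTOSO" are placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Web.Security;
using System.Web.Services;

public class LoginService : WebService
{
    const string LdapPath = "LDAP://dc01.contoso.local"; // placeholder
    const string Domain = "CONTOSO";                      // placeholder

    // Technique 1: bind to the directory with the supplied credentials.
    // A successful bind proves the password; a failed one throws.
    static bool ValidateViaLdap(string user, string password)
    {
        using (DirectoryEntry entry = new DirectoryEntry(
            LdapPath, Domain + "\\" + user, password, AuthenticationTypes.Secure))
        {
            try
            {
                object native = entry.NativeObject; // forces the bind to happen
                return native != null;
            }
            catch (COMException)
            {
                return false; // bad password, disabled/locked account, etc.
            }
        }
    }

    // Technique 2: ask Windows itself through the LogonUser API.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NETWORK = 3;   // credential check only, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    static bool ValidateViaLogonUser(string user, string password)
    {
        IntPtr token;
        bool ok = LogonUser(user, Domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        if (ok) CloseHandle(token); // only the yes/no answer is needed here
        return ok;
    }

    // Returns a forms-authentication ticket (encrypted and signed with the
    // server's machineKey) that the client passes on subsequent calls.
    [WebMethod]
    public string Login(string user, string password)
    {
        if (!ValidateViaLdap(user, password))   // or ValidateViaLogonUser
            return null;

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, "");
        return FormsAuthentication.Encrypt(ticket);
    }

    // Every other web method checks the ticket before doing any work.
    [WebMethod]
    public string WhoAmI(string ticketText)
    {
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(ticketText);
        }
        catch (ArgumentException)
        {
            return null; // tampered or malformed ticket
        }
        if (ticket == null || ticket.Expired)
            return null;
        return ticket.Name;
    }
}
```

The PocketPC client only ever sends the password once, to `Login`, and then sends the returned string with each barcode insert; because the ticket carries its own expiry and is protected by the server's machine key, the server does not have to keep a session table. As with Basic authentication, the `Login` call needs SSL, since the password travels in the SOAP body.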
 

Timothy Parez

Hey,

Thnx for all the information.

I would like to ask you for some more help :)

I tried using the following in my web.config file but it doesn't really work:

<system.web>
    <authentication mode="Windows"/>
    <authorization>
        <allow roles="Admins" />
        <deny users="*" />
    </authorization>
</system.web>

I have also played with these values, but either I get a logon screen
but I can never log on, or I don't get a logon screen and get a page saying
I'm not authorized to view that page right away.

In any case I don't think this will be the best option for me.

Using the DirectoryServices namespace, can I take a username and
password and validate it against the AD from my code?

i.e. is there something like (I know it seems stupid but I must ask)

if (User.Authenticate("username", "password"))
{
    MessageBox.Show("Welcome");
}
else
{
    MessageBox.Show("Try again m8");
}

This would be a lot better than the logon provided by ASP.NET (more
compatible and usable in code)

Thnx for your help.

Timothy.
 

Joe Kaplan (MVP - ADSI)

When you are using Windows authentication in IIS and ASP.NET, the roles in
the IPrincipal that gets created will be Windows groups, so they will be of
the form Domain\Group Name.

In order to make sure you are using Windows authentication in IIS, you must
disable anonymous access and enable Basic, Digest or Integrated
authentication. Don't use Basic without SSL or you will be passing
credentials in plain text over the network. In ASP.NET, you need to make
sure the authentication tag in web.config is set to Windows (which is the
default).

In order to authenticate users in Active Directory, the IIS server must be a
member of the Active Directory domain.

If you want to build your own authentication scheme using
System.DirectoryServices or something, then you will also be responsible for
building the IPrincipal object that contains the user's roles. This sample
of Forms authentication with System.DirectoryServices is an okay starting
point.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

HTH,

Joe K.
 

Timothy Parez

Joe said:
When you are using Windows authentication in IIS and ASP.NET, the roles in
the IPrincipal that gets created will be Windows groups, so they will be of
the form Domain\Group Name.

In order to make sure you are using Windows authentication in IIS, you must
disable anonymous access and enable Basic, Digest or Integrated
authentication. Don't use Basic without SSL or you will be passing
credentials in plain text over the network. In ASP.NET, you need to make
sure the authentication tag in web.config is set to Windows (which is the
default).

In order to authenticate users in Active Directory, the IIS server must be a
member of the Active Directory domain.

If you want to build your own authentication scheme using
System.DirectoryServices or something, then you will also be responsible for
building the IPrincipal object that contains the user's roles. This sample
of Forms authentication with System.DirectoryServices is an okay starting
point.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

HTH,

Joe K.

Hey,

I've got that working now
and I am now able to get the name from User.Identity in my ASP.NET page,
but methods like IsInRole() seem to have no effect on it.

Any suggestions?
 

Joe Kaplan (MVP - ADSI)

How are you testing the IsInRole method? With Windows/Domain logins, the
groups you use must be in the form "domain\group name".

Joe K.
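Joe's two points about ASP.NET Windows authentication, that the runtime builds the IPrincipal from the IIS logon and that the role names are Windows groups in Domain\Group form, put together in an added example that is not code from the thread. It shows the web.config that goes with it (as a comment at the top, in the same shape as Timothy's but with a domain-qualified group) and a page that checks User.IsInRole with the qualified name, then lists the groups actually present in the token so that a failing IsInRole can be diagnosed. CONTOSO\Admins is a placeholder for the real group; listing the groups uses WindowsIdentity.Groups, which assumes .NET Framework 2.0 or later.

```csharp
// Added example, not from the thread: checking a Windows group from an
// ASP.NET page once IIS performs Windows authentication (anonymous access
// disabled, Integrated/Digest/Basic-over-SSL enabled). "CONTOSO\Admins"
// is a placeholder; WindowsIdentity.Groups needs .NET Framework 2.0+.
//
// web.config that pairs with this page (placeholder group, Domain\Group form):
//   <system.web>
//     <authentication mode="Windows"/>
//     <authorization>
//       <allow roles="CONTOSO\Admins" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
using System;
using System.Security.Principal;
using System.Web.UI;

public partial class AdminPage : Page
{
    const string AdminGroup = @"CONTOSO\Admins"; // placeholder

    protected void Page_Load(object sender, EventArgs e)
    {
        // With Windows authentication the runtime attaches a WindowsPrincipal
        // built from the IIS logon token; User.Identity is its WindowsIdentity.
        WindowsIdentity id = User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
        {
            Response.StatusCode = 401; // IIS did not authenticate the caller
            return;
        }

        // Domain-qualified check. A bare "Admins" never matches, which is the
        // usual reason IsInRole appears to "have no effect".
        bool isAdmin = User.IsInRole(AdminGroup);
        Response.Write(Server.HtmlEncode(id.Name) + " admin=" + isAdmin + "<br/>");

        // Diagnostic: list the group SIDs in the token, translated to
        // Domain\Group names, so you can see exactly what IsInRole compares against.
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value; // orphaned SID, show it raw
            }
            Response.Write(Server.HtmlEncode(name) + "<br/>");
        }
    }
}
```

If the group list shows the expected Domain\Group name but the `<allow roles="...">` entry still denies access, compare the two strings character for character; the role match is an exact name comparison, and the IIS server must be a domain member for the token to contain domain groups at all.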
 