User management with Windows Authentication

Discussion in 'ASP .Net Security' started by jfer, Sep 15, 2005.

  1. jfer

    jfer Guest

    I am creating a web application for use on an intranet and am having
    some problems understanding how to maintain web application user lists
    with windows authentication. Adding domain users to a group on the web
    server and utilizing <allow><deny> tags to restrict access is quite
    nice. However this is really only feasible when the userbase is small.
    If one of your apps has to allow 500+ people you would have to sit at
    the server and add all these domain accounts to the windows group. Is
    there a better way? This seems like an adminmistrative nightmare.

    Thanks
     
    jfer, Sep 15, 2005
    #1
    1. Advertising

  2. Hello jfer,

    just use domain groups in the <authorization> element or on the NTFS ACLs
    of the aspx pages.
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am creating a web application for use on an intranet and am having
    > some problems understanding how to maintain web application user lists
    > with windows authentication. Adding domain users to a group on the
    > web
    > server and utilizing <allow><deny> tags to restrict access is quite
    > nice. However this is really only feasible when the userbase is
    > small.
    > If one of your apps has to allow 500+ people you would have to sit at
    > the server and add all these domain accounts to the windows group. Is
    > there a better way? This seems like an adminmistrative nightmare.
    >
    > Thanks
    >
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #2
    1. Advertising

  3. jfer

    jfer Guest

    The problem is not how to use <authorization> the problem is how do you
    maintain the listing of windows users and groups which <authorization>
    depends on. Sitting at the server and adding 500 users to a
    "toolXUser" group for a toolX web application seems a bit much. I
    would like to maintain this listing of groups in a SQL database so that
    I can build my own front end for maintaining the users and groups. Is
    this where I need to build up my own GenericPrincipal ? Any thoughts
    are appreciated.

    Thanks
     
    jfer, Sep 15, 2005
    #3
  4. Hello jfer,

    what makes a SQL front end better than a (already provided) front end for
    windows account management?? What do you mean by "sitting at the server"
    - as is said you can use AD groups and this all works remotely.

    Of course, you can do that - do you want to switch completely to sql based
    user account management do you just want to store the roles in sql?
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > The problem is not how to use <authorization> the problem is how do
    > you maintain the listing of windows users and groups which
    > <authorization> depends on. Sitting at the server and adding 500
    > users to a "toolXUser" group for a toolX web application seems a bit
    > much. I would like to maintain this listing of groups in a SQL
    > database so that I can build my own front end for maintaining the
    > users and groups. Is this where I need to build up my own
    > GenericPrincipal ? Any thoughts are appreciated.
    >
    > Thanks
    >
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #4
  5. jfer

    jfer Guest

    Yes I want to store the roles in SQL but I am having problems
    understanding how to attach the roles to the user. I was initially
    using Forms Authentication and the new RoleManager aspect of ASP.NET
    2.0 to pull roles from SQL for users. However I realized forms
    authentication is not a viable solution to another aspect of my tool so
    I need windows authentication with the rolemanager for authorization
    elements. Is it possible to mix these? Thanks for insight
     
    jfer, Sep 16, 2005
    #5
  6. jfer

    jfer Guest

    Just to clarify I want to use windows authentication in my web
    application but I want to maintain and attach my own roles to the user
    pulled from an SQL database. Theres plenty of examples on the web
    showing how to do this with Forms Authentication but I cannot seem to
    find any using Windows Authentication.

    Thanks
     
    jfer, Sep 16, 2005
    #6
  7. Hello jfer,

    in Authenticate_Request

    // get the roles
    string[] roles = _getRoles(Context.User.Identity.Name);

    // create new prinicipal
    GenericPrincipal p = new GenericPrincipal(Context.User.Identity, roles);

    // set new user
    Context.User = p;
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Yes I want to store the roles in SQL but I am having problems
    > understanding how to attach the roles to the user. I was initially
    > using Forms Authentication and the new RoleManager aspect of ASP.NET
    > 2.0 to pull roles from SQL for users. However I realized forms
    > authentication is not a viable solution to another aspect of my tool
    > so I need windows authentication with the rolemanager for
    > authorization elements. Is it possible to mix these? Thanks for
    > insight
    >
     
    Dominick Baier [DevelopMentor], Sep 16, 2005
    #7
  8. jfer

    jfer Guest

    I am using the new asp.net role manager/provider to obtain and link a
    user to roles. My problem is the authentication portion of the system
    now. In asp.net 2.0 how do you hook into the Authenticate_Request
    portion of the pipeline? Is this done through an HTTPModule? Again
    appreciate the help. Thanks
     
    jfer, Sep 19, 2005
    #8
  9. Hello jfer,

    ah ok - important info...

    no -the sql role provide assumes forms authentication.

    either you write your own role provider, or you disable role provider and
    do it in authenticate_request as i showed you - the heavy lifting has to
    be done in the getRoles method.

    Just add a Authenticate_Request method to global.asax or write a HttpModule.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am using the new asp.net role manager/provider to obtain and link a
    > user to roles. My problem is the authentication portion of the system
    > now. In asp.net 2.0 how do you hook into the Authenticate_Request
    > portion of the pipeline? Is this done through an HTTPModule? Again
    > appreciate the help. Thanks
    >
     
    Dominick Baier [DevelopMentor], Sep 19, 2005
    #9
  10. jfer

    jfer Guest

    I have created my own role provider by extending the SqlRoleProvider
    class as I did not want to be stuck to Microsoft's backend database.
    So far it seems I am able to mix Windows authentication with a role
    provider (without using forms authentication) as my <allow
    roles="someRole"> are correctly authorizing from the web.config. Just
    thought I'd share that.

    Cheers
     
    jfer, Sep 20, 2005
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Floris van Haaster

    Project management / bug management

    Floris van Haaster, Sep 23, 2005, in forum: ASP .Net
    Replies:
    3
    Views:
    1,260
    Jon Paal
    Sep 23, 2005
  2. pouet
    Replies:
    2
    Views:
    793
    Will Hartung
    Jul 30, 2004
  3. Ramon
    Replies:
    5
    Views:
    3,755
    isocial
    Mar 25, 2010
  4. Mike Robbins
    Replies:
    1
    Views:
    153
  5. Ilias Lazaridis

    User Management and Authentication with Perl

    Ilias Lazaridis, Jun 25, 2007, in forum: Perl Misc
    Replies:
    4
    Views:
    125
    Ilias Lazaridis
    Jun 28, 2007
Loading...

Share This Page