Using login alias in Membership Provider

Discussion in 'ASP .Net Security' started by Stephen Walch, Oct 27, 2006.

  1. Our user directory allows authentication with "short names". For example,
    the user "Joe Cool/Acme" can log in with the user id "jcool".

    In implementing an ASP.NET Membership Provider, we can not figure out how to
    supply the real user name (used in access control settings, etc.) when users
    log in using just the short name. It seems like the ValidateUser method
    should provide a way to supply the real name in addition to just returning
    true or false. Are we missing something?

    Thanks!
     
    Stephen Walch, Oct 27, 2006
    #1

  2. no - this is just not supported by membership. If you need to augment the
    membership data with additional data you need to use Profile and simply write
    your own authentication library that is not tied to membership.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier, Oct 27, 2006
    #2

  3. sorry - i meant

    _or_ simply write your own auth lib.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier, Oct 27, 2006
    #3
  4. Hello Stephen,

    I think Dominick's suggestion is reasonable. From the requirement you
    mentioned, you want to also provide an additional display name when the
    user logs in through their logid. I think the Display name is an additional
    field to the built-in membership provider; the built-in membership provider
    exposes username, password, email, question, answer.... properties.

    Therefore, if you want to attach such additional properties, you may
    consider extending the default membership provider or use other storage
    (such as the Profile properties Dominick mentioned). Would you also tell us
    how you will use the display name in your application's code (some pseudo
    code will be helpful). We can consider which approach is better according to
    your concrete scenario.

    Here are some articles about the ASP.NET profile service and membership
    provider

    #ASP.NET Profile Properties
    http://msdn2.microsoft.com/en-us/library/at64shx3.aspx

    #Defining ASP.NET Profile Properties
    http://msdn2.microsoft.com/en-us/library/d8b58y5d.aspx


    #ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
    Resources
    http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

    Please feel free to let me know if you have any further questions or ideas.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Oct 27, 2006
    #4
  5. I believe that you have misunderstood my question. I am not trying to add a
    "Display Name". Users have only one name ("John Smith/Acme") and that is
    the only name that is ever used in access control lists, role membership
    lists, etc. and it is the only name that should be displayed.

    The problem is that my directory allows users to authenticate with multiple
    versions of their name ("John Smith", "jsmith" " or even
    "John" or "Smith" if those happen to be unique in the organization).
    Regardless of how they authenticate, I always want to return the real name
    "John Smith/Acme" to ASP.NET.


     
    Stephen Walch, Oct 27, 2006
    #5
  6. Thanks for your reply Stephen,

    So are you using the AD membership provider currently? If so, the AD
    membership provider only allows us to authenticate users in a single format.
    If you're not authenticating users through the AD membership provider, are
    you using a custom provider or an extended membership provider derived from
    the AD membership provider? As you said that

    "Users have only one name ("John Smith/Acme") and that is the only name
    that is ever used in access control lists, role membership lists, etc."

    Then, you should always use this name as the username to validate through
    the membership provider. In other words, you cannot make the membership
    provider know both "John Smith/Acme" and "", you must
    determine which schema to use. At least the current built-in
    ActiveDirectory membership provider requires this.

    Also, as for the ACL (Access Control List) you mentioned, are they normal
    NTFS file ACLs or AD object ACLs? How will you use them in your application?

    If convenient, you can provide the membership & role manager specific
    configuration in your application's web.config so that we can get a clear
    view of it.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Oct 27, 2006
    #6
  7. Hello,

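    If I understand correctly, you want to authenticate a user with either his
    userId, his name, shortname, cn....?

    You can search through AD using the anr property then get the user's upn.

    For this, you need to add some code to perform the search (something like
    the following)

        ValidateUser(GetUPN(<whatever>), <password>)

        ' At the top of the file:
        Imports System.DirectoryServices

        ' Resolve whatever the user typed (ANR match) to the account's userPrincipalName.
        Private Function GetUPN(ByVal userId As String) As String
            Dim de As DirectoryEntry = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().GetDirectoryEntry()
            Dim deSearch As DirectorySearcher = New DirectorySearcher()

            deSearch.SearchRoot = de
            ' Escape filter metacharacters so the typed value cannot alter the LDAP filter.
            deSearch.Filter = "(&(objectClass=user)(anr=" + EscapeLdapFilter(userId) + "))"
            deSearch.SearchScope = SearchScope.Subtree
            deSearch.PropertiesToLoad.Add("userPrincipalName")
            ' FindOne returns a single SearchResult (the first match), or Nothing.
            Dim result As SearchResult = deSearch.FindOne()
            If Not (result Is Nothing) AndAlso result.Properties("userPrincipalName").Count > 0 Then
                Return result.Properties("userPrincipalName")(0).ToString()
            Else
                Return Nothing
            End If
        End Function

        ' RFC 4515 escaping for a value placed inside a search filter.
        Private Function EscapeLdapFilter(ByVal value As String) As String
            Return value.Replace("\", "\5c").Replace("*", "\2a") _
                        .Replace("(", "\28").Replace(")", "\29") _
                        .Replace(vbNullChar, "\00")
        End Function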

    You may need additional search properties.

    warning: the function may not work as is.

    HTH

    Renaud

     
    Renaud Langis, Oct 27, 2006
    #7
  8. Thanks, but I am not using AD. See above posts.

     
    Stephen Walch, Oct 27, 2006
    #8
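
The pattern the replies point toward (resolve the typed alias to the one real name, validate against that name, and issue the ticket under it), shown as an added example that is not code from any poster in this thread. The class name `AliasLogin`, the in-memory directory and the password check are constructed assumptions standing in for the real directory and provider.

```vbnet
Imports System
Imports System.Collections.Generic

' Added example: alias-to-canonical-name resolution placed in front of the
' credential check. All names and data below are constructed for illustration.
Public Class AliasLogin
    ' canonical name -> login aliases accepted for that account (constructed data)
    Private ReadOnly _aliases As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)
    ' Stand-in for the real credential check, e.g. the provider's ValidateUser.
    Private ReadOnly _validate As Func(Of String, String, Boolean)

    Public Sub New(validate As Func(Of String, String, Boolean))
        _validate = validate
        _aliases.Add("John Smith/Acme", New String() {"John Smith", "jsmith", "John", "Smith"})
        _aliases.Add("John Doe/Acme", New String() {"John Doe", "jdoe", "John", "Doe"})
    End Sub

    ' Returns the single canonical name for loginId, or Nothing when the alias is
    ' unknown or matches more than one account (an ambiguous alias never logs in).
    Public Function Resolve(loginId As String) As String
        If String.IsNullOrEmpty(loginId) Then Return Nothing
        Dim match As String = Nothing
        For Each entry As KeyValuePair(Of String, String()) In _aliases
            Dim hit As Boolean = String.Equals(entry.Key, loginId, StringComparison.OrdinalIgnoreCase)
            For Each a As String In entry.Value
                If String.Equals(a, loginId, StringComparison.OrdinalIgnoreCase) Then hit = True
            Next
            If hit Then
                If match IsNot Nothing Then Return Nothing ' second account matched: ambiguous
                match = entry.Key
            End If
        Next
        Return match
    End Function

    ' Validates against the canonical name and hands that name back to the caller.
    Public Function TryLogin(loginId As String, password As String, ByRef canonicalName As String) As Boolean
        canonicalName = Nothing
        Dim resolved As String = Resolve(loginId)
        ' Unknown alias, ambiguous alias and wrong password all fail the same way.
        If resolved Is Nothing OrElse Not _validate(resolved, password) Then Return False
        canonicalName = resolved
        Return True
    End Function
End Class

Module Demo
    Sub Main()
        ' Constructed password check; a real one would call the directory or provider.
        Dim auth As New AliasLogin(Function(user, pwd) user = "John Smith/Acme" AndAlso pwd = "constructed-pw")
        Dim name As String = Nothing
        For Each id As String In New String() {"jsmith", "Smith", "John", "nobody"}
            Dim ok As Boolean = auth.TryLogin(id, "constructed-pw", name)
            Console.WriteLine("{0}: {1} {2}", id, ok, name)
        Next
        ' In a login page, the ticket is issued under the canonical name, never the
        ' typed alias:  If ok Then FormsAuthentication.SetAuthCookie(name, False)
    End Sub
End Module
```

Because the ticket carries the resolved name, role and access-control checks see one identity per account regardless of which alias was typed.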