web site and active directory

Guest

I'm creating a new intranet web site in VS 05 .NET 2.0 and I don't want my
users to log into the site at all. How can I get their username and show their
full name on my web page, and how can I give the users "roles"? Meaning, if
the AA hits the site I don't want her seeing IT menu picks or menu options not
for her, and if IT hits the site, I don't want them seeing menu picks for
sales.

OK, in a nutshell here is what I want to accomplish:
1) show menu options to the user based on their role/department
2) show the user's full name on my page: John Smith and not Domain\Smith
 
David R. Longnecker

While I'm sure there are several ways, here's how I do it based off web searches and general trial and error.

This has worked flawlessly (so far) with both AD 2000 and AD 2003. Be sure to import System.DirectoryServices as a reference.

Create a class either in your business logic tier or your web (presentation) tier. See the attachment for an example. The general logic is highlighted below. This returns a dataset of names based on a received dataset of usernames. You could just as easily use the same logic via the getUser and pull only displayName.

using System;
using System.Data;
using System.DirectoryServices;

// Fields the snippet relied on but did not declare.
private static DirectoryEntry root;
private static string defaultContext;
private static DirectoryEntry entry;
private static DirectorySearcher search;

private static void setup()
{
    root = new DirectoryEntry("LDAP://RootDSE");
    defaultContext = "LDAP://" +
        (string)root.Properties["defaultNamingContext"].Value;
    entry = new DirectoryEntry(defaultContext);
    // Bind credentials for a read-only service account; load them from
    // protected configuration rather than leaving literals in source.
    entry.Username = "domain\\user";
    entry.Password = "password";
    entry.AuthenticationType = AuthenticationTypes.Secure;
    entry.Options.PageSize = 999;
}

// Escapes the characters RFC 4515 reserves in filter values, so a username
// containing '*', '(', ')' or '\' cannot change the meaning of the filter.
private static string escapeFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

// First value of a property on the result, or "" when the property is absent.
private static string getADProperty(SearchResult result, string propertyName)
{
    if (result.Properties.Contains(propertyName) && result.Properties[propertyName].Count > 0)
        return result.Properties[propertyName][0].ToString();
    return "";
}

// Call setup() once before this. Returns a row holding username and displayName.
public static DataRow getUser(String username)
{
    DataTable dt = new DataTable();

    dt.Columns.Add("username");
    dt.Columns.Add("displayName");

    // Create the row after the columns exist so the row carries both columns.
    DataRow row = dt.NewRow();

    search = new DirectorySearcher(entry);
    search.Filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";
    search.PropertiesToLoad.Add("displayName");

    SearchResult result = search.FindOne();

    if (result != null)
    {
        row["username"] = username;
        row["displayName"] = getADProperty(result, "displayname");
    }

    return row;
}

On your web page, you now have a datarow to query and set your label.text = your datarow["displayName"].ToString(). This will allow you to capture departments, usernames, displaynames, etc. The only caveat is in regards to group membership. memberOf is a long list of group memberships that are sometimes odd to parse through (to me). Here's how I do it; this assumes you already have your SearchResults (result) from earlier.

// Walks each result's memberOf values and flags the session when the user is
// in group1 or group2. Each value must be read with [i]: calling ToString() on
// the whole collection returns its type name, not a DN.
private void checkGroupMembership(SearchResultCollection resultCol)
{
    foreach (SearchResult result in resultCol)
    {
        String group = "";

        int propCount = result.Properties["memberOf"].Count;

        for (int i = 0; i <= propCount - 1; i++)
        {
            String dn = result.Properties["memberOf"][i].ToString();
            int index = dn.IndexOf("=", 1);
            int index2 = dn.IndexOf(",", 1);
            // Both delimiters must be present, with the comma after the '=',
            // otherwise Substring below throws on a malformed DN.
            if (index != -1 && index2 > index)
            {
                group = dn.Substring(index + 1, (index2 - index) - 1).ToLower();

                if (group == "group1" ||
                    group == "group2")
                {
                    Session["isMemberofGroups"] = true;
                    return;
                }
            }
        }
    }
}

You can build these into functions such as IsMemberOfA(string username) and include the setup() as posted earlier... or however your data and business layers are set up.

Hope this helps!

-dl
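The two lookups described in the post above, rewritten as an added example that is not David's code: the filter value is escaped per RFC 4515 so the username cannot rewrite the search, the bind runs as the worker-process identity instead of a password kept in source, and group matching compares the full distinguishedName rather than the CN prefix. The `AdLookup` class, the group DN and the `example.local` domain are placeholders of this example.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example: hardened version of the lookup pattern in the post above.
public static class AdLookup
{
    // RFC 4515 escaping. Without it a username such as "*)(objectClass=*" becomes
    // part of the filter and the search no longer means what the code says.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // User.Identity.Name under Windows authentication is "DOMAIN\user"; the
    // filter needs only the sAMAccountName part.
    public static string SamAccountName(string identityName)
    {
        int slash = identityName.LastIndexOf('\\');
        return slash < 0 ? identityName : identityName.Substring(slash + 1);
    }

    // Reads displayName and the direct group DNs for one account. No Username or
    // Password is set on the DirectoryEntry, so the bind runs as the application
    // pool identity, which only needs read access to the directory.
    public static bool TryGetUser(string identityName, out string displayName, out List<string> groupDns)
    {
        displayName = "";
        groupDns = new List<string>();
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string context = "LDAP://" + (string)rootDse.Properties["defaultNamingContext"].Value;
            using (DirectoryEntry domain = new DirectoryEntry(context))
            using (DirectorySearcher searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" +
                                  EscapeFilterValue(SamAccountName(identityName)) + "))";
                searcher.PropertiesToLoad.Add("displayName");
                searcher.PropertiesToLoad.Add("memberOf");

                SearchResult result = searcher.FindOne();
                if (result == null) return false;

                // ResultPropertyCollection keys are case-insensitive; lowercase used for clarity.
                if (result.Properties["displayname"].Count > 0)
                    displayName = result.Properties["displayname"][0].ToString();
                foreach (object dn in result.Properties["memberof"])
                    groupDns.Add(dn.ToString());
                return true;
            }
        }
    }

    // Compares whole DNs: two groups in different OUs can share a CN, and CN-prefix
    // parsing would treat them as the same group.
    public static bool IsDirectMemberOf(List<string> groupDns, string wantedGroupDn)
    {
        foreach (string dn in groupDns)
            if (string.Equals(dn, wantedGroupDn, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}

// Usage from a page (placeholder DN; use the group's real distinguishedName):
//   string name; List<string> groups;
//   if (AdLookup.TryGetUser(User.Identity.Name, out name, out groups))
//       showItMenu = AdLookup.IsDirectMemberOf(groups, "CN=IT,OU=Groups,DC=example,DC=local");
```

Two caveats worth knowing before building menus on this: memberOf lists direct memberships only, so a user who reaches a group through a nested group is not found; and under integrated Windows authentication `User.IsInRole(@"DOMAIN\IT")` consults the logon token, which already contains nested groups, so for the menu decision itself no directory query is needed at all. The directory lookup is still the right tool for the displayName.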
 
Sean Chambers

I have done something similar to this before. The easiest way to do it
is to add them to groups via AD, then on the first load of the site,
grab a list of the groups they are a member of, enumerate the group
membership and add it to an authentication ticket; this way you don't have
to query AD on every postback. Then on whatever page, add the content
pieces depending on their group membership in the authentication
ticket.

There's a couple of tutorials on this kind of stuff. I know there is one
on thecodeproject.com somewhere; if you need it I can provide some code
from one of my older projects.

hope this helps!

sean
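The approach Sean describes, as an added example that is not his code: on the first authenticated request the user's group names are read from the Windows logon token and stored in the UserData field of a FormsAuthenticationTicket, which is encrypted and signed with the application's machineKey; on later requests the roles come from that cookie and the principal is rebuilt without touching the directory. The `RoleTicketModule` class, the cookie name `.ROLES`, the 30-minute lifetime and the cap of 50 roles are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: caches group membership in a signed, encrypted ticket cookie.
// Assumes IIS integrated Windows authentication has already identified the caller.
public class RoleTicketModule : IHttpModule
{
    const string CookieName = ".ROLES";   // placeholder name
    const int MaxRoles = 50;              // keeps the cookie well under 4 KB
    const int LifetimeMinutes = 30;       // roles are stale until the ticket expires

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity identity = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles;
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null || !TryReadRoles(cookie.Value, identity.Name, out roles))
        {
            // First request, or an expired/tampered/foreign ticket: rebuild from the token.
            roles = GroupNames(identity);
            ctx.Response.Cookies.Add(MakeCookie(identity.Name, roles, ctx.Request.IsSecureConnection));
        }
        // User.IsInRole on the pages now answers from the cached list.
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Group SIDs from the logon token, translated to DOMAIN\Group names.
    // The token already contains nested groups, unlike memberOf in the directory.
    public static string[] GroupNames(WindowsIdentity identity)
    {
        List<string> names = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
        {
            try { names.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { /* orphaned SID: skip it */ }
            if (names.Count == MaxRoles) break;
        }
        return names.ToArray();
    }

    // Roles are joined with '|', a character that does not occur in AD group names.
    public static HttpCookie MakeCookie(string userName, string[] roles, bool secure)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(LifetimeMinutes),
            false, string.Join("|", roles));
        HttpCookie cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not readable by page script
        cookie.Secure = secure;   // only sent back over HTTPS when issued over HTTPS
        return cookie;
    }

    // Rejects tickets that fail decryption or validation, have expired, or were
    // issued to a different account than the one Windows just authenticated.
    public static bool TryReadRoles(string cookieValue, string expectedUser, out string[] roles)
    {
        roles = null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookieValue); }
        catch (Exception) { return false; }
        if (ticket == null || ticket.Expired) return false;
        if (!string.Equals(ticket.Name, expectedUser, StringComparison.OrdinalIgnoreCase)) return false;
        roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split('|');
        return true;
    }
}
```

Register the module under `<httpModules>` in web.config. The check against `identity.Name` matters: without it a ticket issued to one user would be honoured for whoever presents it. The trade-off of caching is that a user removed from a group keeps the old roles until the ticket expires, so keep the lifetime short and make the menu trimming a convenience, with the real authorization enforced on each page or folder.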
 
Steven Cheng[MSFT]

Thanks for Sean's and David's input.

Hello igotyourdotnet,

As for the intranet application, you mentioned that you do not want the
client users to log into the site at all. Do you mean you do not want to
explicitly prompt (a form) in your web application to accept the user's
username/password credential but automatically get their Windows identity
information? If this is the case, you can enable integrated Windows
authentication for the ASP.NET's virtual directory in IIS and also disable
anonymous access. Thus, IIS will automatically authenticate the
client request and get the Windows identity info. Also, in your ASP.NET
application, you need to configure it to use "Windows" authentication so
that you can get the user identity in ASP.NET code, e.g.

====================
protected void Page_Load(object sender, EventArgs e)
{
    // HtmlEncode keeps the identity text inert when written into the page
    Response.Write("<br/>user: " + Server.HtmlEncode(User.Identity.Name));
}
====================

For your scenario, you also want to provide role based authorization on
page resources. Since the roles should be application specific (not quite
coupled with Windows user groups), I suggest you use custom storage like a
database to store the roles for each Windows user, and the ASP.NET default
SqlRoleProvider is capable of this. So here you can use Windows
authentication + SqlRoleProvider together to provide role based URL
authorization against Windows users. Also, for the menu item displaying
(depending on user role), you can use the Security Trimming feature of the
ASP.NET SiteMapProvider.

#ASP.NET Site-Map Security Trimming
http://msdn2.microsoft.com/en-us/library/ms178428.aspx

And there is a good example demonstrating all the above things I mentioned
from scottgu's blog:

#Recipe: Implementing Role-Based Security with ASP.NET 2.0 using Windows Authentication and SQL Server
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
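The configuration Steven describes, as an added example that is not taken from the linked recipe: Windows authentication with anonymous access denied, SqlRoleProvider for application-specific roles, security trimming on the site-map provider, and a URL-authorization rule that limits the IT folder to the IT role. The connection string, the application name, the folder name and the role name are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- placeholder; the aspnetdb schema is created with aspnet_regsql.exe -->
    <add name="RolesDb" connectionString="Server=.;Database=aspnetdb;Integrated Security=true" />
  </connectionStrings>
  <system.web>
    <!-- IIS does the authentication (integrated Windows auth, anonymous disabled);
         ASP.NET only reads the resulting identity -->
    <authentication mode="Windows" />
    <!-- second line of defence: reject any request that reached ASP.NET without an identity -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- application-specific roles live in SQL Server, keyed by DOMAIN\user -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="RolesDb" applicationName="/Intranet" />
      </providers>
    </roleManager>
    <!-- menus bound to the site map show only nodes the current roles may reach -->
    <siteMap defaultProvider="XmlSiteMap" enabled="true">
      <providers>
        <clear />
        <add name="XmlSiteMap" type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap" securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>
  <!-- URL authorization per folder: only the IT role reaches /IT; this rule is
       what security trimming consults when it decides whether to show the node -->
  <location path="IT">
    <system.web>
      <authorization>
        <allow roles="IT" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this layout the menu is trimmed and the folder is protected by the same rule, so a user who types the URL of a hidden menu item still gets a 401 rather than the page. Adding `roles="*"` to a node in Web.sitemap makes that node visible to everyone regardless of the URL rule, which is handy for a home link but should not be put on the nodes you are trying to hide.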



 
