Windows Integrated Security - Restricting Users Without Groups

Mr Newbie

Hi,

I'm in a situation where I need to restrict users, but I don't have access or
won't be allowed access to manage groups in the domain. How can I restrict
access in this case?
 
Edwin Knoppert

I wonder then, how will you distinguish a user at all?
I'm using roles; when the user gets authenticated I stamp it to 'user' :)

I think you'll need to elaborate on the possibilities you have.
 
Confused !

The possibilities are slim

Windows Authentication
No ability to add and remove people from the active directory.

I want to restrict users from being able to access the site.

--
 
Kevin Spencer

Hi Mr. N,

It's not clear from your post whether or not it is a requirement that your
users are, in fact, Active Directory user accounts, or whether, perhaps, they
could be some other form of "user."

That is, if the requirement is that they are Active Directory users, and you
have access to Active Directory via System.DirectoryServices and LDAP (read
only at least), you can create a separate database with an entry for each
user. Then you can manage the permissions that each user has via this
database, which would be entirely separate from Active Directory, other than
the user account name being in Active Directory, and the web requiring an
Active Directory login to access (disallow anonymous access, in other
words). If this is the case, all Active Directory user accounts would have
to have permission to log in to the web site (so that your ASP.Net app could
authenticate them via your database), and your app would handle allowing
access to different resources, or even all resources.

If, on the other hand, you either can't grant all domain users access to the
web, or you can't get read access to the Active Directory, you could allow
anonymous access, employ a web login (via a web page), and use a database to
manage the permissions in much the same way as described above.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.
 
Mr Newbie

Hi Kevin,

Thanks for your reply. I have managed to restrict access to roles by using
the following in the Authentication Event in global.asax. I have hard coded
it just for test purposes, but I can then add the allow
roles="Administrator" into the web.config and this works.

However, in my testing, I can't seem to get User.IsInRole("GroupName") to
work; it seems that the Windows group membership does not correlate to this
function (at least I can't get it to work). Do you know where these groups
need to be (local machine, domain, universal group, etc.), and do you
have to go get the memberships etc. from those groups?

Cheers - Mr N

If Request.IsAuthenticated Then
    Dim rl As System.Collections.ArrayList
    rl = DataAccess.getUserRoles(User.Identity.Name)

    'Convert the roleList ArrayList to a String array
    '(hard coded for testing; the real conversion is commented out below)
    Dim roleListArray As String() = {"Administrator"}
    'CType(rl.ToArray(GetType(String)), String())

    'Add the roles to the User Principal
    HttpContext.Current.User = _
        New System.Security.Principal.GenericPrincipal(User.Identity, roleListArray)
End If
 
Mr Newbie

Patrick, thanks for your reply.

Through investigation, I have discovered that you don't need impersonation to
check the group membership. What I was missing was the domain name:
DOMAINNAME\GroupName

The only caveat here is that if you change the groups, the user needs to log
off and on again to make the changes effective. Using the Windows security
permissions principal has no real value in my case, and impersonation
carries additional overhead, not to mention the extra risk of failure of the
application when those permissions are not taken into account.
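
Added example, not code from any poster in this thread: it combines the two approaches discussed above, checking domain-qualified Windows groups (DOMAINNAME\GroupName) and an application role store, before replacing the request principal. Once a GenericPrincipal is assigned, IsInRole only consults the role array passed to it, so the Windows group checks must happen first. The CONTOSO domain, the group and account names, and GetUserRolesFromStore (a stand-in for the thread's DataAccess.getUserRoles) are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication

    ' Assumed mapping: domain-qualified Windows group -> application role.
    Private Shared ReadOnly GroupToRole As New Dictionary(Of String, String) From {
        {"CONTOSO\WebAdmins", "Administrator"},
        {"CONTOSO\WebReaders", "Reader"}
    }

    ' Hypothetical role store keyed by account name (constructed sample data).
    ' In a real application this would query the application's own database.
    Private Shared Function GetUserRolesFromStore(account As String) As IEnumerable(Of String)
        Dim store As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase) From {
            {"CONTOSO\jdoe", New String() {"Reader"}}
        }
        Dim found As String() = Nothing
        If store.TryGetValue(account, found) Then Return found
        Return New String() {}   ' unknown account: no application roles
    End Function

    ' Merge roles from the store with roles implied by Windows group membership.
    Public Shared Function BuildRoles(user As IPrincipal) As String()
        Dim roles As New List(Of String)(GetUserRolesFromStore(user.Identity.Name))
        For Each pair As KeyValuePair(Of String, String) In GroupToRole
            ' For a WindowsPrincipal this checks the groups in the logon token.
            If user.IsInRole(pair.Key) AndAlso Not roles.Contains(pair.Value) Then
                roles.Add(pair.Value)
            End If
        Next
        Return roles.ToArray()
    End Function

    Protected Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        Dim current As IPrincipal = HttpContext.Current.User
        If current Is Nothing OrElse Not current.Identity.IsAuthenticated Then Return
        ' Resolve group membership BEFORE swapping the principal.
        HttpContext.Current.User = New GenericPrincipal(current.Identity, BuildRoles(current))
    End Sub
End Class
```

With this in place, an allow roles="Administrator" rule in web.config and User.IsInRole("Administrator") both evaluate against the merged role list.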
 
