Ok, so if you are using the ActiveDirectoryMembershipProvider then you will
indeed have to code something. MSDN implies (see excerpt below) that you
don't need to. Since this probably means that IIS is running as a local
anonymous account, you will probably have to wrap up the sample code in a
COM+ (whoops, call that Enterprise Services) class and give it an AD
identity that has enough permissions to enumerate groups on other user
objects.
// from
http://msdn.microsoft.com/library/d...s/dnpag2/html/WSS_Ch3_ImpDirectAuth_WSE30.asp
If you use an LDAP-enabled directory service other than Active Directory
or ADAM to validate credentials, you may need to create a custom
membership provider. For more details on how to build custom ASP.NET 2.0
providers, see Building Custom Providers for ASP.NET 2.0 Membership. Also,
depending on how you store and retrieve account roles in your directory
service, you may need to implement a custom RoleProvider. For example, if
you use an LDAP schema for user roles that is not supported through
ActiveDirectoryMembershipProvider, you will need to implement a custom
RoleProvider to retrieve roles for your users.
In a custom RoleProvider class, you need to retrieve the user roles from
the directory service by overriding the GetRolesForUser() method. The code
to retrieve user roles from the directory service would look like the
following example.
// Requires: using System; using System.DirectoryServices;
public override string[] GetRolesForUser(string username)
{
    using (DirectoryEntry rootEntry = new DirectoryEntry(this.connectionString))
    {
        rootEntry.Username = this.username;
        rootEntry.Password = this.password;
        // AuthenticationTypes.None is a simple LDAP bind: the service account's
        // password crosses the wire in clear text unless the connection uses
        // LDAPS (combine with AuthenticationTypes.SecureSocketsLayer).
        rootEntry.AuthenticationType = AuthenticationTypes.None;
        rootEntry.RefreshCache();

        // Search for the user in the directory service.
        using (DirectorySearcher searcher = new DirectorySearcher(rootEntry))
        {
            searcher.PropertiesToLoad.Add("memberOf");
            searcher.PropertiesToLoad.Add(this.usernameAttribute);
            // Escape the caller-supplied name so it cannot alter the filter
            // (RFC 4515); the original sample interpolated it unescaped.
            searcher.Filter = String.Format("(&(objectClass=user)({0}={1}))",
                this.usernameAttribute, EscapeFilterValue(username));
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                // Unknown user: no roles rather than a NullReferenceException.
                return new string[0];
            }
            using (DirectoryEntry userEntry = result.GetDirectoryEntry())
            {
                // memberOf holds the distinguished names of the groups the user
                // is a direct member of (nested groups and the primary group are
                // not listed); the roles are returned as those DNs.
                PropertyValueCollection property = userEntry.Properties["memberOf"];
                if (property.Value is Array)
                {
                    Array values = (Array)property.Value;
                    string[] roles = new string[values.Length];
                    values.CopyTo(roles, 0);
                    return roles;
                }
                if (property.Value is string)
                {
                    return new string[] { (string)property.Value };
                }
                // No memberOf attribute: an empty role list, never null.
                return new string[0];
            }
        }
    }
}

// Escapes the characters that are special in an LDAP search filter value
// (RFC 4515) so user input is matched literally.
private static string EscapeFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}
Joe Kaplan (MVP - ADSI) said:
I think he is using the Active Directory membership provider in ASP.NET
2.0 though, so he doesn't get a WindowsPrincipal. It uses LDAP, so he
needs a corresponding LDAP method to build roles as well (unless he can
use protocol transition).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net