Getting AD Groups

Guest

Hi Gurus,

I seek your expert advice on the following scenario:

Environment: Windows 2003, IIS6, Windows Integrated Authentication, .Net
Framework 1.1, ASP.Net, C#

Based on Integrated Windows Authentication, I'm trying to get the AD
groups that the user belongs to from my ASP.Net page.

Any pointers, articles, links or samples are appreciated.

Thanks in advance.


Han

Joe Kaplan (MVP - ADSI)

Actually, even better is just to query the user's group membership via the
IPrincipal object in Context.User. From any web page you can do:

Context.User.IsInRole("mydomain\\mygroup");

With Windows Integrated Auth, the runtime uses the token created by IIS
during login to create a WindowsPrincipal object that will contain all of
the user's security group memberships. You just specify them in
domain\groupname format and you are all set.

Querying groups via S.DS works too, but I wouldn't recommend it if the
user's login token is already built. If you needed to query group
membership for a different user, then an AD lookup might be needed. Let me
know if you need the actual S.DS code to do that (it can be a bit icky).

Joe K.

David Coe said:
Check out classes inside of the System.DirectoryServices namespace. It's
pretty simple from there.
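The IsInRole check described above, written out as a complete page, is an added example and not code from the thread or from any of the posters. It assumes an ASP.NET page (1.1 or later) with Windows authentication in web.config and anonymous access switched off in IIS; the class name GroupCheckPage and the group MYDOMAIN\HelpdeskAdmins are placeholders. It also covers the caveat raised later in the thread: if anonymous access is still on, Context.User may not be an authenticated WindowsPrincipal at all, so the code verifies that before trusting the role check.

```csharp
// Added example (not from the thread). Checks group membership against the
// WindowsPrincipal that Integrated Windows Authentication places in Context.User.
// Assumes: <authentication mode="Windows" /> in web.config and anonymous access
// disabled in IIS. The page class name and group name are placeholders.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class GroupCheckPage : Page
{
    // Placeholder. Replace with the real DOMAIN\Group you want to require.
    private const string RequiredGroup = @"MYDOMAIN\HelpdeskAdmins";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // If anonymous access is still enabled, Context.User can be an
        // unauthenticated GenericPrincipal rather than a WindowsPrincipal.
        // Check before casting instead of assuming the token is there.
        WindowsPrincipal principal = Context.User as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // force the browser to authenticate
            Response.End();
            return;
        }

        if (!IsMember(principal, RequiredGroup))
        {
            Response.StatusCode = 403;   // authenticated, but not in the group
            Response.Write("Access denied.");
            Response.End();
            return;
        }

        // Encode the name before echoing it into HTML.
        Response.Write("Hello " + Server.HtmlEncode(principal.Identity.Name));
    }

    // Membership is answered from the group SIDs already in the logon token
    // that IIS built; no directory query is made.
    public static bool IsMember(WindowsPrincipal principal, string domainGroup)
    {
        return principal.IsInRole(domainGroup);
    }
}
```

For a whole directory or application the same rule can be declared in web.config instead, with `<allow roles="MYDOMAIN\HelpdeskAdmins" />` followed by `<deny users="*" />` under `<authorization>`; the runtime then performs the same IsInRole check before the page runs, which is harder to forget than a per-page check.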
 

Joseph E Shook [MVP - ADSI]

Since you are using Windows Integrated Security and all the other parts
that make life wonderful, I would agree with Joe Kaplan and look into the
token that is available on every page you request. At least it is
available on every page if anonymous authentication is also off, or
web.config only allows authenticated users, or some ACL set somewhere
forces the authentication. But anyway, on to the references...

Dan Appleman wrote a nice E-Book on Amazon that covers ways to use
reflection to call private members of the framework to get at a token's
groups. It is really cool but not a secure practice. With the 1.1
framework you can run the web application in partial trust modes that
disallow reflection, which is good. Here is the link, called Hijacking
.Net Vol 1: Role Based Security [DOWNLOAD: PDF]
http://www.amazon.com/exec/obidos/t..._dtl_eb/104-6955238-2682323?v=glance&s=ebooks


Another way to get the user groups from a token is through PInvoke of
the Win32 APIs. Keith Brown wrote a COM component that we as C#
developers can call through COM Interop rather than the laborious
PInvoke process that it would take in C#. Look at the code and you will
see. Here is the link:
http://www.pluralsight.com/keith/security/code/tokdumpsrv.zip
Their site is brand new so I actually had to infer this link. Look in
the bin directory and register the DLL. If you need some help getting
it to work before they have the site running, let me know. Or see the
next item.

I have worked on an HttpModule that hosts the tokdumpsrv.dll. The module
is set up to accept providers. I wrote a sample provider that
contains the HttpModule. It is all in a solution with a sample web app
just to demo how it could work when I am done. Basically there is just
a default.aspx page that does nothing more than show you who the user
requesting the page is. Add the querystring (?DCtrace=true) to the end of
the URL and out dumps the full token dump of the thread token and the
process token. My intention for this is to be able to troubleshoot
developer and production web servers experiencing authentication and
authorization craziness...
Check out a screen dump and download a zip of the solution here in my
blog.
[http://www.deploymentcentric.com/Blogs/joe/PermaLink.aspx?guid=5c549203-fa43-434d-84a0-a445a870cdbb]
Send me your questions and maybe I can get back to working on it.


I am hoping that the 2.0 framework will have some of these features
built in. IsInRole is nice but you have to know the roles ahead of
time. That is great for standard role based security.
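Listing every group in the token, rather than asking about roles you already know, is what the reflection and PInvoke approaches above are used for. As an added example, not from this thread and not Joe Shook's module, the following shows the same dump done with managed code only; it assumes .NET Framework 2.0 or later, where WindowsIdentity exposes a Groups collection of SecurityIdentifier objects (this property does not exist in the 1.1 framework the thread is about). The class name TokenGroupLister is a placeholder.

```csharp
// Added example (not from the thread). Requires .NET Framework 2.0 or later:
// WindowsIdentity.Groups and SecurityIdentifier.Translate are not in 1.1.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class TokenGroupLister
{
    // Returns DOMAIN\Group names for the group SIDs in the token. The
    // per-logon-session SID is skipped if present, and SIDs that no longer
    // map to an account (for example a deleted group) are kept in S-1-...
    // form so the dump stays complete instead of silently losing entries.
    public static List<string> ListGroups(WindowsIdentity identity)
    {
        List<string> names = new List<string>();
        if (identity == null || identity.Groups == null)
        {
            return names;
        }

        foreach (IdentityReference reference in identity.Groups)
        {
            SecurityIdentifier sid = reference as SecurityIdentifier;
            if (sid == null)
            {
                continue;
            }
            if (sid.IsWellKnown(WellKnownSidType.LogonIdsSid))
            {
                continue;   // logon SID is unique per session, not a real group
            }

            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value);   // unresolvable SID, keep the raw form
            }
        }

        names.Sort(StringComparer.OrdinalIgnoreCase);
        return names;
    }

    // Stand-alone usage: dump the groups of the current process/thread token.
    // In an ASP.NET page you would pass (WindowsIdentity)Context.User.Identity
    // instead, after checking that Context.User really is a WindowsPrincipal.
    public static void Main()
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Console.WriteLine("Token for: " + current.Name);
        foreach (string name in ListGroups(current))
        {
            Console.WriteLine("  " + name);
        }
    }
}
```

Translating each SID to a name does contact a domain controller for domain SIDs, so on a busy server cache the result or log only the raw SIDs; the membership decision itself (IsInRole) never needs the translation, since it compares SIDs already in the token.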
 

jzhu

One option is to use DataMarvel's wrapper for Win32 APIs:
http://www.DataMarvel.co
Using its NAccessToken wrapper with your current "WindowsIdentity.Token", you can call the "Groups" property, which returns all groups and their attributes, or simply call "UserGroups", which returns all the "regular" groups in "domain\user" format ("regular" means it ignores the "Logon SID" and all the restrictive groups). Its trial version has a sample solution that shows how to call them.
 
