ASP.NET with ADirectory role based authentication

[naijacoder naijacoder]

Hi Everyone,
I have some Questions relating to Active Directory and
Asp.net.
1)I have created a role based authorisation using SQL Server but i want
to use
Active Directory as a datastore now?
2)Now if i want to allow the user to login credentials against the
Active directory and then
implementing the roles i have in my Database would i need to have roles
in my Active Directory?
3)What i really want to do is FOR my users to login using their
username(windows logon) authenticate them against Active Directory after
authentication ..then authorization depending on their ROLES and then
redirecting them to the resources they are allowed to browse on.
4)Now i'm authenticating against my database with username and pwd.And i
created some Roles in the Database for my authorisation.But i want to
authenticate using Active Directory and then Authorisation..
But if i have to use Active Directory for authorisation wil i have to
have ROLES in my active Directory?

Thanks in advance and waiting for all ideas,arcticlea and resources...


*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Mohamed Sharaf]

Hi naijacoder,
I think you can find this KB aricle useful
How To Use Forms Authentication with Active Directory
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html[/url]
/secmod16.asp

Regards,
Mohamed Sharaf
MEA Developer Support Center
ITWorx on behalf Microsoft EMEA GTSC

[naijacoder naijacoder]

Thanks very much for the reply and for the article but
i have made a form authentication already with ADirectory and its
working FINE!
But what i want to do now is to authenticate against a particular GROUP
for example Security in Active Directory.
For example a USER A logs in and he is not in the group called security
he shouldn't have access and if he is in the GROUP Security then he
should be authenticated.
I was thinking about using ROLES in Active Directory but my Question is
that can i have roles created in Windows 2000 server Active
Directory?And if i can can i use form authentication directly to the
ROLES in Actice Directory!!.
Thnaks in advance and all ideas are welcome.





*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Joe Kaplan \(MVP - ADSI\)]

This is easiest to do if you use Windows authentication in IIS against AD.
When you do that, ASP.NET will create a WindowsPrincipal object in the
Context.User property that is used for providing identity and authorization
services to your application. The IsInRole method in WindowsPrincipal will
return true or false based on the user's AD group membership. You supply
the group names in the form "domain\group name".

If you don't use Windows authentication and decide to use Form
Authentication against AD (which I don't recommend), then you need to
compute the user's group membership programmatically and create the
appropriate IPrincipal object.

Joe K.

"naijacoder naijacoder" <naijacoder@toughguy.net> wrote in message
news:uvWjVJ1iEHA.3232@TK2MSFTNGP10.phx.gbl...

> Thanks very much for the reply and for the article but
> i have made a form authentication already with ADirectory and its
> working FINE!
> But what i want to do now is to authenticate against a particular GROUP
> for example Security in Active Directory.
> For example a USER A logs in and he is not in the group called security
> he shouldn't have access and if he is in the GROUP Security then he
> should be authenticated.
> I was thinking about using ROLES in Active Directory but my Question is
> that can i have roles created in Windows 2000 server Active
> Directory?And if i can can i use form authentication directly to the
> ROLES in Actice Directory!!.
> Thnaks in advance and all ideas are welcome.
>
>
>
>
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
> Don't just participate in USENET...get rewarded for it!

[Paul Clement]

On Thu, 26 Aug 2004 02:51:59 -0700, naijacoder naijacoder <naijacoder@toughguy.net> wrote:

¤ Thanks very much for the reply and for the article but
¤ i have made a form authentication already with ADirectory and its
¤ working FINE!
¤ But what i want to do now is to authenticate against a particular GROUP
¤ for example Security in Active Directory.
¤ For example a USER A logs in and he is not in the group called security
¤ he shouldn't have access and if he is in the GROUP Security then he
¤ should be authenticated.
¤ I was thinking about using ROLES in Active Directory but my Question is
¤ that can i have roles created in Windows 2000 server Active
¤ Directory?And if i can can i use form authentication directly to the
¤ ROLES in Actice Directory!!.
¤ Thnaks in advance and all ideas are welcome.
¤

The link posted by Mohamed has a subtopic link (in the Contents section) to a function that
enumerates the user's group membership:

Develop LDAP Group Retrieval Code to Look Up the User's Group Membership
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod16.asp[/url]


Paul ~~~ [email]pclement@ameritech.net[/email]
Microsoft MVP (Visual Basic)

[Joe Kaplan \(MVP - ADSI\)]

Additionally, you can use Google groups to find some other examples of doing
the group lookup properly. The example in the article provided by Paul is
okay, but it has a few flaws in it that could cause you trouble. I've
written about it here pretty extensively. Until I am successful at getting
the PAG guys to update the article with better code, you'll have to find it
via other sources. TokenGroups is the keyword.

Joe K.

"Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
news:dn5si0pv1ngp9f944btlm7lptf0fo5ktbc@4ax.com...

> On Thu, 26 Aug 2004 02:51:59 -0700, naijacoder naijacoder

<naijacoder@toughguy.net> wrote:

>
> ¤ Thanks very much for the reply and for the article but
> ¤ i have made a form authentication already with ADirectory and its
> ¤ working FINE!
> ¤ But what i want to do now is to authenticate against a particular GROUP
> ¤ for example Security in Active Directory.
> ¤ For example a USER A logs in and he is not in the group called security
> ¤ he shouldn't have access and if he is in the GROUP Security then he
> ¤ should be authenticated.
> ¤ I was thinking about using ROLES in Active Directory but my Question is
> ¤ that can i have roles created in Windows 2000 server Active
> ¤ Directory?And if i can can i use form authentication directly to the
> ¤ ROLES in Actice Directory!!.
> ¤ Thnaks in advance and all ideas are welcome.
> ¤
>
> The link posted by Mohamed has a subtopic link (in the Contents section)

to a function that

> enumerates the user's group membership:
>
> Develop LDAP Group Retrieval Code to Look Up the User's Group Membership
>

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod16.asp[/url]

>
>
> Paul ~~~ [email]pclement@ameritech.net[/email]
> Microsoft MVP (Visual Basic)

[naijacoder naijacoder]

I have used the article below thx for the link.
But when i want to see the list of groups the authenticated user is a
member of,and my adding the code
"Response.Write("Groups: " + authTicket.UserData + "<br>");
at theApplication_AuthenticateRequest event handler in the
global.aspx.cs file.
I don't see any GROUPS listed.
And when i paste it into my Default.aspx it says error:-
Name 'authTicket' is not declared.
Any help for this from you GUYS.
And by the way i looking for an article :-
How To Use Windows Authentication with Active Directory(incuding Role
based authorization for users depending on their security groups in the
Active Directory).
Thanks in Advance


[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/[/url]
html/secmod16.asp


*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Mohamed Sharaf]

Hi,
You need to do two things
1) Write a function to retrieve the groups of the user
(you can find a sample here
[url]http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx[/url])

2)In the Application_AuthenticateRequest, you need to build your user data
by adding the groups you got from the previous step to the principal object.
All the steps you can find it in this MSDN article.
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/act[/url]
ive_directory_authentication_from_asp__net.asp

I hope that helps
Mohamed Sharaf
MEA Developer Support Center
ITWorx on behalf Microsoft EMEA GTSC

[naijacoder naijacoder]

Thanks Mohamed for the link and info.
Are u advicing to add my GROUPS to the code
below(Application_AuthenticateRequest)?
I have retrieved the list of the GROUPS i want to use but where and how
below should i add the GROUP name?
Thanks in Advance!

void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];

if(null == authCookie)
{
//There is no authentication cookie.
return;
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
//Write the exception to the Event Log.
return;
}
if(null == authTicket)
{
//Cookie failed to decrypt.
return;
}
//When the ticket was created, the UserData property was assigned a
//pipe-delimited string of group names.
String[] groups = authTicket.UserData.Split(new char[]{'|'});
//Create an Identity.
GenericIdentity id = new GenericIdentity(authTicket.Name,
"LdapAuthentication");
//This principal flows throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, groups);
Context.User = principal;
}



*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Mohamed Sharaf]

Yes, you need to add the groups names to the principal to give your code
the ability to use IsInRole method of the GenericPrincipal class

Best regards,
Mohamed Sharaf
MEA Developer Support Center
ITWorx on behalf Microsoft EMEA GTSC