Shaker #1
Get UserGroup of Active Directory to control the security
Hi,
I have an ASP.Net Intranet App with C#.
I don't need to ask users for their User and PWD since they are already
logged in.
This is achieved through the "<deny users="?" />" tag. No problem with it.
My concern now is to determine the user group that the user
belongs to,
to control the rest of the navigation on the site.
Please provide me with clear code to do that.
--
MCSD not .Net
Shaker Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: Get UserGroup of Active Directory to control the security
If you are using Windows authentication in ASP.NET, you can easily do basic
role-based security against the user's group membership using the
WindowsPrincipal class which is exposed as the IPrincipal object returned by
the User property on the HttpContext or Page class or the
Thread.CurrentPrincipal class for code that does not reference System.Web
such as a middle tier layer or something.
You just call the User.IsInRole method with the name of the group you are
interested in (in domain\group name format) and it will return true or
false.
Additionally, the allow and deny tags in web.config, which are used by the
UrlAuthorizationModule, can be used to declaratively allow and deny access
to certain parts of your page. Use the same syntax as above, e.g.
<allow roles="mydomain\mygroup"/>
Finally, you can use the PrincipalPermission and
PrincipalPermissionAttribute to achieve similar things, although I'm not a
big fan of the attribute as the principal name must be specified at compile
time.
HTH,
Joe K.
Joe Kaplan (MVP - ADSI) Guest
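The role check and the run-time permission demand described in the reply above, as an added example that is not part of the original thread. The Reports page class, the adminPanel control and the ManagersGroup appSettings key are hypothetical.

```csharp
using System;
using System.Configuration;            // reference System.Configuration.dll
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for a hypothetical Reports.aspx page.
public class Reports : Page
{
    protected Panel adminPanel;        // hypothetical control declared in the .aspx

    // Hypothetical appSettings key holding the group as domain\group,
    // e.g. mydomain\mygroup.
    private static string ManagersGroup
    {
        get { return ConfigurationManager.AppSettings["ManagersGroup"]; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // User is the WindowsPrincipal for the authenticated caller.
        // Show the admin navigation only to members of the group.
        adminPanel.Visible = User.IsInRole(ManagersGroup);
    }

    protected void DeleteReport_Click(object sender, EventArgs e)
    {
        // Hiding a control is not enforcement, so check again before acting.
        // The imperative PrincipalPermission takes the group name at run time;
        // PrincipalPermissionAttribute would need it as a compile-time constant.
        try
        {
            new PrincipalPermission(null, ManagersGroup).Demand();
        }
        catch (SecurityException)
        {
            throw new HttpException(403, "Forbidden");
        }
        // Caller is a member of the group: the privileged work goes here.
    }
}
```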
-
Shaker #3
Re: Get UserGroup of Active Directory to control the security
Thanks, this works fine.
But I still need a way to get user info besides a full tree of Usergroup from
AD without providing Password.
I'll get the user name using (User.Identity.Name) of page object.
Thanks again
Shaker Guest
-
Joe Kaplan (MVP - ADSI) #4
Re: Get UserGroup of Active Directory to control the security
Can you explain what you mean by "user info"? Your original question asked
about AD groups and I thought I answered that.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
Shaker #5
Re: Get UserGroup of Active Directory to control the security
User info such as Title, Extension, email, ... Department, ... etc.
Shaker Guest
-
Joe Kaplan (MVP - ADSI) #6
Re: Get UserGroup of Active Directory to control the security
Ah, that requires a query to AD.
Essentially, you just need to use the DirectorySearcher to query AD where
sAMAccountName equals the user's name from Context.User.Identity.Name (after
the domain prefix, e.g. domain\sAMAccountName). The filter would look like:
(sAMAccountName=userName)
The trick is going to be getting a security context that can query the
directory. If you use impersonation, you can use the user's own security
context to do that, but you'll need Kerberos delegation if you are using
Windows Integrated authentication. There is a good article here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Joe K.
Joe Kaplan (MVP - ADSI) Guest
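The DirectorySearcher query described in the reply above, as an added example that is not part of the original thread. The class and method names are hypothetical, and mapping "Extension" to the telephoneNumber attribute is an assumption; the search binds with whatever security context the thread has (the worker process identity, or the user's own under impersonation with delegation).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;        // reference System.DirectoryServices.dll
using System.Text;

public static class AdUserLookup       // hypothetical helper, not from the thread
{
    // Escape the characters RFC 4515 reserves in LDAP filter values so the
    // logon name is always treated as data, never as filter syntax.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // identityName is Context.User.Identity.Name, e.g. "mydomain\jsmith".
    public static Dictionary<string, string> GetUserInfo(string identityName)
    {
        // Keep only the part after the domain prefix (whole string if none).
        string sam = identityName.Substring(identityName.IndexOf('\\') + 1);
        // Attribute choice is an assumption: telephoneNumber stands in for "Extension".
        string[] attrs = { "title", "telephoneNumber", "mail", "department" };
        Dictionary<string, string> info = new Dictionary<string, string>();

        // With no SearchRoot set, the search starts at the root of the current
        // domain and uses the thread's credentials; no password is supplied.
        using (DirectorySearcher searcher = new DirectorySearcher())
        {
            searcher.Filter = "(sAMAccountName=" + EscapeFilterValue(sam) + ")";
            searcher.PropertiesToLoad.AddRange(attrs);   // fetch only what is needed
            SearchResult result = searcher.FindOne();
            if (result == null) return info;             // no such account
            foreach (string a in attrs)
                if (result.Properties.Contains(a))
                    info[a] = Convert.ToString(result.Properties[a][0]);
        }
        return info;
    }
}
```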