User Authentication, Active Directory and more (help)


  1. #1

    User Authentication, Active Directory and more (help)

    Hi,

    Can a .NET application make use of the information within the Active
    Directory in order to Authenticate and Authorize users?

    For example, users from a specific group have been authorized to use a
    number of features in the application while users from another group
    have not.

    I know there is something called Code Access Security, but there seem to
    be classes for the Active Directory Services and classes for something
    called Windows Principal.

    I wonder if someone could get me started with this.

    Another thing is, can devices running the Compact Framework
    be authenticated and authorized in the same way (since they don't have a
    user logged on)? Can they be a valid member of a domain?


    Thnx.
    Timothy Parez Guest

  3. #2

    Re: User Authentication, Active Directory and more (help)

    Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    AD) for authentication and authorization.

    The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    classes. WindowsIdentity represents the Windows user and is basically a
    wrapper around the Windows login token. WindowsPrincipal contains a
    WindowsIdentity and provides the ability to do role-based authorization
    against a user's Windows groups by calling the IsInRole method with the
    Windows group name. You can get the current WindowsIdentity at any time by
    calling WindowsIdentity.GetCurrent().

    The WindowsPrincipal class can be associated automatically with the
    currently executing thread as well. The mechanism for doing this is
    different depending on whether it is an ASP.NET or WinForms/Console app.
    This association allows you to take advantage of the
    PrincipalPermissionAttribute for doing declarative security in .NET. There
    is quite a bit of explanation of this stuff that you can find in MSDN if you
    need specifics, or you can ask here.

    Joe K.

    "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    news:X6CdnTDpUNfLs0zdRVn-jA@scarlet.biz...
    > Hi,
    >
    > Can a .NET application make use of the information within the Active
    > Directory in order to Authenticate and Authorize users?
    >
    > For example, users from a specific group have been authorized to use a
    > number of features in the application while users from another group
    > have not.
    >
    > I know there is something called Code Access Security, but there seem to
    > be classes for the Active Directory Services and classes for something
    > called Windows Principal.
    >
    > I wonder if someone could get me started with this.
    >
    > Another thing is, can devices running the Compact Framework
    > be authenticated and authorized in the same way (since they don't have a
    > user logged on)? Can they be a valid member of a domain?
    >
    >
    > Thnx.

    Joe Kaplan (MVP - ADSI) Guest
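    The WindowsIdentity / WindowsPrincipal / PrincipalPermissionAttribute mechanics described in the reply above, as an added example (not code from the thread or from MSDN). It targets the .NET Framework, and the group name EXAMPLE\AppAdmins is a placeholder; it also shows the domain-qualified group form that IsInRole needs, the point the thread returns to at its end.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: imperative and declarative role checks against the caller's
// Windows groups. "EXAMPLE\AppAdmins" is a placeholder; use a real domain\group.
class RoleCheckDemo
{
    const string AdminGroup = @"EXAMPLE\AppAdmins";   // placeholder group name

    // Imperative check: wrap the current Windows token in a WindowsPrincipal and
    // ask whether the token carries the group's SID.
    static bool CallerIsAppAdmin()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(id);
        // Group names must be domain-qualified ("DOMAIN\Group"). A bare
        // "AppAdmins" never matches, so IsInRole silently returns false.
        return principal.IsInRole(AdminGroup);
    }

    // Declarative check: the runtime demands the role from Thread.CurrentPrincipal
    // before the body runs, so the principal must be attached to the thread first.
    [PrincipalPermission(SecurityAction.Demand, Role = AdminGroup)]
    static void DeleteInventoryItem(string barcode)
    {
        Console.WriteLine("Deleting item {0}", barcode);
    }

    static void Main()
    {
        // In a WinForms/console app you attach the principal yourself; ASP.NET
        // does it per request when <authentication mode="Windows"/> is set.
        Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

        Console.WriteLine("Running as: {0}", WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Member of {0}: {1}", AdminGroup, CallerIsAppAdmin());

        try
        {
            DeleteInventoryItem("0123456789012");   // constructed sample barcode
        }
        catch (SecurityException ex)
        {
            // The demand failed: the caller is not in the required group.
            Console.WriteLine("Denied: {0}", ex.Message);
        }
    }
}
```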

  4. #3

    Re: User Authentication, Active Directory and more (help)

    Joe Kaplan (MVP - ADSI) wrote:
    > Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    > AD) for authentication and authorization.
    >
    > The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    > classes. WindowsIdentity represents the Windows user and is basically a
    > wrapper around the Windows login token. WindowsPrincipal contains a
    > WindowsIdentity and provides the ability to do role-based authorization
    > against a user's Windows groups by calling the IsInRole method with the
    > Windows group name. You can get the current WindowsIdentity at any time by
    > calling WindowsIdentity.GetCurrent().
    >
    > The WindowsPrincipal class can be associated automatically with the
    > currently executing thread as well. The mechanism for doing this is
    > different depending on whether it is an ASP.NET or WinForms/Console app.
    > This association allows you to take advantage of the
    > PrincipalPermissionAttribute for doing declarative security in .NET. There
    > is quite a bit of explanation of this stuff that you can find in MSDN if you
    > need specifics, or you can ask here.
    >
    > Joe K.
    >
    What about the PocketPC? How would I fit it into this scenario, because the
    PocketPCs will be used to scan barcodes and insert items into the database
    (with that barcode as the key).
    Timothy Parez Guest

  5. #4

    Re: User Authentication, Active Directory and more (help)

    Ah, forgot that part. I'm not a CF programmer, so I don't know the details,
    but the Framework reference doesn't say WindowsIdentity is supported on CF,
    so you may be SOL. My guess is that PocketPC doesn't support Windows
    security (you don't log onto the domain on one of those, do you?), so that's
    why it is excluded.

    I'm not sure what to tell you to do on Pocket PC, sorry. It doesn't even
    look like any of the classes in System.Security.Principal are in the CF, so
    you may have to roll your own.

    Joe K.

    "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    news:40D1D8AC.2070500@users.sourceforge.net...
    > Joe Kaplan (MVP - ADSI) wrote:
    > > Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    > > AD) for authentication and authorization.
    > >
    > > The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    > > classes. WindowsIdentity represents the Windows user and is basically a
    > > wrapper around the Windows login token. WindowsPrincipal contains a
    > > WindowsIdentity and provides the ability to do role-based authorization
    > > against a user's Windows groups by calling the IsInRole method with the
    > > Windows group name. You can get the current WindowsIdentity at any time by
    > > calling WindowsIdentity.GetCurrent().
    > >
    > > The WindowsPrincipal class can be associated automatically with the
    > > currently executing thread as well. The mechanism for doing this is
    > > different depending on whether it is an ASP.NET or WinForms/Console app.
    > > This association allows you to take advantage of the
    > > PrincipalPermissionAttribute for doing declarative security in .NET. There
    > > is quite a bit of explanation of this stuff that you can find in MSDN if you
    > > need specifics, or you can ask here.
    > >
    > > Joe K.
    > >
    >
    > What about the PocketPC? How would I fit it into this scenario, because the
    > PocketPCs will be used to scan barcodes and insert items into the database
    > (with that barcode as the key).

    Joe Kaplan (MVP - ADSI) Guest

  6. #5

    Re: User Authentication, Active Directory and more (help)

    Would the following be possible:

    On the server I could have an XML Web Service which takes a Windows
    username and password as parameters for a "login" function.
    Can this be done?

    Thnx
    (Sorry for the endless questions)


    Joe Kaplan (MVP - ADSI) wrote:
    > Ah, forgot that part. I'm not a CF programmer, so I don't know the details,
    > but the Framework reference doesn't say WindowsIdentity is supported on CF,
    > so you may be SOL. My guess is that PocketPC doesn't support Windows
    > security (you don't log onto the domain on one of those, do you?), so that's
    > why it is excluded.
    >
    > I'm not sure what to tell you to do on Pocket PC, sorry. It doesn't even
    > look like any of the classes in System.Security.Principal are in the CF, so
    > you may have to roll your own.
    >
    > Joe K.
    >
    > "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    > news:40D1D8AC.2070500@users.sourceforge.net...
    >
    >> Joe Kaplan (MVP - ADSI) wrote:
    >>
    >>> Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    >>> AD) for authentication and authorization.
    >>>
    >>> The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    >>> classes. WindowsIdentity represents the Windows user and is basically a
    >>> wrapper around the Windows login token. WindowsPrincipal contains a
    >>> WindowsIdentity and provides the ability to do role-based authorization
    >>> against a user's Windows groups by calling the IsInRole method with the
    >>> Windows group name. You can get the current WindowsIdentity at any time by
    >>> calling WindowsIdentity.GetCurrent().
    >>>
    >>> The WindowsPrincipal class can be associated automatically with the
    >>> currently executing thread as well. The mechanism for doing this is
    >>> different depending on whether it is an ASP.NET or WinForms/Console app.
    >>> This association allows you to take advantage of the
    >>> PrincipalPermissionAttribute for doing declarative security in .NET. There
    >>> is quite a bit of explanation of this stuff that you can find in MSDN if you
    >>> need specifics, or you can ask here.
    >>>
    >>> Joe K.
    >>>
    >>
    >> What about the PocketPC? How would I fit it into this scenario, because the
    >> PocketPCs will be used to scan barcodes and insert items into the database
    >> (with that barcode as the key).
    Timothy Parez Guest

  7. #6

    Re: User Authentication, Active Directory and more (help)

    Sure, you could do that and return some sort of cookie/token that could be
    passed in subsequent messages. You might want to check out how ASP.NET
    forms authentication works as it does really similar stuff and they have
    already thought through a lot of the security issues.

    To validate the credentials on the server side, you could use
    System.DirectoryServices to validate via LDAP or use the LogonUser API to
    actually try to log the user on to Windows. It depends on what you need to
    do, but either might be appropriate solutions.

    Another nice thing is that the role-based authorization framework IS
    available in regular Windows, so you can do role-based authorization in your
    Web Services.

    Without knowing more about your application architecture, it is hard to make
    really good suggestions about how you should proceed, but hopefully this is
    still helpful.

    Joe K.


    "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    news:C_mdndIxROF64U_dRVn-sA@scarlet.biz...
    > Would the following be possible:
    >
    > On the server I could have an XML Web Service which takes a Windows
    > username and password as parameters for a "login" function.
    > Can this be done?
    >
    > Thnx
    > (Sorry for the endless questions)
    >
    >
    > Joe Kaplan (MVP - ADSI) wrote:
    > > Ah, forgot that part. I'm not a CF programmer, so I don't know the details,
    > > but the Framework reference doesn't say WindowsIdentity is supported on CF,
    > > so you may be SOL. My guess is that PocketPC doesn't support Windows
    > > security (you don't log onto the domain on one of those, do you?), so that's
    > > why it is excluded.
    > >
    > > I'm not sure what to tell you to do on Pocket PC, sorry. It doesn't even
    > > look like any of the classes in System.Security.Principal are in the CF, so
    > > you may have to roll your own.
    > >
    > > Joe K.
    > >
    > > "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    > > news:40D1D8AC.2070500@users.sourceforge.net...
    > >
    > >> Joe Kaplan (MVP - ADSI) wrote:
    > >>
    > >>> Yes, .NET can make use of any Windows account (local machine, NT4 domain or
    > >>> AD) for authentication and authorization.
    > >>>
    > >>> The built-in support for this is in the WindowsIdentity and WindowsPrincipal
    > >>> classes. WindowsIdentity represents the Windows user and is basically a
    > >>> wrapper around the Windows login token. WindowsPrincipal contains a
    > >>> WindowsIdentity and provides the ability to do role-based authorization
    > >>> against a user's Windows groups by calling the IsInRole method with the
    > >>> Windows group name. You can get the current WindowsIdentity at any time by
    > >>> calling WindowsIdentity.GetCurrent().
    > >>>
    > >>> The WindowsPrincipal class can be associated automatically with the
    > >>> currently executing thread as well. The mechanism for doing this is
    > >>> different depending on whether it is an ASP.NET or WinForms/Console app.
    > >>> This association allows you to take advantage of the
    > >>> PrincipalPermissionAttribute for doing declarative security in .NET. There
    > >>> is quite a bit of explanation of this stuff that you can find in MSDN if you
    > >>> need specifics, or you can ask here.
    > >>>
    > >>> Joe K.
    > >>>
    > >>
    > >> What about the PocketPC? How would I fit it into this scenario, because the
    > >> PocketPCs will be used to scan barcodes and insert items into the database
    > >> (with that barcode as the key).

    Joe Kaplan (MVP - ADSI) Guest

  8. #7

    Re: User Authentication, Active Directory and more (help)

    Hey,

    Thnx for all the information.

    I would like to ask you for some more help :)

    I tried using the following in my web.config file, but it doesn't really work:

    <system.web>
        <authentication mode="Windows"/>
        <authorization>
            <allow roles="Admins" />
            <deny users="*" />
        </authorization>
    </system.web>

    I have also played with these values, but either I get a logon screen
    but I can never logon, or I don't get a logon screen and get a page that
    I'm not authorized to view that page right away.

    In any case I don't think this will be the best option for me.

    Using the DirectoryServices namespace, can I take a username and
    password and validate it against the AD from my code?

    i.e. is there something like (I know it seems stupid, but I must ask):

    if (User.Authenticate("username", "password"))
    {
        MessageBox.Show("Welcome");
    }
    else
    {
        MessageBox.Show("Try again m8");
    }

    This would be a lot better than the logon provided by ASP.NET (more
    compatible and usable in code)

    Thnx for your help.

    Timothy.
    Timothy Parez Guest

  9. #8

    Re: User Authentication, Active Directory and more (help)

    When you are using Windows authentication in IIS and ASP.NET, the roles in
    the IPrincipal that gets created will be Windows groups, so they will be of
    the form Domain\Group Name.

    In order to make sure you are using Windows authentication in IIS, you must
    disable anonymous access and enable Basic, Digest or Integrated
    authentication. Don't use Basic without SSL or you will be passing
    credentials in plain text over the network. In ASP.NET, you need to make
    sure the authentication tag in web.config is set to Windows (which is the
    default).

    In order to authenticate users in Active Directory, the IIS server must be a
    member of the Active Directory domain.

    If you want to build your own authentication scheme using
    System.DirectoryServices or something, then you will also be responsible for
    building the IPrincipal object that contains the user's roles. This sample
    of Forms authentication with System.DirectoryServices is an okay starting
    point.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

    HTH,

    Joe K.

    "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    news:40D67AC6.7030502@users.sourceforge.net...
    > Hey,
    >
    > Thnx for all the information.
    >
    > I would like to ask you for some more help :)
    >
    > I tried using the following in my web.config file, but it doesn't really work:
    >
    > <system.web>
    >     <authentication mode="Windows"/>
    >     <authorization>
    >         <allow roles="Admins" />
    >         <deny users="*" />
    >     </authorization>
    > </system.web>
    >
    > I have also played with these values, but either I get a logon screen
    > but I can never logon, or I don't get a logon screen and get a page that
    > I'm not authorized to view that page right away.
    >
    > In any case I don't think this will be the best option for me.
    >
    > Using the DirectoryServices namespace, can I take a username and
    > password and validate it against the AD from my code?
    >
    > i.e. is there something like (I know it seems stupid, but I must ask):
    >
    > if (User.Authenticate("username", "password"))
    > {
    >     MessageBox.Show("Welcome");
    > }
    > else
    > {
    >     MessageBox.Show("Try again m8");
    > }
    >
    > This would be a lot better than the logon provided by ASP.NET (more
    > compatible and usable in code)
    >
    > Thnx for your help.
    >
    > Timothy.

    Joe Kaplan (MVP - ADSI) Guest
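    The "build your own scheme with System.DirectoryServices" route described above, as an added example (not the KB sample and not code from the thread): validate the supplied username and password by binding to the directory with them, then build the IPrincipal that carries the user's groups as roles. The LDAP path, domain name EXAMPLE and group names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: an LDAP bind with the user's own credentials is the validation
// step; if the bind succeeds, the directory accepted the password.
static class AdLogin
{
    const string LdapPath = "LDAP://dc.example.local/DC=example,DC=local"; // placeholder
    const string Domain = "EXAMPLE";                                        // placeholder

    // Returns a principal whose roles are the user's group names, or null on failure.
    public static IPrincipal Authenticate(string userName, string password)
    {
        // Refuse empty passwords explicitly: a directory may treat a bind with an
        // empty password as anonymous and succeed, which would look like a valid
        // login for any existing username.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;

        string domainUser = Domain + "\\" + userName;
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(LdapPath, domainUser, password,
                                                            AuthenticationTypes.Secure))
            {
                object bound = root.NativeObject;   // forces the bind; throws on rejection

                using (DirectorySearcher searcher = new DirectorySearcher(root))
                {
                    // Escaped filter value: the username must not be able to change the query.
                    searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdap(userName) + "))";
                    searcher.PropertiesToLoad.Add("memberOf");
                    SearchResult result = searcher.FindOne();
                    if (result == null) return null;

                    List<string> roles = new List<string>();
                    foreach (string dn in result.Properties["memberOf"])
                    {
                        // memberOf holds DNs such as "CN=AppAdmins,OU=Groups,DC=example,DC=local";
                        // keep the CN so principal.IsInRole("AppAdmins") works.
                        int start = dn.IndexOf("CN=", StringComparison.OrdinalIgnoreCase) + 3;
                        int end = dn.IndexOf(',', start);
                        roles.Add(end < 0 ? dn.Substring(start) : dn.Substring(start, end - start));
                    }
                    return new GenericPrincipal(new GenericIdentity(userName, "LDAP"), roles.ToArray());
                }
            }
        }
        catch (COMException)
        {
            return null;   // bind rejected: wrong password, or a disabled/locked account
        }
    }

    // Escape the characters RFC 4515 reserves in filter values (LDAP injection guard).
    static string EscapeLdap(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                    .Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

    In an ASP.NET application the returned principal would be assigned to Context.User in Application_AuthenticateRequest, after which User.IsInRole("AppAdmins") and <allow roles="AppAdmins" /> in web.config operate on these role names rather than on Windows groups.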

  10. #9

    Re: User Authentication, Active Directory and more (help)

    Joe Kaplan (MVP - ADSI) wrote:
    > When you are using Windows authentication in IIS and ASP.NET, the roles in
    > the IPrincipal that gets created will be Windows groups, so they will be of
    > the form Domain\Group Name.
    >
    > In order to make sure you are using Windows authentication in IIS, you must
    > disable anonymous access and enable Basic, Digest or Integrated
    > authentication. Don't use Basic without SSL or you will be passing
    > credentials in plain text over the network. In ASP.NET, you need to make
    > sure the authentication tag in web.config is set to Windows (which is the
    > default).
    >
    > In order to authenticate users in Active Directory, the IIS server must be a
    > member of the Active Directory domain.
    >
    > If you want to build your own authentication scheme using
    > System.DirectoryServices or something, then you will also be responsible for
    > building the IPrincipal object that contains the user's roles. This sample
    > of Forms authentication with System.DirectoryServices is an okay starting
    > point.
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;326340
    >
    > HTH,
    >
    > Joe K.
    >
    > "Timothy Parez" <tpsoftware@users.sourceforge.net> wrote in message
    > news:40D67AC6.7030502@users.sourceforge.net...
    >
    >>Hey,
    >>
    >>Thnx for all the information.
    >>
    >>I would like to ask you for some more help :)
    >>
    >> I tried using the following in my web.config file, but it doesn't really work:
    >>
    >> <system.web>
    >>     <authentication mode="Windows"/>
    >>     <authorization>
    >>         <allow roles="Admins" />
    >>         <deny users="*" />
    >>     </authorization>
    >> </system.web>
    >>
    >>I have also played with these values, but either I get a logon screen
    >>but I can never logon, or I don't get a logon screen and get a page that
    >>I'm not authorized to view that page right away.
    >>
    >>In any case I don't think this will be the best option for me.
    >>
    >> Using the DirectoryServices namespace, can I take a username and
    >> password and validate it against the AD from my code?
    >>
    >> i.e. is there something like (I know it seems stupid, but I must ask):
    >>
    >> if (User.Authenticate("username", "password"))
    >> {
    >>     MessageBox.Show("Welcome");
    >> }
    >> else
    >> {
    >>     MessageBox.Show("Try again m8");
    >> }
    >>
    >>This would be a lot better than the logon provided by ASP.NET (more
    >>compatible and usable in code)
    >>
    >> Thnx for your help.
    >>
    >>Timothy.
    >
    >
    >
    Hey,

    I've got that working now,
    and I am now able to get the name from User.Identity in my ASP.NET page,
    but methods like IsInRole() seem to have no effect on it.

    Any suggestions?
    Timothy Parez Guest

  11. #10

    Re: User Authentication, Active Directory and more (help)

    How are you testing the IsInRole method? With Windows/Domain logins, the
    groups you use must be in the form "domain\group name".

    Joe K.
    >
    > Hey,
    >
    > I've got that working now,
    > and I am now able to get the name from User.Identity in my ASP.NET page,
    > but methods like IsInRole() seem to have no effect on it.
    >
    > Any suggestions?

    Joe Kaplan (MVP - ADSI) Guest
