Verify User Group from ASP.NET
Hello,
I'm a little uncertain about what I'm asking so please be gentle.
I (think) I want to be able to identify and authenticate the currently
logged on user against the Active Directory. We have a 2000 domain server
and 2000 clients on our network.
The idea behind it all is I am storing documents in a SQL database and have a
list of groups who can view them. If the currently logged on user is not in
one of those groups then they should not be permitted to open the document.
I'm using VB.NET in ASP.NET to develop with and would appreciate any ideas
of where to look for examples of what to do.
Thanks,
<M>ike
Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: Verify User Group from ASP.NET
If you are using Windows authentication with IIS and ASP.NET (anonymous
disabled in IIS, authentication set to Windows in web.config), then all you
have to do is call Context.User.IsInRole("domain\group name")
That will return true or false if the currently authenticated user is in the
group you specified. The Windows security system does all the heavy lifting
for you.
If you aren't using Windows auth, this is vastly more painful, but can be
done by looking up the user's groups programmatically.
Joe K.
"<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
news:ecv9ZtfWEHA.556@tk2msftngp13.phx.gbl...
> Hello,
>
> I'm a little uncertain about what I'm asking so please be gentle.
>
> I (think) I want to be able to identify and authenticate the currently
> logged on user against the Active Directory. We have a 2000 domain server
> and 2000 clients on our network.
>
> The idea behind it all is I am storing documents in a SQL database and have a
> list of groups who can view them. If the currently logged on user is not in
> one of those groups then they should not be permitted to open the document.
>
> I'm using VB.NET in ASP.NET to develop with and would appreciate any ideas
> of where to look for examples of what to do.
>
> Thanks,
>
> <M>ike
>
>
Joe Kaplan (MVP - ADSI) Guest
-
Re: Verify User Group from ASP.NET
Wow,
That's pretty simple. Compared to the old classic ASP days, it's a doddle!
Cheers,
<M>ike
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:et7p0JhWEHA.1380@TK2MSFTNGP09.phx.gbl...
> If you are using Windows authentication with IIS and ASP.NET (anonymous
> disabled in IIS, authentication set to Windows in web.config), then all you
> have to do is call Context.User.IsInRole("domain\group name")
>
> That will return true or false if the currently authenticated user is in the
> group you specified. The Windows security system does all the heavy lifting
> for you.
>
> If you aren't using Windows auth, this is vastly more painful, but can be
> done by looking up the user's groups programmatically.
>
> Joe K.
>
> "<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
> news:ecv9ZtfWEHA.556@tk2msftngp13.phx.gbl...
> > Hello,
> >
> > I'm a little uncertain about what I'm asking so please be gentle.
> >
> > I (think) I want to be able to identify and authenticate the currently
> > logged on user against the Active Directory. We have a 2000 domain server
> > and 2000 clients on our network.
> >
> > The idea behind it all is I am storing documents in a SQL database and have a
> > list of groups who can view them. If the currently logged on user is not in
> > one of those groups then they should not be permitted to open the document.
> >
> > I'm using VB.NET in ASP.NET to develop with and would appreciate any ideas
> > of where to look for examples of what to do.
> >
> > Thanks,
> >
> > <M>ike
> >
> >
>
Guest
-
Re: Verify User Group from ASP.NET
Ok,
A slight variant of the same theme, if (for example) that I (current logged
on user) am a member of the Administrators group and I use the IsInRole test
against a subgroup that I have not been explicitly added to but still have
higher permissions than I will get 'False' as the result. Is there a way of
testing overall permissions rather than explicit group names, or does this
then start to get into problems?
<M>ike
Guest
-
Joe Kaplan (MVP - ADSI) #5
Re: Verify User Group from ASP.NET
It sounds like what you want to do is roll up your AD groups into
application-specific role descriptions. For example, you might want to put
domain\admins1, domain\admins2 and domain\admins3 into a role in your
application called Administrators.
If that is what you want and you are using Win2K3 server for your web
server, the best thing to check out is Authorization Manager (AzMan). It
allows you to build application specific roles, tasks and operations and map
them to users and groups at runtime.
You could also build something similar in ASP.NET, but you'd have to write
it yourself. One thing you might do is write an HttpModule that examines
the WindowsPrincipal returned by the Windows authentication module and maps
the user name and Windows groups into application specific roles. You would
then create a new IPrincipal object (probably based on the GenericPrincipal
class, but you can write your own easily if you want) that contains your
application specific roles. Then, you would test against those roles in
your application instead of the groups directly.
Such a thing is more work, but might be worth it. Unfortunately I don't
have a sample to point you towards. However, the .NET role-based
authorization framework is very flexible and doing this kind of stuff is not
very hard.
Joe K.
"<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
news:OkAS$epWEHA.1368@TK2MSFTNGP10.phx.gbl...
> Ok,
>
> A slight variant of the same theme, if (for example) that I (current logged
> on user) am a member of the Administrators group and I use the IsInRole test
> against a subgroup that I have not been explicitly added to but still have
> higher permissions than I will get 'False' as the result. Is there a way of
> testing overall permissions rather than explicit group names, or does this
> then start to get into problems?
> then start to get into problems?
>
> <M>ike
>
>
Joe Kaplan (MVP - ADSI) Guest
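
Added example, not part of the thread and not code from either poster: a sketch of the HttpModule approach described in the reply above, which swaps the WindowsPrincipal for a GenericPrincipal carrying application roles, plus a check of a document's allowed roles as in the original question. The names `AppRoleModule`, `CanOpen`, `DocumentReaders` and `domain\staff` are hypothetical, and `PostAuthenticateRequest` assumes .NET 2.0 or later.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web

Public Class AppRoleModule
    Implements IHttpModule

    ' Hypothetical mapping: application role -> Windows groups that grant it.
    Private Shared ReadOnly RoleMap As New Dictionary(Of String, String())

    Shared Sub New()
        RoleMap.Add("Administrators", New String() {"domain\admins1", "domain\admins2", "domain\admins3"})
        RoleMap.Add("DocumentReaders", New String() {"domain\staff"})
    End Sub

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        ' Runs after the Windows authentication module has set Context.User.
        AddHandler app.PostAuthenticateRequest, AddressOf OnPostAuthenticate
    End Sub

    Private Sub OnPostAuthenticate(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = DirectCast(sender, HttpApplication).Context
        Dim winUser As WindowsPrincipal = TryCast(ctx.User, WindowsPrincipal)
        ' Fail closed: anonymous or non-Windows principals get no application roles.
        If winUser Is Nothing OrElse Not winUser.Identity.IsAuthenticated Then Return
        Dim roles As New List(Of String)
        For Each entry As KeyValuePair(Of String, String()) In RoleMap
            For Each grp As String In entry.Value
                If winUser.IsInRole(grp) Then
                    roles.Add(entry.Key)
                    Exit For
                End If
            Next
        Next
        ctx.User = New GenericPrincipal(winUser.Identity, roles.ToArray())
    End Sub

    ' allowedRoles: the role names stored with the document row in SQL.
    Public Shared Function CanOpen(ByVal user As IPrincipal, ByVal allowedRoles As IEnumerable(Of String)) As Boolean
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return False
        For Each role As String In allowedRoles
            If user.IsInRole(role) Then Return True
        Next
        Return False
    End Function
    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub
End Class
```

The module has to be registered under `<httpModules>` in web.config, with Windows authentication enabled and anonymous access disabled in IIS as described earlier in the thread. After it runs, `Context.User.IsInRole("Administrators")` tests the application role rather than a single AD group.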




