Wrox Programmer Forums
Go Back   Wrox Programmer Forums > ASP.NET and ASP > ASP.NET 2.0 > ASP.NET 2.0 Basics
ASP.NET 2.0 Basics If you are new to ASP or ASP.NET programming with version 2.0, this is the forum to begin asking questions. Please also see the Visual Web Developer 2005 forum.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 2.0 Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
Old May 1st, 2006, 04:58 PM
Registered User
Join Date: May 2006
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default Active Directory - groups and permissions

I'm creating an intranet site that uses Forms authentication to validate users against an Active Directory. Users need to be able to login both from work and remotely. Then I want to be able to do two things: (1) Check whether a user is in an AD group and (2) enforce NTFS permissions based on AD username.

First scenario: "Joe" logs in to the web site from home using his domain username and password. Joe should see certain content on the web site based on his AD group membership. Let's say he's in Marketing, so I'd like to be able to check whether User.IsInRole("Marketing"). Right now when I try that, I get a message saying: "Method is only supported if the user name parameter matches the user name in the current Windows Identity." Is this because I've set the app to use the AspNetWindowsTokenRoleProvider? Does that only work if he is physically logged into a computer on the AD domain? Is there a way to emulate the Windows Identity? Or should I be using a different role provider?

Second scenario: Joe has certain permissions to network resources that need to be enforced. For example, a web folder (WebDAV) with financial data allows members in group "Marketing" read access only. It is enforced when he physically logs into the AD domain at work, but it should also be enforced when he logs in from the road. Right now I'm using <identity impersonate="true"/> - hoping it will use his username "Joe" rather than the ASP.NET worker process to access that folder. Is that the right way to approach the problem?

Currently I'm developing the site on a Windows XP machine using VS2005 and the built-in ASP web server. The production web server will be Windows 2003, and the AD domain itself is Windows 2000. Any help is much appreciated. Here are the relevant snippets from my web.config file:

<add name="ADConnectionString" connectionString="LDAP://machine.domain.com/CN=Users,DC=machine,DC=domain,DC=com" />

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

<identity impersonate="true"/>

<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10" />

<deny users="?" />
<allow users="*" />

<membership defaultProvider="MyADMembershipProvider">
<add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershi pProvider" connectionStringName="ADConnectionString" connectionUsername="domain\user" connectionPassword="password" attributeMapUsername="sAMAccountName" enableSearchMethods="true" />

Old May 16th, 2006, 01:18 PM
Registered User
Join Date: May 2006
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts

Anyone have any tips on this? How about something in general about how to harness Active Directory on an ASP.NET 2.0 intranet?

Old May 17th, 2006, 03:20 PM
Authorized User
Join Date: Apr 2005
Posts: 94
Thanks: 0
Thanked 0 Times in 0 Posts

I haven't been able to get access to my company's LDAP server. That is kept under lock and key even from us hehe. I did do a work around but do not know how to help ya on the intranet side. Recently I was looking for help cause I was having issues with WindowsIdentity. The impersonate line fixed this. On the local domain if users are required to login and authenticate to your network then internally you can use WindowsIdentity to retrieve their login automatically and all their groups. Issue is it will be as a SID. But if you have the SIDs of your group anyway then you will be able to use that to control security.

Outside I cannot help you but if you turn windows Authentication on, it should prompt them from windows for login. Maybe some of the security experts can validate if trusting windows security is a cool idea or not. All my pages have been internal.

Similar Threads
Thread Thread Starter Forum Replies Last Post
get user groups from Active Directory PorcupineRabbit Classic ASP Professional 1 February 6th, 2007 08:09 PM
Users, Groups and Permissions owain SQL Language 17 November 3rd, 2006 07:44 PM
Creating directory with NTFS permissions eelisMX Pro VB.NET 2002/2003 0 May 10th, 2006 08:16 AM
Active Directory - Creating Groups r_ganesh76 ASP.NET 1.0 and 1.1 Professional 1 October 4th, 2004 06:43 AM
About Active Directory apalmero VS.NET 2002/2003 1 November 9th, 2003 01:06 PM

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.