Active Directory - groups and permissions
I'm creating an intranet site that uses Forms authentication to validate users against an Active Directory. Users need to be able to log in both from work and remotely. Then I want to be able to do two things: (1) check whether a user is in an AD group and (2) enforce NTFS permissions based on AD username.
First scenario: "Joe" logs in to the web site from home using his domain username and password. Joe should see certain content on the web site based on his AD group membership. Let's say he's in Marketing, so I'd like to be able to check whether User.IsInRole("Marketing"). Right now when I try that, I get a message saying: "Method is only supported if the user name parameter matches the user name in the current Windows Identity." Is this because I've set the app to use the AspNetWindowsTokenRoleProvider? Does that only work if he is physically logged into a computer on the AD domain? Is there a way to emulate the Windows Identity? Or should I be using a different role provider?
Second scenario: Joe has certain permissions to network resources that need to be enforced. For example, a web folder (WebDAV) with financial data allows members in group "Marketing" read access only. It is enforced when he physically logs into the AD domain at work, but it should also be enforced when he logs in from the road. Right now I'm using <identity impersonate="true"/> - hoping it will use his username "Joe" rather than the ASP.NET worker process to access that folder. Is that the right way to approach the problem?
Currently I'm developing the site on a Windows XP machine using VS2005 and the built-in ASP web server. The production web server will be Windows 2003, and the AD domain itself is Windows 2000. Any help is much appreciated. Here are the relevant snippets from my web.config file:
<add name="ADConnectionString" connectionString="LDAP://machine.domain.com/CN=Users,DC=machine,DC=domain,DC=com" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<forms name=".ADAuthCookie" timeout="10" />
<deny users="?" />
<allow users="*" />
<add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" connectionUsername="domain\user" connectionPassword="password" attributeMapUsername="sAMAccountName" enableSearchMethods="true" />
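The error quoted in the first scenario comes from AspNetWindowsTokenRoleProvider, which answers IsInRole only for the WindowsIdentity of the current request; a forms-authenticated user carries a FormsIdentity, not a Windows token, so the provider refuses regardless of where Joe logs in from (the same applies to `<identity impersonate="true"/>`, which needs a Windows token to impersonate). One way to check group membership without a Windows token is to ask the directory directly over LDAP. The following is an added example, not code from the question above: a small helper using System.DirectoryServices that looks up the user's `memberOf` attribute with a dedicated read-only bind account. The class name AdGroupCheck, the method names and the parameters are assumptions; the LDAP path, bind account and group name would be whatever the site's own configuration holds.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Hypothetical helper (not part of the original question): resolves AD group
// membership over LDAP so the check does not depend on a WindowsIdentity,
// which forms authentication never produces.
public static class AdGroupCheck
{
    // Returns the distinguished names of the groups the user is a direct member of.
    // ldapPath is e.g. an LDAP:// path to the users container; bindUser/bindPassword
    // should belong to a dedicated service account with read-only directory rights.
    public static List<string> GetGroups(string ldapPath, string bindUser,
                                         string bindPassword, string samAccountName)
    {
        List<string> groups = new List<string>();
        // Secure binding negotiates Kerberos/NTLM instead of sending the password in clear.
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, bindUser, bindPassword,
                                                        AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the user-supplied account name so it cannot alter the LDAP filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null)
                return groups; // unknown user: no groups, caller treats as not authorised
            foreach (object dn in result.Properties["memberOf"])
                groups.Add(dn.ToString());
        }
        return groups;
    }

    // True if the user is a direct member of the group with the given CN (e.g. "Marketing").
    public static bool IsInGroup(string ldapPath, string bindUser, string bindPassword,
                                 string samAccountName, string groupName)
    {
        string prefix = "CN=" + groupName + ",";
        foreach (string dn in GetGroups(ldapPath, bindUser, bindPassword, samAccountName))
        {
            if (dn.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // RFC 4515 escaping for values embedded in an LDAP search filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

A call such as `AdGroupCheck.IsInGroup(ldapPath, bindUser, bindPassword, User.Identity.Name, "Marketing")` can sit behind a custom RoleProvider so that `User.IsInRole("Marketing")` keeps working from the page code. Two caveats: `memberOf` lists direct memberships only, so nested groups are not seen by this check, and the bind account's credentials should live in a protected configuration section rather than in plain text in web.config, since anyone who can read that file can then query the directory as that account.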