Active Directory Authentication

>> For example, if someone is a member of a group they may continue, otherwise not?
Correct!!

>> DirectorySearcher and DirectoryEntry
Can you possible show me a quick example? Or do you know of any online tutorials that show you how to handle what you are explaining?

Thanks in advance!

Actually, if you just want to determine group membership even easier:

using System;
using System.Security.Principal;
 
public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write(IsMemberOf("YOURDOMAIN\\Domain Admins"));
    }
 
    private bool IsMemberOf(string GroupName)
    {
        GroupName = GroupName.Trim().ToLower();
 
        foreach (IdentityReference group in Request.LogonUserIdentity.Groups)
        {
            if (group.Translate(typeof(NTAccount)).Value.ToLower() == GroupName)
                return true;
        }
 
        return false;
    }
}
                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:

Well, I will plan on having them login to the application but I plan on adding certain users to certain groups. So I will have an OU in Active Directory called My Company and then a Group called Admins which i will then add certain users to the Admins Group. I then will have another Group called Users which i will once again add certain users to this group. If they are not part of Active Directory then they should see a Error message if they are a member and verified their credentials then they can proceed to the page they normal requested.

I wouldn't bother having them login.  Windows will handle that security when they press CTRL-ALT-DEL; disable Anonymous access on your website and enable Integrated Windows Authentication.

Ok, how would I code the two pages with different Groups to only restrict users based on the Groups?

As shown, with the IsMemberOf function (VB.Net version below).  In the Page_Load event check that they're a member of the required group, and if not redirect them to a nice-looking error page.

Imports System.Security.Principal
Partial Class _Default
    Inherits System.Web.UI.Page
 
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Not IsMemberOf("YOURDOMAIN\YourApp Admins") Then
            Response.Redirect("~/NotAuthorized.aspx")
        End If
    End Sub
 
    Private Function IsMemberOf(ByVal GroupName As String) As Boolean
        GroupName = GroupName.Trim().ToLower()
 
        For Each Group As IdentityReference In Request.LogonUserIdentity.Groups
            If Group.Translate(GetType(NTAccount)).Value.ToLower() = GroupName Then
                Return True
            End If
        Next
 
        Return False
    End Function
End Class
                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:

ok, i'm going to create an OU and two Groups to test this out with. Do i need to make any changes to the web.config file?

Do i need to add the Page_Load code for each page that needs to authenticate against a group?

No, you shouldn't need to make any changes to web.config as I recall - use a simple test page to make suer that Request.LogonUserIdentity.Name gives you the correct username.

And yes, you'll need to check this in each applicable page's Page_Load.  In my web app I used a global.asax, and inside of the Session_Start event I check username and group memberships, then set a Session variable - that way in the subsequent pages' Page_Load I can just check if Session["IsUser"] or Session["IsAdmin"] etc is set.

Hi tgerbert,

Ok, i ran the following code above after creating my OU along with two groups and two users per group. When i run the i first go to my index.aspx on the root of the application. I have a link called users.asxp and admin.aspx. If i select either link i get the following error message below.


The trust relationship between this workstation and the primary domain failed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.SystemException: The trust relationship between this workstation and the primary domain failed.


Source Error:


Line 14:
Line 15:         For Each Group As IdentityReference In Request.LogonUserIdentity.Groups
Line 16:             If Group.Translate(GetType(NTAccount)).Value.ToLower() = GroupName Then
Line 17:                 Return True
Line 18:             End If
 

Source File: C:\inetpub\wwwroot\AD Authentication\admin\index.aspx.vb    Line: 16

Stack Trace:


[SystemException: The trust relationship between this workstation and the primary domain failed.
]
   System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed) +1243
   System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean& someFailed) +47
   System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) +50
   System.Security.Principal.SecurityIdentifier.Translate(Type targetType) +129
   admin_index.IsMemberOf(String GroupName) in C:\inetpub\wwwroot\AD Authentication\admin\index.aspx.vb:16
   admin_index.Page_Load(Object sender, EventArgs e) in C:\inetpub\wwwroot\AD Authentication\admin\index.aspx.vb:7
   System.Web.UI.Control.OnLoad(EventArgs e) +115
   System.Web.UI.Control.LoadRecursive() +49
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2207

 

Hello,

I was able to get this code above to work, i replaced the response.redrect with a label control  saying "Access Denied".

How does the user enter there Username/Password. I don't see a box that pops up asking the user to enter there credentials, I have seen applications that use Integrated Authentication with a Widows Login box but this doesn't happen.

Also, I would like to COMPLETELY restrict access to the Admin/index.aspx and Users/index.aspx if a user is not part of the pages group in AD.

Hi tgerbert,

Are you still able to help me with this post?

Yup, just crawling outta bed. ;)

They enter their username/password when they press CTRL-ALT-DEL and log onto the computer; their Internet Explorer's are configured to automatically logon with their Windows username/password for web sites in the "Intranet Zone" (that behavior can be changed, on the client side, which is why you might see logon prompts for web sites using integrated Windows authentication).

You can use NTFS file permissions on the Admin/index.aspx and Users/index.aspx pages.

>> Yup, just crawling outta bed. ;)
Sorry :)

I'm going to send you a .txt file with the changes that i added to my web.config file along with the pages code and maybe you can take a look to see if i'm missing something.

Also, in IIS i enabled Windows Authentication and Anonymous Authentication and have all other authentications disabled. Is this okay or do i need to change something in IIS?

I also would like to ALWAYS prompt the user to enter there login credentials using the windows popup form when they try to access a restricted area.

Is there a way or place that i can also set a cookie for windows authentication?

>>  i enabled Windows Authentication and Anonymous Authentication and have all other authentications disabled. Is this okay or do i need to change something in IIS?

Make sure the pages you want to restrict access to have appropriate NTFS permissions set (i.e. the anonymous user can't read them). If you want to support browsers other than Internet Explorer I think you'll need to enable Basic authentication.



>> I also would like to ALWAYS prompt the user to enter there login credentials using the windows popup form when they try to access a restricted area.

Not gonna happen (not easily).  Even if you wrote your own authentication system using Web Forms, the clients' Internet Explorer will happily save the username/password, meaning a passer-by could still sit-down at an admins workstation and get access without knowing the password.  Although, if you want to pursue that route you can forcibly set some of the options in Internet Explorer to prevent automatic logon for sites in the Local Intranet or Trusted Zones (whichever the case may be).  Your other option would be to prompt for the users' current Windows password and then either using the LogonUser API function, or attempting to start a process (like notepad.exe) as that user with the supplied password.  Or, lastly, if you want to get away from using the Active Directory user database, create your own forms-based authentication system.



>> Is there a way or place that i can also set a cookie for windows authentication?

What do you mean by this?

ok, is there a way that i can display an error page if the user trys to access a restricted page but does not succeed?

For example, user visits index.aspx and clicks on the link labeled Admin which is located admin/index.aspx the windows logon box pops up and the user enters invalid credentials can i then send them to an error page stating that they supplied incorrect credentials or will the application just not allow them to access this page?

I'm use to useing SQL for authenication along with the SQL membership and Roles provider but my network admin wants me to use AD instead.

Hi tgerbert,

Well, i thought i had it working but i don't now :( I'm not even sure where to begin as for setting this up. Any help would be greatly appreciated.

are you able to help any further??

Yup, got my own stuff to take care of too. ;)

You can use ASP.Net's built-in Role Management system, I prefer not to as a matter of personal preference, but you may/may not find it easier to grant/deny access to pages; although doing so makes the pretty error page slightly more tricky, you can find more on that here: http://flimflan.com/blog/HttpModuleToAllowACustomErrorPageFor4012AccessDeniedInASPNET.aspx


In IIS you want Anonymous Access and Integrated Windows Authentication enabled.  Use NTFS file permissions to restrict pages that should be restricted.  This way anonymous users will still be able to get things like the "access denied" page.  Put a shared class in the App_Code folder, with a shared method: IsMemberOf.

Do i need the following information in my web.config ?

1.)  <authentication mode="Windows" />

2.) <location path="admin">
         <system.web>
             <authorization>
                 <allow roles="Leopards\Admins-Test"/>
             </authorization>
         </system.web>
      </location>

1.)  <authentication mode="Windows" />


If you do end up using the Role Manager then this is definitely necessary...

I don't know what the hell im doing wrong but i followed your examples and code perfectly and it still doesn't work.