
Page level web security using AD

Asked by KBSLPDev
278 Views
Last Modified: 2013-12-17
Hey all-
I'm using VS2005 (C#) and aspnet 2.x (.net 2.x). I'm creating a web site and would like to use active directory groups to determine site security. I'm limiting to admin, readonly and no access. There may be another level later. However, if implemented correctly, this wouldn't be a problem.

Has anybody done this? Would you use forms based authentication? If so, how would you do it? I'd like to get away from using a local database like forms based authentication does.

Top Expert 2007

Commented:
Try this site for starters

http://www.ddj.com/windows/184406424
Author

Commented:
I'm still having issues. I added the web.config to the directory I want to lock down but had to config it as an application in IIS for it to compile... Also, once it compiled, I'm having problems limiting users...

Ideas?

Here's my web.config (edited of course)


<configuration>
  <appSettings/>
  <connectionStrings>
    <!-- The provider needs a full LDAP path (server or domain plus container);
         the real value was removed from the post. -->
    <add connectionString="LDAP:// <my ldap string>"
         name="ADConnString"/>
  </connectionStrings>
  <system.web>
    <!-- Forms mode with no <forms> element: ASP.NET uses the default login
         page name, cookie name and timeout. -->
    <authentication mode="Forms"></authentication>
    <!-- An <allow> with no <deny> after it does not lock anything down:
         the inherited machine-level rule <allow users="*"/> still matches
         every other user. -->
    <authorization>
      <allow users="domain\username"/>
    </authorization>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- The shipping System.Web 2.0 assembly is Version=2.0.0.0
             (2.0.3600.0 was a beta build number). -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionUsername="computername\Administrator"
             connectionPassword="password"
             attributeMapUsername="SAMAccountName" />
        <!-- The bind account is a plaintext credential in web.config: use a
             least-privilege domain account instead of Administrator and
             encrypt this section (aspnet_regiis -pe "system.web/membership")
             before deploying. -->
      </providers>
    </membership>
  </system.web>
</configuration>

Top Expert 2007

Commented:
Should the Web.Config file be in the root of your application?

You've currently got your authentication mode set to "Forms" The following items need to be set

<identity impersonate="true"/>
<authentication mode="Windows"/>

I have no way of testing against an AD from here so I'm not sure I can help much more

You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD groups "Test"

Author

Commented:
Okay, those changes helped. It's authenticating by user. How about roles. I'm still looking for documentation but am having trouble.

Also, (trying to stay on topic) is there a way to have a default access denied page? I'm not getting any intellisense in my web.config.
Top Expert 2007

Commented:
You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD groups "Test"

or you can define certain directories to only be accessible to people in certain roles

<location path="admin">
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Top Expert 2007

Commented:
The page below should give you exactly what you need

Redirecting to custom 401 page when "Access denied" occurs within an ASP.NET application with Windows authentication

http://www.codeproject.com/aspnet/Custon401Page.asp?df=100&forumid=204516&exp=0&select=1196647
Top Expert 2007

Commented:
Have you solved your problem? Can I be of any further assistance?

Author

Commented:
I'm getting the role to work but am having trouble limiting it to a directory. Administration is my directory. I have this. When I use the location tag, I get 'Error 101 <location> sections are allowed only within <configuration> sections.'

Here's what I used...

<location path="Administration">
  <authentication mode="Windows">
    <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60" path="/" >
    </forms>
  </authentication>
  <authorization>
    <allow roles="domain\groupname"/>
    <deny users="*"/>
  </authorization>
</location>


Is there a way to specify role permissions multiple directories and specify different groups for each directory? For example, group A and B have access to directory 1 but only B has access to directory 2.

Thanks!!!
Top Expert 2007

Commented:
Yes, the location settings need to be children of the configuration node.

And you can have multiple Location nodes

See below:

<location path="directory1">
  <system.web>
    <authorization>
      <!-- several groups can also be listed as roles="groupA,groupB" -->
      <allow roles="groupA"/>
      <allow roles="groupB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="directory2">
  <system.web>
    <authorization>
      <allow roles="groupB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
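A complete root web.config for the setup the thread converges on (Windows authentication, AD groups as roles, per-directory rules, a page to land on when access is denied), as an added example that is not part of the thread or of the author's project. The directory names (Administration, Reports), the group names (CORP\WebAdmins, CORP\WebReaders) and the page name AccessDenied.aspx are assumed placeholders. Two points the answers above do not spell out: `<authentication>` is restricted to application level (allowDefinition="MachineToApplication"), so it belongs only in the root web.config and cannot sit inside a `<location>` for a subfolder, which is also why a subfolder web.config carrying it only compiled once the folder was turned into its own IIS application; and authorization rules are matched top to bottom with the first match winning, against an inherited machine-level default of `<allow users="*"/>`, so every `<location>` must end with an explicit `<deny users="*"/>`.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Windows (Integrated) authentication: IIS authenticates the domain
         user and ASP.NET receives a WindowsPrincipal whose roles are the
         user's AD group memberships. Application level only. -->
    <authentication mode="Windows" />

    <!-- Impersonation is NOT required for URL authorization or for
         User.IsInRole; enable it only when pages must touch files or SQL
         Server with the caller's own identity. -->
    <identity impersonate="false" />

    <!-- Site-wide default: no anonymous callers ("?"). Everything else is
         decided per directory below. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Admin-only area. Group names are assumed placeholders; always qualify
       them as DOMAIN\Group so the lookup is unambiguous. -->
  <location path="Administration">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Read-only area: admins and readers may enter, nobody else. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins,CORP\WebReaders" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The page users are sent to after a denial must itself be reachable by
       every authenticated user, otherwise the redirect just produces
       another 401. -->
  <location path="AccessDenied.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Things to check before trusting the result: Integrated Windows Authentication must be enabled on the virtual directory in IIS (and Anonymous disabled if no anonymous request should ever reach ASP.NET); `<deny users="*"/>` is what actually closes each directory, an `<allow>` on its own changes nothing; and group renames or nestings are only picked up when the user's token is rebuilt, i.e. on the next logon. For the "default access denied page": the 401 written by UrlAuthorizationModule completes the request directly, so a `<customErrors>` entry for status 401 does not catch it; the CodeProject article linked above works around this by checking Response.StatusCode == 401 in Application_EndRequest and redirecting to the page that the last `<location>` here keeps open.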



Author

Commented:
Perfect!! Thanks for all the help!!!
