  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 248
  • Last Modified:

Page level web security using AD

Hey all-
I'm using VS2005 (C#) and aspnet 2.x (.net 2.x). I'm creating a web site and would like to use active directory groups to determine site security. I'm limiting to admin, readonly and no access. There may be another level later. However, if implemented correctly, this wouldn't be a problem.

Has anybody done this? Would you use forms based authentication? If so, how would you do it? I'd like to get away from using a local database like forms based authentication does.  
0
Asked by: KBSLPDev
1 Solution
 
McExp Commented:
Try this site for starters

http://www.ddj.com/windows/184406424
0
 
KBSLPDev (Author) Commented:
I'm still having issues. I added the web.config to the directory I want to lock down but had to config it as an application in IIS for it to compile... Also, once it compiled, I'm having problems limiting users...

Ideas?

Here's my web.config (edited of course)


<configuration>
  <appSettings/>
  <connectionStrings>
    <add connectionString="LDAP:// <my ldap string>"
         name="ADConnString"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms"></authentication>
    <authorization>
      <allow users="domain\username"/>
    </authorization>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
                   System.Web, Version=2.0.3600.0, Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionUsername="computername\Administrator"
             connectionPassword="password"
             attributeMapUsername="SAMAccountName"/>
      </providers>
    </membership>
  </system.web>
</configuration>

0

 
McExp Commented:
Is Web.Config file should be in the root of your application?

You've currently got your authentication mode set to "Forms". The following items need to be set:

<identity impersonate="true"/>
<authentication mode="Windows"/>

I have no way of testing against an AD from here so I'm not sure I can help much more

You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test".
0
 
KBSLPDev (Author) Commented:
Okay, those changes helped. It's authenticating by user. How about roles. I'm still looking for documentation but am having trouble.

Also (trying to stay on topic), is there a way to have a default access denied page? I'm not getting any IntelliSense in my web.config.
0
 
McExp Commented:
You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test",

or you can define certain directories to only be accessible to people in certain roles:

<location path="admin">
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
0
 
McExp Commented:
The page below should give you exactly what you need

Redirecting to custom 401 page when "Access denied" occures within an ASP.NET application with Windows authentication

http://www.codeproject.com/aspnet/Custon401Page.asp?df=100&forumid=204516&exp=0&select=1196647
0
 
McExp Commented:
Have you solved your problem? Can I be of any further assistance?
0
 
KBSLPDev (Author) Commented:
I'm getting the role to work but am having trouble limiting it to a directory. Administration is my directory. I have this. When I use the location tag, I get 'Error 101 <location> sections are allowed only within <configuration> sections.'

Here's what I used...
 <location path="Administration">
      <authentication mode="Windows">
        <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60" path="/" >
        </forms>
      </authentication>
      <authorization>
        <allow roles="domain\groupname"/>
        <deny users="*"/>
      </authorization>
    </location>


Is there a way to specify role permissions for multiple directories and specify different groups for each directory? For example, group A and B have access to directory 1 but only B has access to directory 2.

Thanks!!!
0
 
McExp Commented:
Yes, the location settings need to be children of the configuration node.

And you can have multiple Location nodes

See below: -

      <location path="directory1">
            <system.web>
                  <authorization>
                        <allow roles="groupA"/>
                        <allow roles="groupB"/>
                        <deny users="*"/>
                  </authorization>
            </system.web>
      </location>
      <location path="directory2">
            <system.web>
                  <authorization>
                        <allow roles="groupB"/>
                        <deny users="*"/>
                  </authorization>
            </system.web>
      </location>


0
 
McExp Commented:
As an extension of the example in the last solution, you can put all the generic stuff in a system.web node and then have the specifics in location nodes below:

<configuration>
  <!-- Site-wide defaults -->
  <system.web>
    <httpRuntime maxRequestLength="8192" executionTimeout="900"/>
    <authorization>
      <allow users="*"/>
    </authorization>
    <authentication mode="Forms">
      <forms loginUrl="~/Membership/Login.aspx" defaultUrl="index.aspx"/>
    </authentication>
    <!-- ....More stuff... -->
  </system.web>
  <!-- Per-directory rules: <location> is a child of <configuration> -->
  <location path="directory1">
    <system.web>
      <authorization>
        <allow roles="groupA"/>
        <allow roles="groupB"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="directory2">
    <system.web>
      <authorization>
        <allow roles="groupB"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
0
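Added example, not part of the original thread: a simplified Python model of how the <authorization> rules in the answers above are evaluated (first matching rule wins, <location> rules before the site-wide ones), run against a constructed config. It ignores verbs and nested paths; directory3, the sample user name and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout from the answer above inside <configuration>, plus a
# hypothetical directory3 whose <authorization> lacks the closing <deny users="*"/>.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="directory1"><system.web><authorization>
    <allow roles="groupA"/>
    <allow roles="groupB"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="directory2"><system.web><authorization>
    <allow roles="groupB"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="directory3"><system.web><authorization>
    <allow roles="groupB"/>
  </authorization></system.web></location>
</configuration>"""

def _names(value):
    return {n.strip().lower() for n in value.split(",") if n.strip()}

def _rules(node):
    """(action, users, roles) tuples of node's <authorization>, in document order."""
    auth = node.find("system.web/authorization") if node is not None else None
    if auth is None:
        return []
    return [(r.tag, _names(r.get("users", "")), _names(r.get("roles", ""))) for r in auth]

def is_allowed(config_xml, path, user, roles):
    """First matching rule wins; the <location> rules are read before the site-wide ones."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.findall("location")
                if l.get("path", "").lower() == path.lower()), None)
    user, roles = user.lower(), {r.lower() for r in roles}
    for action, users, rule_roles in _rules(loc) + _rules(root):
        anonymous = "?" in users and not user   # "" stands for an anonymous request
        if "*" in users or user in users or anonymous or roles & rule_roles:
            return action == "allow"
    return True  # assumption: no rule matched, so the machine-level allow-all applies

def fall_through_paths(config_xml):
    """Paths whose own rules never deny everyone, so other users reach the site rules."""
    root = ET.fromstring(config_xml)
    return [l.get("path") for l in root.findall("location")
            if not any(a == "deny" and "*" in u for a, u, _ in _rules(l))]
```

fall_through_paths flags directory3: without the closing <deny users="*"/>, a groupA member falls through to the site-wide <allow users="*"/> and is let in.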
 
KBSLPDev (Author) Commented:
Perfect!! Thanks for all the help!!!
0
