KBSLPDev
Page level web security using AD
Hey all-
I'm using VS2005 (C#) and aspnet 2.x (.net 2.x). I'm creating a web site and would like to use active directory groups to determine site security. I'm limiting to admin, readonly and no access. There may be another level later. However, if implemented correctly, this wouldn't be a problem.
Has anybody done this? Would you use forms based authentication? If so, how would you do it? I'd like to get away from using a local database like forms based authentication does.
ASKER
I'm still having issues. I added the web.config to the directory I want to lock down but had to config it as an application in IIS for it to compile... Also, once it compiled, I'm having problems limiting users...
Ideas?
Here's my web.config (edited of course)
<configuration>
<appSettings/>
<connectionStrings>
<add connectionString="LDAP:// <my ldap string>"
name="ADConnString"/>
</connectionStrings>
<system.web>
<authentication mode="Forms"></authentication>
<authorization>
<allow users ="domain\username"/>
</authorization>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.3600.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnString"
connectionUsername="computername\Administrator"
connectionPassword="password" attributeMapUsername="SAMAccountName" />
</providers>
</membership>
</system.web>
</configuration>
Is Web.Config file should be in the root of your application?
You've currently got your authentication mode set to "Forms". The following items need to be set:
<identity impersonate="true"/>
<authentication mode="Windows"/>
I have no way of testing against an AD from here so I'm not sure I can help much more
You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test"
ASKER
Okay, those changes helped. It's authenticating by user. How about roles? I'm still looking for documentation but am having trouble.
Also, (trying to stay on topic) is there a way to have a default access denied page? I'm not getting any intellisense in my web.config.
You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test"
or you can define certain directories to only be accessible to people in certain roles
<location path="admin">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
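Added example (not part of the original thread): one way to do the in-code IsInRole check for the asker's three levels (admin, read-only, no access) under Windows authentication, written for C# 2.0. The group names, the AccessLevel enum and the SecuredPage class are hypothetical; anyone who matches no group is denied by default.

```csharp
// App_Code/SecuredPage.cs (hypothetical file name); assumes
// <authentication mode="Windows"/> is set in the application's web.config.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Ordered from least to most privileged so levels can be compared.
public enum AccessLevel { None = 0, ReadOnly = 1, Admin = 2 }

public class SecuredPage : Page
{
    // Placeholder AD group names; replace with the real DOMAIN\group values.
    private const string AdminGroup = @"DOMAIN\SiteAdmins";
    private const string ReadOnlyGroup = @"DOMAIN\SiteReaders";

    // Maps the caller's AD group membership to a single access level.
    // Unauthenticated callers and callers in neither group get None.
    public static AccessLevel Resolve(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return AccessLevel.None;
        if (user.IsInRole(AdminGroup))
            return AccessLevel.Admin;
        if (user.IsInRole(ReadOnlyGroup))
            return AccessLevel.ReadOnly;
        return AccessLevel.None;
    }

    // Pages that need more than read access override this property.
    protected virtual AccessLevel RequiredLevel
    {
        get { return AccessLevel.ReadOnly; }
    }

    // Runs before any control on the page is initialised, so a denied
    // request never reaches page logic or renders partial content.
    protected override void OnInit(EventArgs e)
    {
        if (Resolve(User) < RequiredLevel)
            throw new HttpException(403, "Access denied.");
        base.OnInit(e);
    }
}
```

A page inherits from SecuredPage instead of Page; an admin-only page overrides RequiredLevel to return AccessLevel.Admin. Adding a further level later means one more enum value and one more IsInRole test.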
The page below should give you exactly what you need
Redirecting to custom 401 page when "Access denied" occures within an ASP.NET application with Windows authentication
http://www.codeproject.com/aspnet/Custon401Page.asp?df=100&forumid=204516&exp=0&select=1196647
Have you solved your problem? Can I be of any further assistance?
ASKER
I'm getting the role to work but am having trouble limiting it to a directory. Administration is my directory. I have this. When I use the location tag, I get 'Error 101 <location> sections are allowed only within <configuration> sections.'
Here's what I used...
<location path="Administration">
<authentication mode="Windows">
<forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60" path="/" >
</forms>
</authentication>
<authorization>
<allow roles="domain\groupname"/>
<deny users="*"/>
</authorization>
</location>
Is there a way to specify role permissions for multiple directories and specify different groups for each directory? For example, group A and B have access to directory 1 but only B has access to directory 2.
Thanks!!!
Yes, the location settings need to be children of the configuration node.
And you can have multiple Location nodes.
See below: -
<location path="directory1">
<system.web>
<authorization>
<allow roles="groupA"/>
<allow roles="groupB"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="directory2">
<system.web>
<authorization>
<allow roles="groupB"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
ASKER
Perfect!! Thanks for all the help!!!
http://www.ddj.com/windows/184406424