KBSLPDev (United States) asked:

Page level web security using AD

Hey all-
I'm using VS2005 (C#) and aspnet 2.x (.net 2.x). I'm creating a web site and would like to use active directory groups to determine site security. I'm limiting to admin, readonly and no access. There may be another level later. However, if implemented correctly, this wouldn't be a problem.

Has anybody done this? Would you use forms based authentication? If so, how would you do it? I'd like to get away from using a local database like forms based authentication does.  
McExp (United Kingdom):

Try this site for starters

http://www.ddj.com/windows/184406424
KBSLPDev (asker):

I'm still having issues. I added the web.config to the directory I want to lock down but had to config it as an application in IIS for it to compile... Also, once it compiled, I'm having problems limiting users...

Ideas?

Here's my web.config (edited, of course):


<configuration>
  <appSettings/>
  <connectionStrings>
    <add connectionString="LDAP:// <my ldap string>"
         name="ADConnString"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms"></authentication>
    <authorization>
      <allow users="domain\username"/>
    </authorization>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
                   System.Web, Version=2.0.3600.0, Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionUsername="computername\Administrator"
             connectionPassword="password"
             attributeMapUsername="SAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>

Should the Web.Config file be in the root of your application?

You've currently got your authentication mode set to "Forms". The following items need to be set:

<identity impersonate="true"/>
<authentication mode="Windows"/>

I have no way of testing against an AD from here, so I'm not sure I can help much more.

You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test".
Okay, those changes helped. It's authenticating by user. How about roles? I'm still looking for documentation but am having trouble.

Also (trying to stay on topic), is there a way to have a default access denied page? I'm not getting any IntelliSense in my web.config.
You should be able to call user.IsInRole("Test") from your code to check if the current user is in the AD group "Test".

or you can define certain directories to only be accessible to people in certain roles:

<location path="admin">
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
The page below should give you exactly what you need:

Redirecting to a custom 401 page when "Access denied" occurs within an ASP.NET application with Windows authentication

http://www.codeproject.com/aspnet/Custon401Page.asp?df=100&forumid=204516&exp=0&select=1196647
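The linked article covers redirecting a 401 to a friendly page. The Global.asax code below is an added example, not code from the thread or from that article: it assumes Windows authentication, an `~/AccessDenied.aspx` page (assumed name) that a `<location>` element grants to `users="*"`, and it shows the one caveat that matters with Windows authentication, namely that only a 401 raised for an already-authenticated user should be intercepted, because an anonymous 401 is the browser's NTLM/Kerberos challenge and swallowing it would stop users from ever logging in.

```csharp
using System;
using System.Web;

// Global.asax code-behind (added example; assumes Windows authentication and
// a page ~/AccessDenied.aspx that <location> allows for all users).
public class Global : HttpApplication
{
    private const string AccessDeniedPage = "~/AccessDenied.aspx"; // assumed path

    // Pure decision helper so the rule is explicit and easy to unit test:
    // redirect only a 401 that hits an authenticated user, and never when the
    // request is for the denied page itself (otherwise a redirect loop forms
    // if someone misconfigures that page's <location>).
    public static bool ShouldRedirect(int statusCode, bool isAuthenticated, string appRelativePath)
    {
        if (statusCode != 401 || !isAuthenticated)
            return false;
        return !string.Equals(appRelativePath, AccessDeniedPage, StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null)
            return;

        // Anonymous 401: the Windows authentication challenge, leave it alone.
        // Authenticated 401: UrlAuthorizationModule said "known user, not in an
        // allowed role", which is the case a friendly page is for.
        if (!ShouldRedirect(ctx.Response.StatusCode,
                            ctx.Request.IsAuthenticated,
                            ctx.Request.AppRelativeCurrentExecutionFilePath))
            return;

        ctx.Response.Clear();
        // endResponse:false avoids the ThreadAbortException that Response.End
        // raises; nothing else runs after EndRequest anyway.
        ctx.Response.Redirect(AccessDeniedPage, false);
    }
}
```

The denied page should be a plain informational page that does not itself read a `ReturnUrl` or similar parameter and redirect to it, so the handler cannot be turned into an open redirect.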
Have you solved your problem? Can I be of any further assistance?
I'm getting the role to work but am having trouble limiting it to a directory. Administration is my directory. I have this. When I use the location tag, I get 'Error 101 <location> sections are allowed only within <configuration> sections.'

Here's what I used...
<location path="Administration">
  <authentication mode="Windows">
    <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60" path="/">
    </forms>
  </authentication>
  <authorization>
    <allow roles="domain\groupname"/>
    <deny users="*"/>
  </authorization>
</location>


Is there a way to specify role permissions for multiple directories and specify different groups for each directory? For example, groups A and B have access to directory 1, but only B has access to directory 2.

Thanks!!!
Yes, the location settings need to be children of the configuration node.

And you can have multiple Location nodes

See below:

<location path="directory1">
  <system.web>
    <authorization>
      <allow roles="groupA"/>
      <allow roles="groupB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="directory2">
  <system.web>
    <authorization>
      <allow roles="groupB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
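The `<location>` elements above give directory-level control. The asker also wanted three levels (admin, read-only, no access) enforced per page, and the earlier replies suggested `User.IsInRole`. The C# below is an added example, not code from the thread: it maps domain-qualified AD groups (placeholder names `CORP\WebSite-Admins` and `CORP\WebSite-Readers`) to an access level with deny-by-default, and a base page class that returns 401 when the caller is below the level the page declares, so the `<location>` rules and the page check fail closed together.

```csharp
using System;
using System.Security.Principal;
using System.Web.UI;

// Added example. Group names are placeholders; with Windows authentication
// the principal reports roles as "DOMAIN\Group", so qualify them rather than
// matching bare group names that could collide with local groups.
public enum AccessLevel { None = 0, ReadOnly = 1, Admin = 2 }

public static class AccessPolicy
{
    private const string AdminGroup = "CORP\\WebSite-Admins";     // placeholder
    private const string ReadOnlyGroup = "CORP\\WebSite-Readers"; // placeholder

    // Takes IPrincipal rather than HttpContext so it can be unit tested with a
    // GenericPrincipal. Anything unauthenticated or unmatched is None.
    public static AccessLevel Resolve(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return AccessLevel.None;
        // Check the most privileged group first so an admin who is also a
        // reader is not downgraded.
        if (user.IsInRole(AdminGroup))
            return AccessLevel.Admin;
        if (user.IsInRole(ReadOnlyGroup))
            return AccessLevel.ReadOnly;
        return AccessLevel.None;
    }
}

// Pages inherit from this and override RequiredLevel. The check runs in OnInit,
// before any control or postback handler can act on the request.
public class SecuredPage : Page
{
    protected virtual AccessLevel RequiredLevel
    {
        get { return AccessLevel.ReadOnly; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        AccessLevel actual = AccessPolicy.Resolve(Context.User);
        if (actual < RequiredLevel)
        {
            // 401 for an authenticated caller: the same status UrlAuthorizationModule
            // uses, so a custom access-denied handler treats both cases alike.
            Response.StatusCode = 401;
            Response.End();
        }
    }

    // For hiding edit controls in markup; never the only check, since the
    // postback that an edit control triggers must still pass OnInit above.
    protected bool CanEdit
    {
        get { return AccessPolicy.Resolve(Context.User) >= AccessLevel.Admin; }
    }
}

// Example page: only admins may load it.
public class AdminSettingsPage : SecuredPage
{
    protected override AccessLevel RequiredLevel
    {
        get { return AccessLevel.Admin; }
    }
}
```

With a `WindowsPrincipal`, `IsInRole` is answered from the group SIDs in the token the user got when authenticating to the server, so nested group membership works, but a membership change is not seen until the user obtains a fresh logon or Kerberos ticket.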


ASKER CERTIFIED SOLUTION
McExp (United Kingdom)
Perfect!! Thanks for all the help!!!