Solved

asp.net web site with AD authentication

Posted on 2009-02-09
Last Modified: 2013-12-24
I wrote and maintain an internal company asp.net web app that uses the SQL Server membership provider. My users and my bosses want me to convert this to use our company's Active Directory for authentication so they don't have to log in.  I'm really having a hard time trying to figure out where to start.

First of all, I have complete control over the app and the SQL database.  I do not have any control over our Active Directory server.  As a start, what will I need from our IT department so that I can proceed?  ...at the moment I don't even know the proper questions to ask: the hostname of the AD server? The users will all already have accounts in the Active Directory, but what about assigning them to roles for my app?  Is this something that IT administrators will have to do?

I don't know if this complicates matters, but the server my app runs on is not on the domain and there's no way my boss is going to join it to the domain.  Does it need to be on the domain to be able to query AD?

What do I need to ask IT for?  Can any computer query AD?  Does it need an account (machine or user)?

As you can probably see from my questions, I can't figure out where to start.  Any help will be much appreciated.
Question by:CoderNotIT
Expert Comment

by:raterus
If it's internal, and you can force users to use IE (or manually configure Firefox browsers), enable integrated windows authentication in IIS, and be done with it!

Author Comment

by:CoderNotIT
It is internal.  And I can force them to use IE.

But if the server is not on the domain, isn't it only going to try to authenticate them against the server's own user list?
Expert Comment

by:raterus
Probably, which isn't going to work very well.  Any reason you can't add it to the domain?

Author Comment

by:CoderNotIT
My boss has a bunch of his own apps on that server and he has had all kinds of problems with things like group policy and AV software settings every time he has tried to join it to the domain.  He's pretty much sworn off joining his servers to our IT's domains.
Expert Comment

by:raterus
There is an Active Directory Provider in asp.net, but you'd still have to log in every time, kind of defeating the purpose of what you are trying to do here.

There really is no other "secure" solution available, if you want to be authenticated to an internal site, and not have to log in, you must use Integrated Windows Authentication, and that will require the server to be on the domain.  Once you have that, security is as easy as NTFS permissions on the webserver, and you can check membership by the User.IsInRole("MYDOMAIN\some group") function.

Author Comment

by:CoderNotIT
OK, I clarified this.  I guess not having to log in again is not a big issue.  Just so users' credentials are the same as in the AD.  Sorry for the detour.

So, if I use the ActiveDirectoryMembershipProvider in asp.net, I'm still not clear on what I need to ask our IT department for.  I'm guessing here (correct me if I'm wrong) that I will need AD Groups defined for "RicksWebUsers" and "RicksWebAdmins".  In addition to this, it looks like I need to configure the provider with a connectionUsername and password, which I presume may need to be a new account they set up because they're not going to give me any kind of admin account on the AD.  Also, I am trying to figure out what kind of UI to give administrators to add users, since they really wouldn't be adding users at all -- just adding or deleting them to/from the above-mentioned groups.

So is this what I go to IT with:
  1) I need the address of the DC or AD server.
  2) I need the 2 groups created.
  3) I need an admin account in AD capable of adding/removing existing users to/from the 2 groups.

Is that all I need?  (That, and to figure out a UI for admins to add/delete people while not having their credentials to validate and possibly not being able to list usernames.)
Accepted Solution

by:raterus
1) Yes, server name of the DC.  There are other ways to enter this where you just put the domain name, but I imagine this only works if the server is on the domain already, in which case you'll be using the DC's DNS servers.

2) Should be easy enough under Active Directory Users and Groups

3)  Yes, though not knowing the provider, don't know if it does this for you or not.  I should hope so.

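The setup the accepted answer sketches (DC host name, a service account for the provider, and the two groups RicksWebUsers/RicksWebAdmins from the question), as an added example that is not code from the original thread: the web.config wiring for ActiveDirectoryMembershipProvider, plus a small helper built on System.DirectoryServices.AccountManagement (.NET 3.5) that validates a user's AD password and checks group membership from a web server that is not joined to the domain. The host dc01.corp.example.com, the container DC=corp,DC=example,DC=com, the account CORP\svc-rickswebapp, the class AdAuth and its method names are all assumptions chosen for illustration; substitute whatever IT actually provides.

```csharp
/* web.config (ASP.NET 2.0/3.5). The provider speaks LDAP to the DC directly, so the
   web server does not have to be domain-joined; it only needs to resolve the DC name
   and reach TCP 636 (LDAPS) on it. Encrypt this section afterwards with
       aspnet_regiis -pe "system.web/membership" -app "/RicksWebApp"
   so the service account password is not stored in clear text.

<connectionStrings>
  <add name="ADConn"
       connectionString="LDAP://dc01.corp.example.com:636/DC=corp,DC=example,DC=com" />
</connectionStrings>
<system.web>
  <membership defaultProvider="ADProvider">
    <providers>
      <add name="ADProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConn"
           connectionProtection="Secure"
           connectionUsername="CORP\svc-rickswebapp"
           connectionPassword="change-me"
           attributeMapUsername="sAMAccountName" />
    </providers>
  </membership>
</system.web>
*/
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper: every host, container, account and group name below is an
// assumption for this example, not a value from the original thread.
public static class AdAuth
{
    const string DcHost          = "dc01.corp.example.com";     // item 1: the DC's name
    const string Container       = "DC=corp,DC=example,DC=com";
    const string ServiceUser     = "CORP\\svc-rickswebapp";     // plain, read-only domain user
    const string ServicePassword = "change-me";                 // load from the protected config
    public const string UsersGroup  = "RicksWebUsers";          // item 2: the two groups IT creates
    public const string AdminsGroup = "RicksWebAdmins";

    // Bind as the service account over LDAPS so no password crosses the wire in clear.
    // On a non-domain-joined server Negotiate falls back to NTLM with these explicit
    // credentials, which is fine. If IT has not issued an LDAPS certificate for the DC,
    // use ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing.
    static readonly ContextOptions Opts =
        ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;

    static PrincipalContext Connect()
    {
        return new PrincipalContext(ContextType.Domain, DcHost, Container, Opts,
                                    ServiceUser, ServicePassword);
    }

    // The DC checks the user's password; the app never stores or compares it itself.
    public static bool ValidateUser(string samAccountName, string password)
    {
        using (PrincipalContext ctx = Connect())
            return ctx.ValidateCredentials(samAccountName, password, Opts);
    }

    // Reading group membership needs only read access on the directory, so the
    // service account does not have to be any kind of admin.
    public static bool IsInGroup(string samAccountName, string groupName)
    {
        using (PrincipalContext ctx = Connect())
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (user == null || grp == null) return false;   // unknown user or group: deny
            return user.IsMemberOf(grp);
        }
    }

    // Typical use from the login page: a valid AD password alone is not authorization;
    // the user must also be in one of the app's groups. Returns null when access is denied.
    public static string RoleFor(string samAccountName, string password)
    {
        if (!ValidateUser(samAccountName, password)) return null;
        if (IsInGroup(samAccountName, AdminsGroup)) return "Admin";
        if (IsInGroup(samAccountName, UsersGroup))  return "User";
        return null;
    }
}
```

Two points worth settling with IT before asking for item 3: the account the provider binds with only has to read the directory, so ask for an ordinary locked-down user, not an admin; the right to add and remove members of the two groups is a separate delegation that can be granted on just those two group objects, and once the web app holds it, the app itself becomes a way to change AD group membership, so put that part behind the Admins group check above and log each change. Because the provider binds to the DC over LDAP, the server's local user list never enters into it, which answers the concern raised earlier in the thread about a non-domain server authenticating against its own accounts.
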
Author Closing Comment

by:CoderNotIT
Thanks for your help raterus.  That got me started.