
asp.net web site with AD authentication

Medium Priority
347 Views
Last Modified: 2013-12-24
I wrote and maintain an internal company asp.net web app that uses the SQL Server membership provider. My users and my bosses want me to convert this to use our company's Active Directory for authentication so they don't have to log in.  I'm really having a hard time trying to figure out where to start.

First of all, I have complete control over the app and the SQL database.  I do not have any control over our Active Directory server.  As a start, what will I need from our IT department so that I can proceed?  ...at the moment I don't even know the proper questions to ask: the hostname of the AD server? The users will all already have accounts in the Active Directory, but what about assigning them to roles for my app?  Is this something that IT administrators will have to do?

I don't know if this complicates matters, but the server my app runs on is not on the domain and there's no way my boss is going to join it to the domain.  Does it need to be on the domain to be able to query AD?

What do I need to ask IT for?  Can any computer query AD?  Does it need an account (machine or user)?

As you can probably see from my questions, I can't figure out where to start.  Any help will be much appreciated.

Top Expert 2005

Commented:
If it's internal, and you can force users to use IE (or manually configure Firefox browsers), enable integrated windows authentication in IIS, and be done with it!

Author

Commented:
It is internal.  And I can force them to use IE.

But if the server is not on the domain, isn't it only going to try to authenticate them against the server's own user list?
Top Expert 2005

Commented:
Probably, which isn't going to work very well.  Any reason you can't add it to the domain?

Author

Commented:
My boss has a bunch of his own apps on that server and he has had all kinds of problems with things like group policy and AV software settings every time he has tried to join it to the domain.  He's pretty much sworn off joining his servers to our IT's domains.
Top Expert 2005

Commented:
There is an Active Directory Provider in asp.net, but you'd still have to log in every time, kind of defeating the purpose of what you are trying to do here.

There really is no other "secure" solution available, if you want to be authenticated to an internal site, and not have to log in, you must use Integrated Windows Authentication, and that will require the server to be on the domain.  Once you have that, security is as easy as NTFS permissions on the webserver, and you can check membership by the User.IsInRole("MYDOMAIN\some group") function.

Author

Commented:
OK, I clarified this.  I guess not having to log in again is not a big issue.  Just so users' credentials are the same as in the AD.  Sorry for the detour.

So, if I use the ActiveDirectoryMembershipProvider in asp.net, I'm still not clear on what I need to ask our IT department for.  I'm guessing here (correct me if I'm wrong) that I will need AD groups defined for "RicksWebUsers" and "RicksWebAdmins".  In addition to this, it looks like I need to configure the provider with a connectionUsername and password, which I presume may need to be a new account they set up because they're not going to give me any kind of admin account on the AD.  Also, I am trying to figure out what kind of UI to give administrators to add users, since they really wouldn't be adding users at all -- just adding or deleting them to/from the above-mentioned groups.

So is this what I go to IT with:
  1) I need the address of the DC or AD server.
  2) I need the 2 groups created.
  3) I need an admin account in AD capable of adding/removing existing users to/from the 2 groups.

Is that all I need?  (That, and to figure out a UI for admins to add/delete people while not having their credentials to validate and possibly not being able to list usernames.)
Top Expert 2005
Commented:
1) Yes, server name of the DC.  There are other ways to enter this where you just put the domain name, but I imagine this only works if the server is on the domain already, in which case you'll be using the DC's DNS servers.

2) Should be easy enough under Active Directory Users and Groups

3)  Yes, though not knowing the provider, don't know if it does this for you or not.  I should hope so.
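Added example (not code from the thread or from the ActiveDirectoryMembershipProvider itself): the three items above, turned into a small C# helper that a web server which is NOT joined to the domain can use, because it authenticates to the DC with an explicit service account rather than a machine account. It uses System.DirectoryServices.AccountManagement (.NET 3.5+). The DC host name dc01.corp.example, the base DN DC=corp,DC=example and the account svc-rickswebapp are assumptions; the two group names RicksWebUsers and RicksWebAdmins are the ones proposed in the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not from the original thread.
// Everything marked "assumed" is a placeholder you replace with what IT gives you.
public static class AdAuth
{
    // 1) A domain controller the web server can reach on LDAP (389) or LDAPS (636),
    //    plus the base DN to search under.
    private const string DomainController = "dc01.corp.example";   // assumed
    private const string BaseDn            = "DC=corp,DC=example"; // assumed

    // 3) A low-privilege service account. Reading users and group membership
    //    needs no admin rights; ask for a plain account, not a domain admin.
    //    Load the password from protected configuration (e.g. an encrypted
    //    web.config section); it is hard-coded here only to keep the example self-contained.
    private const string ServiceUser     = "svc-rickswebapp";          // assumed
    private const string ServicePassword = "replace-with-config-value"; // assumed

    // 2) The two groups IT creates for the app.
    private const string UsersGroup  = "RicksWebUsers";
    private const string AdminsGroup = "RicksWebAdmins";

    // Sign and seal the connection so the bind and the query results are not sent in clear text.
    private const ContextOptions Opts =
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

    private static PrincipalContext Connect()
    {
        // Explicit credentials are what make this work from a non-domain-joined server.
        return new PrincipalContext(ContextType.Domain, DomainController, BaseDn,
                                    Opts, ServiceUser, ServicePassword);
    }

    // Check a user's AD password. Called from the app's own login page, so the app
    // never stores user passwords; it only forwards them to the DC for validation.
    public static bool ValidateCredentials(string samAccountName, string password)
    {
        // Reject empty input before it reaches LDAP: an empty password is the classic
        // unauthenticated-bind pitfall, and an empty name is never a real user.
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = Connect())
            return ctx.ValidateCredentials(samAccountName, password, Opts);
    }

    // Direct membership test against one of the app's groups.
    public static bool IsInGroup(string samAccountName, string groupName)
    {
        using (var ctx = Connect())
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return false;
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
            {
                if (group == null) return false;
                // IsMemberOf is direct membership only; use user.GetAuthorizationGroups()
                // if IT nests other groups inside RicksWebUsers/RicksWebAdmins.
                return user.IsMemberOf(group);
            }
        }
    }

    // Map the AD groups onto the app's own roles. Null means "valid AD user, but not
    // authorised for this application", which the app must treat as access denied.
    public static string RoleFor(string samAccountName)
    {
        if (IsInGroup(samAccountName, AdminsGroup)) return "Admin";
        if (IsInGroup(samAccountName, UsersGroup))  return "User";
        return null;
    }
}
```

Two practitioner notes on item 3. Validating passwords and reading membership only needs a read-only account, so that is all you should request for the web app itself. Letting the app's admin UI add or remove members of the two groups needs write access to those groups' member attribute; ask IT to delegate that on just those two groups (or, simpler and safer, leave membership changes to IT and keep the app read-only), and keep that writable account separate from the one used for logins. Also note that ActiveDirectoryMembershipProvider ships with no matching role provider, so a group check like the one above is what backs any "is this user an admin" decision in the app.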

Author

Commented:
Thanks for your help, raterus.  That got me started.