ASP.NET Active Directory Role Provider via web.config - asp.net

I would like to ask if anybody could provide an example of web.config for the following situation:
I have a web (ASP.NET) with form authentication (login controls), which I would like to have connected to our corporate Active Directory. In AD, we have defined users as well as groups. Authentication for the users (allow users...) works like a charm; however, when I want to add role authentication (allow roles...) it doesn't work. I've tried to enable role manager but don't know exactly how to set up the provider to communicate with the AD.
Furthermore, I would like to have all the settings only in web.config, not to do group authentication in the code (I know it's possible but I would prefer config solution only).
Although I went through several tutorials on the web, most of the role authentication was oriented on using a local sql server or windows authorization, but not AD.

The idea is to write a custom role provider which reads groups from the AD and exposes them as user roles:
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html

If that site is on your intranet then you don't need to use login controls or the roles provider. AD is already a provider out of the box. Your web.config file needs to have
<authentication mode="Windows"/>
<authorization>
  <!--<allow roles="AD_GROUP" />-->
  <!--<allow users="USERS"/>-->
  <deny users="?"/> <!-- Important if you want to force authentication-->
</authorization>
Then somewhere in your code you can check to see the user is in a role like this:
HttpContext.Current.User.IsInRole("AD_GROUP_NAME")

Related

Setup windows authentication for ASP.NET using local workgroups?

I have a requirement to build windows authentication for our web applications. We plan to create local work groups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason: it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to set up windows authentication for an asp.net application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web config do something like this.
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"/>
Then in your aspx you can check if the user exists in the role. I placed this in my master page.
If Not Roles.IsUserInRole(HttpContext.Current.User.Identity.Name, "Managers") Then
    'label1.Text = "You are not authorized to view user roles."
    ' "~/" resolves against the application root, avoiding a backslash in the URL
    Response.Redirect("~/logout.html")
End If
You can read more at this link from Microsoft, http://msdn.microsoft.com/en-us/library/ff647401.aspx, under Using WindowsTokenRoleProvider.

ASP.NET active directory authentication User.IsInRole

I developed an ASP.NET Intranet application. Now I was asked to add authentication for the application - it should be based on Active Directory. The user should not fill in any login or password.
From within ASP.NET C# code I should be able to check something like this:
if (User.IsInRole("MyApplicationReaders"))
{
    doSomething();
}
else if (User.IsInRole("MyApplicationAdmins"))
{
    doSomethingElse();
}
MyApplicationReaders and MyApplicationAdmins are names of Active Directory groups.
Can you please point me to some easy step-by-step tutorial how to achieve this? I failed to find any :-(
Try to search harder.
You have to add the authentication method to the configuration file:
<authentication mode="Windows" />
And also add authorization rules:
<authorization>
<allow users="DomainName\Bob, DomainName\Mary" />
<allow roles="BUILTIN\Administrators, DomainName\Manager" />
<deny users="*" />
</authorization>
See this page for help.
PS: After you add windows authentication to your app you will be able to check User.IsInRole for authenticated users. But in some browsers your users will be prompted to enter their windows credentials.
You can set IIS to authenticate users automatically, but typically you implement your own authorization scheme. In the past, I have used a database to map my AD accounts to application roles/permissions.
In order to use the IsInRole(), you have to populate the User Principal object. The easiest place to do that is in the Global.asax event BeginRequest. Also take a look at creating a Custom Role Provider.

ASP web.config authorization to new roles added by users

I've been searching around the internet and I can't find an exact solution. Sorry it's a bit long but I'm hoping someone can help me.
I'm working on a web-based system using ASP.Net (4.0). This system allows an administrator to add new roles. Apart from adding new roles, the administrator can also set permissions to a role to access different pages.
For example, by default the User role can only access the Home page and. Say the administrator decides to set a new permission to this role and allows it to access another page (for example: ManageUsers.aspx)
I am using the Forms Authentication via the web.config. The web-pages are in two separate folders, one for each role (Admin and User). In each folder another web.config defines which roles can access the pages in this folder.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="2"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The problem is that if the administrator grants access to the User role for a page (for example: ManageUsers.aspx) that is allocated in the Admin folder, the User role is denied access to this page since only an Admin role can access these pages.
The first solution I thought of was changing the web.config on run-time but this will restart the application every time the web.config is changed.
The second solution is listing the pages each role can access from a database table or an XML file. I'm not sure if it will work if I still use the Forms Authentication. Shall I use locations in the web.config files? Or maybe there's another way to solve this? I can't get my head around it.
Thanks in advance for any help!

ASP.NET Forms Authentication via Querystring

I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and setup some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.example.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.
What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something along the lines of:
http://www.example.com/foo.txt?user=username&pass=pwd
Is this possible at all?
You should be able to write an http module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.
You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.
This however is NOT recommended. You should never require users to pass login information via a URL.
A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)
something like:
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
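Why the answers above advise against the `?user=username&pass=pwd` form: IIS records the query string in its W3C request log, so every such request stores the password in clear text. The following is an added example, not code from the original posts, that scans log lines for this pattern; the sample log is constructed, and the parameter names other than `pass` are assumed variants.

```python
from urllib.parse import parse_qsl

# "pass" is the parameter from the question's URL; the others are assumed variants.
SECRET_PARAMS = {"pass", "password", "pwd"}

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:00 GET /restricted/foo.txt - 192.0.2.10 302
2024-01-01 10:00:05 GET /foo.txt user=username&pass=pwd 192.0.2.10 200
2024-01-01 10:00:09 GET /Download.aspx user=username&pass=pwd&file=foo.txt 192.0.2.11 200
""".splitlines()

def find_credential_urls(log_lines):
    """Return (line_number, uri_stem, parameter) for each logged secret."""
    fields, findings = [], []
    for number, line in enumerate(log_lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue                       # other directives, blanks, headerless rows
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # IIS writes "-" when there is no query
            continue
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() in SECRET_PARAMS and value:
                findings.append((number, row.get("cs-uri-stem", ""), key))
    return findings

if __name__ == "__main__":
    for number, stem, key in find_credential_urls(SAMPLE_LOG):
        print(f"line {number}: {stem} logged a value for '{key}'")
```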

Web application to use window domain accounts for authentication

If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically windows handles everything, you never store usernames or passwords, AD and IIS do all the work for you
add this to your web.config
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication:
1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
You can then deal with the business or authorization using web.config again, for example:
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
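ASP.NET URL authorization reads the rules of an `<authorization>` section top to bottom, stops at the first match, and falls back to a machine-level `<allow users="*"/>` when nothing matches. The following added example, not code from the original posts, models that evaluation for the rule shapes quoted in the answers on this page; the sample sections are constructed, the user `DomainName\Outsider` is hypothetical, and the `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Machine-level default that ASP.NET evaluates after every web.config rule.
MACHINE_DEFAULT = [("allow", {"*"}, set())]

# Constructed samples mirroring the answers' <authorization> blocks.
FORCE_LOGIN_ONLY = r'<authorization><deny users="?"/></authorization>'
DENY_THEN_ALLOW_ROLE = r'''<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>'''
CLOSED = r'''<authorization>
  <allow roles="DomainName\WindowsGroup" />
  <deny users="*" />
</authorization>'''

def split_names(value):
    """Comma-separated attribute -> set of trimmed, lower-cased names."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}

def parse_rules(authorization_xml):
    """Return the section's rules in document order as (action, users, roles)."""
    return [(el.tag, split_names(el.get("users", "")), split_names(el.get("roles", "")))
            for el in ET.fromstring(authorization_xml)]

def is_allowed(rules, user=None, roles=()):
    """First matching rule decides; user=None models an anonymous request."""
    name = user.lower() if user else None
    held = {role.lower() for role in roles}
    for action, users, rule_roles in rules + MACHINE_DEFAULT:
        if ("*" in users
                or ("?" in users and name is None)
                or (name is not None and name in users)
                or held & rule_roles):
            return action == "allow"
    return False

if __name__ == "__main__":
    for label, xml in [("force-login", FORCE_LOGIN_ONLY),
                       ("deny+allow-role", DENY_THEN_ALLOW_ROLE), ("closed", CLOSED)]:
        rules = parse_rules(xml)
        print(label, "anonymous:", is_allowed(rules),
              "no-group user:", is_allowed(rules, r"DomainName\Outsider"))
```

In this model a section without a final `<deny users="*"/>` lets a user who holds none of the listed groups through, because the request reaches the machine-level allow rule.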
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.
I'm not sure if this is the best practice, but it has always worked well for me.
