ASP.NET role management with windows authentication - asp.net

I am working on an intranet website using ASP.NET and was wondering what exactly I can gain by enabling roles when Windows authentication is enabled for my website. I can check if users belong to groups with the User object so why would I need to enable roles given that windows authentication is enabled?

It is often the case that someone in the "Administrators" group on Active Directory is not an administrator on a specific system. The "Administrators" group on your Windows network will point to the network administrators, but what you really want is a different administrators group specific to your application. If you had a system that handled some numbers for the Finance department, you wouldn't want the network administrators to also be the administrators for the Finance system.
That's where the role manager comes in. The role manager allows you to continue to use Windows Authentication, but create your own roles, separate from your network, and assign a different set of users to that role. On your intranet for example, you might want managers to be able to edit pages, so you assign them to the "Page Editor" role.
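The distinction the answer draws, as an added example that is not part of the original post: the Windows token answers network-level questions (is this a domain admin?), while the role provider answers application-level questions (may this person edit pages here?), and an administrator populates the latter without touching Active Directory. The domain, group and role names are placeholders; the code assumes `<authentication mode="Windows"/>` and an enabled `<roleManager>` backed by `SqlRoleProvider` in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;

// Assumes web.config has <authentication mode="Windows"/> and
// <roleManager enabled="true"> backed by SqlRoleProvider (or
// AuthorizationStoreRoleProvider). Domain, group and role names are placeholders.
public static class IntranetAccess
{
    private const string PageEditorRole = "Page Editor";

    // Network-level question: is this person a domain administrator?
    // Answered from the Windows token IIS handed to ASP.NET, not from the role store.
    public static bool IsNetworkAdmin(IPrincipal user)
    {
        var identity = user.Identity as WindowsIdentity;
        if (identity == null) return false;          // not Windows-authenticated
        // Once roleManager is enabled, HttpContext.User is a RolePrincipal whose
        // IsInRole consults the provider, so wrap the WindowsIdentity explicitly
        // to ask Windows about group membership.
        return new WindowsPrincipal(identity).IsInRole(@"CORP\Domain Admins");
    }

    // Application-level question: may this person edit pages on this site?
    // Answered from the role provider's store, keyed by DOMAIN\user.
    public static bool CanEditPages(IPrincipal user)
    {
        return user.Identity.IsAuthenticated
            && Roles.IsUserInRole(user.Identity.Name, PageEditorRole);
    }

    // Administrative one-off: grant the application role to a domain account.
    // Nothing in Active Directory changes; only the application's role store does.
    public static void GrantPageEditor(string domainUserName)
    {
        if (!Roles.RoleExists(PageEditorRole))
            Roles.CreateRole(PageEditorRole);
        if (!Roles.IsUserInRole(domainUserName, PageEditorRole))
            Roles.AddUserToRole(domainUserName, PageEditorRole);
    }
}
```

In a page, `if (!IntranetAccess.CanEditPages(User)) { Response.StatusCode = 403; Response.End(); }` gates the edit UI, and the same role name can be used in `<authorization><allow roles="Page Editor"/>` rules. The caveat worth knowing is in `IsNetworkAdmin`: with the role manager enabled, `User.IsInRole("CORP\Domain Admins")` no longer asks Windows at all, it asks the role provider, so Windows group checks have to go through an explicit `WindowsPrincipal`.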

Related

Log in to website using Active Directory with a two-way trust

We have an ASP.NET website set up using Active Directory as the Membership Provider. The site uses the Forms authentication mode and the .NET Login control. We recently merged with another company and now they also need access to the site, but they are of course on a different domain. Our IT people have set up the two Active Directories in a two-way trust.
I can log on to their domain using a test account from our network. But when I use the same DOMAIN\username + password combo on my website it does not work.
How can I make our site able to see users on the second domain? Is this not possible using the Login control? Or is there something else I'm missing?
I don't think it's possible to authenticate against a remote AD domain, via a trust with the built-in provider. You could set up a second provider which is configured to point at the other domain, and then add additional logic to your Login control to pick the right provider to authenticate against. I use a similar approach to support "pass-through" authentication of domain users while also supporting non-domain users with standard forms authentication.

ASP.NET / IIS Security (Windows Authentication)

This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrated Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
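The login-page approach from the answers above, as an added example that is not code from the original posts or from the linked MSDN articles: a Forms-authentication login helper that validates `DOMAIN\user` plus password against Active Directory through `System.DirectoryServices.AccountManagement`, so that Bob can sign in to the application from Jane's workstation. It also covers the two-way-trust question earlier on this page by keeping a table of domains to validate against, one entry per domain, which is what a "second provider" amounts to. The domain names and the `CORP` default are placeholders; the code assumes `<authentication mode="Forms"/>` in web.config.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;

// Assumes <authentication mode="Forms"/> in web.config; domain names are placeholders.
public static class DomainLogin
{
    // NetBIOS domain -> DNS name of the domain to validate against. The second
    // entry is what a trusted partner domain would look like.
    private static readonly Dictionary<string, string> Domains =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "CORP",    "corp.example.com" },
            { "PARTNER", "partner.example.com" },
        };

    // Returns true only if Active Directory accepts DOMAIN\user + password.
    public static bool ValidateCredentials(string login, string password)
    {
        // Null credentials mean "validate the current process identity" and an
        // empty password can succeed as an anonymous bind, so refuse both up front.
        if (string.IsNullOrEmpty(login) || string.IsNullOrEmpty(password)) return false;

        string domain = "CORP", user = login;   // default domain if none was typed
        int slash = login.IndexOf('\\');
        if (slash > 0)
        {
            domain = login.Substring(0, slash);
            user = login.Substring(slash + 1);
        }

        string dnsName;
        if (!Domains.TryGetValue(domain, out dnsName)) return false;

        // Negotiate (Kerberos/NTLM) keeps the password off the wire; SimpleBind
        // without SecureSocketLayer would send it in clear text.
        using (var ctx = new PrincipalContext(ContextType.Domain, dnsName))
        {
            return ctx.ValidateCredentials(user, password, ContextOptions.Negotiate);
        }
    }

    // Issue the Forms ticket. The site now sees a FormsIdentity named DOMAIN\user,
    // not a WindowsIdentity, so authorization data must come from your own store.
    public static bool SignIn(string login, string password)
    {
        if (!ValidateCredentials(login, password)) return false;
        FormsAuthentication.SetAuthCookie(login, false /* no persistent cookie */);
        return true;
    }
}
```

With the `Login` control, wire `DomainLogin.ValidateCredentials(Login1.UserName, Login1.Password)` into its `Authenticate` event and set `e.Authenticated` from the result; the control issues the cookie itself on success. Because this runs over Forms authentication, Jane's desktop logon plays no part: whoever types valid credentials into the page becomes `HttpContext.User`, which is exactly what Q#2 asks for, and which is why the site must then keep its own list of who is allowed in.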

Approve multiple applications with single sql membership provider

I have an asp.net application that uses the SQL membership provider. I know how to get multiple applications using the same membership provider so a user can go to multiple sites and login using the same credentials. However the requirement on my current project is that each user is given access only to certain applications. For example, the user is given credentials to access Site 1, then at some point in the future, the user needs access to Site 2 and a manager/admin has to allow the user to access Site 2. Or when the manager creates the user's account initially, he/she approves access to the 3 sites (or whatever) the user needs to access.
So my question is what is the best way to use 1 membership provider for many applications, but only allows users to access applications they're approved for (so a manager can manage access to applications, but give users 1 username and password)? I've thought about using roles, but I already use roles in the application for allowing access to certain features in the application. It seems like that would get messy.
I've read about 50 similar questions on SO but none of them addressed the application approval requirement. Thanks in advance.
The easiest straight forward method here is to use roles.
If you add more roles (one for each app) for this purpose it is no big deal. You have a basic role for each app that must be available and check this on Application_AuthenticateRequest or Application_AuthorizeRequest . There are other ways to do it, but this is the least impact, easiest to code (nothing required but a role check), and easy to follow.
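The per-application role check described in the answer, as an added example that is not part of the original post: one entry role per site, stored by the shared `SqlRoleProvider`, tested in `Application_AuthorizeRequest` before any page runs, with manager-side approve and revoke helpers that never touch the feature roles. The site and role names are placeholders; the code assumes every site's `<membership>` and `<roleManager>` providers use the same `applicationName`, which is what makes one user record and one role set visible from all of them.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using System.Web.Security;

// Global.asax code-behind. Assumes every site's <membership> and <roleManager>
// share the same applicationName, so one user record and one role set are
// visible from all sites. Site and role names are placeholders.
public class Global : HttpApplication
{
    // One entry role per site, kept apart from feature roles such as "Approver".
    private static readonly Dictionary<string, string> SiteEntryRoles =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Site1", "Access:Site1" },
            { "Site2", "Access:Site2" },
            { "Site3", "Access:Site3" },
        };

    // Which site this instance is, read from its own web.config <appSettings>.
    private static string ThisSite
    {
        get { return ConfigurationManager.AppSettings["SiteName"] ?? "Site1"; }
    }

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // Anonymous requests are left to UrlAuthorizationModule / the Forms redirect.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;

        if (IsApprovedFor(Context.User.Identity.Name, ThisSite)) return;

        // Authenticated with valid shared credentials, but not approved for this
        // application: stop the pipeline before the page executes.
        Response.StatusCode = 403;
        Response.SuppressContent = true;
        CompleteRequest();
    }

    public static bool IsApprovedFor(string userName, string site)
    {
        string role;
        return SiteEntryRoles.TryGetValue(site, out role)
            && Roles.IsUserInRole(userName, role);
    }

    // Manager/admin action: approve a user for a site without touching feature roles.
    public static void Approve(string userName, string site)
    {
        string role = SiteEntryRoles[site];
        if (!Roles.RoleExists(role)) Roles.CreateRole(role);
        if (!Roles.IsUserInRole(userName, role)) Roles.AddUserToRole(userName, role);
    }

    public static void Revoke(string userName, string site)
    {
        string role = SiteEntryRoles[site];
        if (Roles.IsUserInRole(userName, role)) Roles.RemoveUserFromRole(userName, role);
    }
}
```

Prefixing the entry roles (`Access:`) keeps them visually and programmatically separate from feature roles, which addresses the "messy" concern in the question. Note that a shared `applicationName` shares credentials, not sessions: if users should also stay signed in across the sites, the sites additionally need a common `machineKey` and a Forms cookie scoped to a shared domain.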

asp.net application with windows authentication and custom membership provider advice

I’ve been asked to upgrade a few applications and I’m planning on merging all of them into one asp.net application. I’m fine with this decision and have spoken with fellow workers and they also think it’s the best option to go with.
The application will be accessed from a small group of users which belong to a larger domain. I’m currently planning on using Windows authentication and only allow this small set of users to access the asp.net application. Also there must be some role management, so that only certain users can view certain functionality.
I really don’t want to have many different windows groups; so I want to avoid having to assign different windows groups to different folders and control permissions in the web.config.
What I’d like to do is:
- Assign one windows group to the small group of users who will access the page.
- Create a custom membership provider and control the user who accesses the application. Depending on the user I will then assign his current set of roles.
- Add an application setting to the web.config, with the name of the current administrator, so if he logs in, he will be assigned all roles, and will be able to create and assign roles to other users.
I’d appreciate some advice if this would be the correct way to go about this.
Thanks!
I would check out the AccountManagement Namespace.
I like to use this. You can create a global security group (one for each 'role'). The account management namespace will allow you to fetch the UserPrincipal from AD with their logon name from the HttpContext. Then you can check them for membership in the security groups you created using the .IsMemberOf Method.
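The group-to-role mapping the answer describes, as an added example that is not code from the original post: the caller's `DOMAIN\user` from `HttpContext.User.Identity.Name` is resolved to a `UserPrincipal`, and each application role is granted when the user `IsMemberOf` the global security group created for it. The group and role names are placeholders, and the code assumes Windows authentication and that the groups exist in the web server's own domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Assumes Windows authentication, so HttpContext.User.Identity.Name is DOMAIN\user,
// and that the application-specific groups below exist as global security groups
// in the web server's domain. Group and role names are placeholders.
public static class AdGroupRoles
{
    // Application role -> the AD security group that confers it.
    private static readonly Dictionary<string, string> RoleToGroup =
        new Dictionary<string, string>
        {
            { "Administrator", "APP-Admins" },
            { "Editor",        "APP-Editors" },
            { "Reader",        "APP-Readers" },
        };

    // Resolve the caller's application roles from direct group membership.
    public static string[] GetRoles(string logonName)
    {
        // Strip the DOMAIN\ prefix; the SAM account name is looked up in the
        // domain the web server belongs to.
        int slash = logonName.IndexOf('\\');
        string sam = slash >= 0 ? logonName.Substring(slash + 1) : logonName;

        var roles = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null) return roles.ToArray();   // unknown account: no roles
            foreach (var pair in RoleToGroup)
            {
                using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, pair.Value))
                {
                    // IsMemberOf does not expand nested groups; if roles must honour
                    // group nesting, compare against user.GetAuthorizationGroups() instead.
                    if (group != null && user.IsMemberOf(group))
                        roles.Add(pair.Key);
                }
            }
        }
        return roles.ToArray();
    }

    public static bool HasRole(string logonName, string role)
    {
        return Array.IndexOf(GetRoles(logonName), role) >= 0;
    }
}
```

Each call costs round trips to a domain controller, so cache the result per user for the session rather than calling it on every request. Wrapping `GetRoles` in a custom `RoleProvider` (overriding `GetRolesForUser` and `IsUserInRole`) lets `User.IsInRole(...)` and `<authorization>` rules in web.config use these AD-backed roles directly, which avoids the per-folder group assignments the question wants to get rid of.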

Narrowing Integrated Windows Authentication to a subset of users for an intranet ASP.Net application

Scenario: An intranet ASP.Net application using Integrated Windows Authentication and a SqlRoleProvider for authorization. The application is used by a small subset of users within the domain.
If there are only a few users within the domain that should be able to access the application, can IWA be narrowed to allow authentication for that subset of users only, say via a domain group? Is this possible or even logical? This would certainly be the case if you predefined user accounts and used forms authentication. I understand that you can manage authorization within the application but wonder if the above is possible to add some security in depth. Appreciate your thoughts.
With anonymous access disabled, you can set the NTFS permissions on the web application directory to let only specific users in.
IWA will authenticate all valid users. But you can do the following,
allocate the subset of users into a group, and use a role provider for them. Then you can allow only this group to use the application.
Or use forms authentication instead and write your own membership provider to authenticate users. Then you have all the controls and can block unwanted users.
You can also try some of the more traditional authorization techniques I outlined here:
Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?