ASP.NET Windows Authentication with Custom Roles - asp.net

If I am using Windows Authentication in an ASP.NET app, and I want to use custom roles instead of using Windows security groups as roles, do I need to write a custom Role provider? The solution needs to be able to map Windows users and groups to application specific roles.

If I understand your question - no, you don't need to use roles from Active Directory security groups as roles for your ASP.NET application. And you don't need to implement a custom Role provider. The default one simply retrieves the Roles from the ASP.NET application database.
You can simply have application-defined roles in this database, which you create with the aspnet_regsql.exe utility (in the .NET 2.0 framework folder).
Probably the greatest collection of resources/information on this topic:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx

Actually you CAN use the built-in ASP.NET security configuration web site. You have to temporarily switch to Internet Mode, then you can add users with DOMAIN\username as the username and enter some password (it won't be used once you switch back); you can then assign these to roles. Once you switch back to Windows mode these users will be used automatically.

Related

Where should I manage my ASP.NET MVC Windows authentication roles

If I use Windows authentication inside an ASP.NET MVC web project, I will not get any membership database, unlike forms-based authentication. But I can still use Roles. So I have the following questions:
Where are these roles managed, and how will I be assigning users to roles when using Windows authentication?
Are these roles managed and created only inside Active Directory? And if I want to add a user to a specific role, will I be doing this inside Active Directory?
Can anyone advise?
Edit
Now if I understand your point well, let's say that I want to restrict calling an action method to only our company administrators, where currently inside Active Directory we have a group of users named "OurCompanyAdminsitrators".
So let's say I create a new ASP.NET MVC5 web project, and I specify to use Windows authentication, then inside my action method I write the following:
[Authorize(Roles = "OurCompanyAdminsitrators")]
Will ASP.NET MVC5 recognize the OurCompnayAdministrators user group? Or do I need to do extra work for my ASP.NET MVC web project to be able to read and check against the Active Directory groups?
I think there are many ways to approach this, 2 I can think of off the top of my head:
Use Active Directory to manage your roles and add users to the Active Directory groups as required. You can then access them through the user's Identity, which you can get from the HTTP context.
Create a separate service/component to manage the security for you where you map user credentials to roles that you define yourself completely away from AD. Obviously there is more of a time investment here and you will need to duplicate some information.
We can use SimpleMembership provider. "SimpleMembership: The future of membership for ASP.NET".
http://weblogs.asp.net/jongalloway//simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates
http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.mono-software.com/blog/post/Mono/226/Adding-ASP-NET-SimpleMembership-to-an-existing-MVC-4-application/
Edit:
We can use SqlRoleProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
http://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server
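The first approach above (Active Directory groups read through the user's identity on the HTTP context) can be checked directly. The controller below is an added example, not code from the original posts: the `CONTOSO` domain prefix and the `WhoAmIController` name are assumptions, and the group name is the one from the question. It shows a group-restricted action next to a diagnostic action that lists the group names the caller's Windows token actually carries, which is what `[Authorize(Roles = ...)]` is compared against when no role provider is enabled.

```csharp
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical controller; CONTOSO is a placeholder domain name.
public class WhoAmIController : Controller
{
    // With Windows authentication and no role provider enabled, the role string
    // is resolved as a Windows group. The domain-qualified form is unambiguous.
    [Authorize(Roles = @"CONTOSO\OurCompanyAdminsitrators")]
    public ActionResult AdminOnly()
    {
        return Content("Caller is a member of the administrators group.", "text/plain");
    }

    // Diagnostic: returns only the caller's own group names, so it reveals
    // nothing about other accounts. Remove or restrict it outside of testing.
    [Authorize]
    public ActionResult Groups()
    {
        var identity = HttpContext.User.Identity as WindowsIdentity;
        if (identity == null || identity.Groups == null)
            return Content("Request is not Windows-authenticated.", "text/plain");

        var names = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                // SID -> DOMAIN\Group, the form expected in the Roles string.
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned or foreign SIDs cannot be resolved; show the raw SID.
                names.Add(sid.Value);
            }
        }
        return Content(string.Join("\n", names), "text/plain");
    }
}
```

If the expected group is missing from the list, the cause is in the token (group membership changes need a new logon), not in the MVC attribute.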

ASP.Net Membership user management from outside

I actually want to create/list/edit asp.net membership users from a page authenticating with Windows-Authentication, the website uses ASP.Net MVC4. This is the administration website for another website using the forms authentication with asp.net membership on an SQL database. So this should allow company users to administer external users.
I can't use Membership-API, because the actual context does not support the asp.net membership.
Using the stored procedures requires manually hashing the password etc and this is not recommended. Also inserting the users directly into the tables would have this problem.
So is there a working example for administering asp.net membership users from a windows forms authenticated website?
I just managed to solve this problem using a webservice to decouple Windows-Domain authentication from asp.net-Membership:
Windows Domain Website for administration uses Webservice
Webservice offers functionality to manage users of asp.net membership
Webservice access has to be restricted to local server (so only the Windows Domain website can use it) and allows anonymous access (or with a special account).
Webservice needs to be configured like an asp.net membership website and to use the same membership database as the "normal users Website"

ASP.net member security access

We are looking at enhancing our current security access model, which is basically a check if the user is logged in. We now require access control for modules and pages and possibly certain sections in the page, such as dropdown restrictions based on your role.
I'm not sure how to design but maybe a few pointers and writing the requirements here will help.
The user usually belongs to a company.
The user usually has a role within that company
The company is made up of 1 or more sub companies
The user/role can have access to some modules in the system
The user/role can have access to some or all sub companies.
A role must be completely configurable on the fly.
An interface is required to configure the access for the users and the roles.
The menu needs to be configured based on access rights
The page needs to be configured based on access rights
We are using asp.net 2.0 at the moment but could possibly upgrade.
So based on that I think we need
User, Group, Role ( but roles need to be configurable) and Modules
A role for one organisation may have same name but have access to completely different Modules.
I am not sure asp.net membership is suitable so would like some opinions, as it seems that access to pages is all hardcoded in config etc?
Yes, you can use ASP.Net Membership Provider for what you have stated.
As you said you are using ASP.Net 2.0, you cannot use the new ASP.NET Universal Providers, which are based on Entity Framework.
However, Membership Provider was introduced in ASP.Net 2.0. So you can still use the old version, which uses aspnet_regsql.exe to create tables with the correct schema.
Here is the link for step-by-step instruction -
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
Please note that you cannot migrate from old ASP.Net 2.0 Membership to new Universal Providers.

Windows authentication and custom roles for a list of users

I have an ASP.NET MVC3 web application. I use Windows Authentication. I need to achieve the following:
create an admin Role
add specific user to admin Role.
create a database table to map users to their role to allow the application to check access permissions
The third point is the most important point. How do I do that?
If you want to use the default Membership and Role Provider please refer to this msdn article on how to create an intranet application with asp.net mvc 3. But if you want to implement your own membership and role provider I recommend using this library.
Just insert in the web.config the call to the membershipRoleProvider.
Then for implementing the roles just call AddRole, while to check if a user is in a role just call IsUserInRole.
You can find samples and documentation here and here
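For the case raised in both this question and the first one on this page (mapping Windows users and Windows groups to application-specific roles from the application's own table), a custom role provider can be small. The class below is an added example, not the library the answer refers to and not part of ASP.NET: `WindowsMappedRoleProvider`, the `CONTOSO` accounts and the in-memory map are assumptions standing in for a real mapping table, and the provider still has to be registered under `<roleManager>` in web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical read-only provider: maps Windows users AND groups to application roles.
public class WindowsMappedRoleProvider : RoleProvider
{
    // Constructed sample data; load this from the application's own mapping table.
    static readonly Dictionary<string, string[]> Map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\jsmith",   new[] { "Admin" } },    // a single user
            { @"CONTOSO\Helpdesk", new[] { "Support" } },  // a Windows group
        };

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        var ctx = HttpContext.Current;
        var win = (ctx == null || ctx.User == null) ? null : ctx.User.Identity as WindowsIdentity;
        // Group membership is only known for the caller's own token.
        var caller = (win != null && Map.Comparer.Equals(win.Name, username))
            ? new WindowsPrincipal(win) : null;
        return Map.Where(m => Map.Comparer.Equals(m.Key, username)
                           || (caller != null && caller.IsInRole(m.Key)))
                  .SelectMany(m => m.Value)
                  .Distinct(StringComparer.OrdinalIgnoreCase).ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return Map.Values.SelectMany(r => r).Distinct().ToArray(); }
    public override bool RoleExists(string roleName) { return GetAllRoles().Contains(roleName); }

    // Role assignments live in the mapping table, so the write API is deliberately closed.
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string m) { throw new NotSupportedException(); }
}
```

An account that matches no entry gets an empty role list, so access is denied by default rather than falling back to Windows group names.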

Is it possible to have both Forms Authentication and Windows Authentication in an ASP.NET site?

I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would setup the site to use webforms. I would then setup a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the windows auth site after you validate their credentials I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites, this might also include needing to setup the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solution.
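The hand-off described in this answer, as an added example that is not part of the original post: a login page inside the Windows-authenticated virtual application checks the caller's group and then issues a Forms Authentication ticket for the main site. The `WindowsLogin` class name, the `CONTOSO\SiteAdmins` group and the `/admin/` return path are assumptions; as the answer notes, both applications need the same forms cookie settings and machine keys for the ticket to be accepted.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical code-behind for the login page of the Windows-authenticated application.
public class WindowsLogin : System.Web.UI.Page
{
    const string AdminGroup = @"CONTOSO\SiteAdmins"; // placeholder AD group
    const string ReturnUrl = "/admin/";              // fixed target, never taken from the query string

    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS has already authenticated the caller; only the group check is left.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || !User.IsInRole(AdminGroup))
            throw new HttpException(403, "Forbidden");

        // Short-lived, non-persistent ticket. The user data marks how the user signed in.
        var ticket = new FormsAuthenticationTicket(
            1, identity.Name, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, "windows-admin", FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with this application's machineKey, so the
        // Forms Authentication site must be configured with the same keys.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,  // not readable from script
            Secure = true,    // sent over HTTPS only
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);
        Response.Redirect(ReturnUrl, false);
    }
}
```

Sharing machine keys means either application can mint tickets the other trusts, so the Windows-authenticated application should be locked down at least as tightly as the site it signs users into.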
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application - by right-clicking on the folder in IIS manager and choosing convert to application.
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).
