ASP.NET Membership - Which user is authenticated and which user is impersonated? - asp.net

I'm a little confused while trying to find out how ActiveDirectory and ASP.NET Membership work... I've created a new MVC project and removed the AccountController / Views. I've changed the Web.Config so that it uses ActiveDirectory and automatically authenticates users based on their current Windows login:
Web.Config
<authentication mode="Windows">
<forms
name=".ADAuthCookie"
timeout="10" />
</authentication>
<membership defaultProvider="MyADMembershipProvider">
<providers>
<clear/>
<add
name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="MYDOMAIN\myuser"
connectionPassword="xxx"
/>
</providers>
</membership>
This works nicely, as I can get the user's username like this:
User.Identity.Name 'Gives MYDOMAIN\myuser
Looking at the following actually makes me confused:
Threading.Thread.CurrentPrincipal.Identity.Name 'Gives MYDOMAIN\myuser
1. Shouldn't the thread identity be IUSR_WORKSTATION or ASPNET_WP username?
2. What's the difference between Authentication and Impersonation?

myuser is the authenticated user on that application, that's why your CurrentPrincipal is giving you MYDOMAIN\myuser. The application impersonates IUSR_WORKSTATION when it uses resources like the database, and that is a completely different issue.
If you go to Project on your toolbar, and select ASP.NET Configuration, it will open a website that lets you access these settings and create users, roles etc.
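The following is an added example, not code from the original question or answer: an MVC action that makes the two things visible side by side. The *authenticated* principal is what ASP.NET attached to the request (HttpContext.User, copied onto Thread.CurrentPrincipal), while *impersonation* decides which Windows token the worker thread actually executes with; without `<identity impersonate="true"/>` that token is the worker-process account, not the caller. The controller name and the explicit `Impersonate()` block are assumptions; it needs `<authentication mode="Windows">` with anonymous access disabled in IIS.

```csharp
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Mvc;

// Added example: dumps "who is authenticated" versus "who the thread runs as".
public class WhoAmIController : Controller
{
    [Authorize]   // reject anonymous callers outright; with Windows auth User is a WindowsPrincipal
    public ContentResult Index()
    {
        var sb = new StringBuilder();

        // 1. Authentication: who ASP.NET decided the caller is, based on the
        //    token IIS negotiated (Kerberos/NTLM). This is what [Authorize],
        //    User.IsInRole and your own checks are evaluated against.
        sb.AppendLine("HttpContext.User.Identity.Name        = " + User.Identity.Name);
        sb.AppendLine("  AuthenticationType                  = " + User.Identity.AuthenticationType);
        sb.AppendLine("  IsAuthenticated                     = " + User.Identity.IsAuthenticated);

        // ASP.NET assigns HttpContext.User to Thread.CurrentPrincipal at the
        // start of the request, so the two normally agree.
        sb.AppendLine("Thread.CurrentPrincipal.Identity.Name = " + Thread.CurrentPrincipal.Identity.Name);

        // 2. Impersonation: the Windows token this thread executes with. Without
        //    <identity impersonate="true"/> this is the worker-process identity
        //    (the app-pool account, NETWORK SERVICE, or ASPNET on IIS 5), and it
        //    is what file ACLs, integrated-security SQL logins and LDAP see.
        sb.AppendLine("WindowsIdentity.GetCurrent().Name     = " + WindowsIdentity.GetCurrent().Name);

        // Scoped impersonation: only inside this block do resource calls run as
        // the caller. Caveat: without Kerberos delegation the impersonated token
        // normally cannot hop to a second machine (the "double hop" problem).
        var winId = User.Identity as WindowsIdentity;
        if (winId != null)
        {
            using (winId.Impersonate())
            {
                sb.AppendLine("inside Impersonate(): GetCurrent()    = " + WindowsIdentity.GetCurrent().Name);
            }
            sb.AppendLine("after Impersonate():  GetCurrent()    = " + WindowsIdentity.GetCurrent().Name);
        }

        return Content(sb.ToString(), "text/plain");
    }
}
```

Browse to /WhoAmI: the first three names show the authenticated domain user, GetCurrent() shows the worker-process account, and only the line printed inside the `using` block shows the caller again. That is the difference between authentication and impersonation in one screen.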

Related

ldap Novell authentication in asp .net

I'm trying to develop a web application with Novell LDAP authentication.
I have added the Login control to my login.aspx form and I have configured the web.config in this way:
<connectionStrings>
<add connectionString="LDAP://10.0.0.100:389/cn=admin,o=pippo" name="myConnectionString"/>
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
</authentication>
<membership defaultProvider="MyADMembershipProvider"> <!-- must match the provider name registered below -->
<providers>
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="myConnectionString"
port="389"
useSSL="false"
connectionProtection="None"
connectionUsername="cn=admin,o=pippo"
connectionPassword="admin"
enableSearchMethods="true"
/>
</providers>
</membership>
But when I click on login button i receive this error:
"This provider can target only Active Directory and ADAM directories."
I noticed that if I enter a wrong password the error message changes to:
"Logon failure: unknown user name or bad password". So I think that in some way the application is connected to the LDAP server and communicates with it.
Now the questions...
Which kind of provider must I choose? Or how can I set up the ActiveDirectoryMembershipProvider in order to log in against Novell LDAP?
In other words, how can I develop LDAP authentication code to look up the user in Novell's LDAP?
Thanks to all in advance
Regards
You will need to create a custom membership provider. There's an example here:
http://forums.asp.net/t/970391.aspx/1
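As an added example (not from the thread above or the linked forum post), this is the core a custom provider needs for eDirectory: the `ValidateUser` override of your `MembershipProvider` subclass would just `return LdapAuthenticator.Validate(username, password)`. It uses System.DirectoryServices.Protocols, searches for the user with a read-only service account, and then proves the password with a bind *as that user*. The host, base DN and service-account DN are assumptions taken from the question's config, `inetOrgPerson`/`cn` are assumed to be how eDirectory exposes users, and it uses LDAPS on 636 because a simple bind on 389 with `connectionProtection="None"` sends every password in clear.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example: search-then-bind authentication against an LDAP directory.
public static class LdapAuthenticator
{
    const string Host            = "10.0.0.100";       // assumption: from the question
    const int    Port            = 636;                // LDAPS; never simple-bind over plain 389
    const string BaseDn          = "o=pippo";          // assumption: search base
    const string ServiceDn       = "cn=admin,o=pippo"; // assumption: read-only lookup account
    const string ServicePassword = "admin";            // real code: read from a protected config section

    static LdapConnection Connect(string bindDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, Port));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;   // TLS from the first byte (set VerifyServerCertificate for private CAs)
        conn.AuthType = AuthType.Basic;                 // simple bind: acceptable only because it is under TLS
        conn.Credential = new NetworkCredential(bindDn, password);
        conn.Bind();                                    // throws LdapException (resultCode 49) on bad credentials
        return conn;
    }

    // RFC 4515 escaping. Interpolating a raw username into the filter is an
    // LDAP-injection hole: "*)(objectClass=*" would match every entry.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static bool Validate(string username, string password)
    {
        // An empty password turns a simple bind into an *anonymous* bind that
        // most servers accept: refuse it before touching the wire.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        string userDn;
        using (var svc = Connect(ServiceDn, ServicePassword))
        {
            var req = new SearchRequest(BaseDn,
                "(&(objectClass=inetOrgPerson)(cn=" + EscapeFilter(username) + "))",
                SearchScope.Subtree, "1.1");            // "1.1": return no attributes, only the DN
            var resp = (SearchResponse)svc.SendRequest(req);
            if (resp.Entries.Count != 1) return false;  // unknown or ambiguous: same answer as a bad password
            userDn = resp.Entries[0].DistinguishedName;
        }

        try
        {
            using (Connect(userDn, password)) { return true; }   // the bind itself is the password check
        }
        catch (LdapException)
        {
            return false;   // invalidCredentials, disabled account, etc.: one generic failure
        }
    }
}

public static class Program
{
    // Usage: ldapcheck <cn> <password>; exit code 0 means the credentials are valid.
    public static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: ldapcheck <cn> <password>"); return 2; }
        return LdapAuthenticator.Validate(args[0], args[1]) ? 0 : 1;
    }
}
```

The two-step shape matters: the service account only ever reads, the user's own password is only ever used to bind as the user, and every failure (no such user, two matches, bad password, disabled account) collapses into the same `false` so the login page cannot be used to enumerate accounts.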

How can I build a basic logon page using ASP.NET 4.0 with Active Directory?

I am trying to build a very basic website using ASP.NET to allow users access the private information by logging into the company Active Directory. Any help is really appreciated.
You will want to set up configuration in the web.config file to tell the ASP.Net app to use forms authentication:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" cookieless="UseCookies" />
</authentication>
Then you will need to create a membership provider that will connect to AD for authentication. Fortunately Microsoft has provided an AD membership provider out of the box, so you can use that. If you set it as the defaultProvider, ASP.Net will automatically use it for authentication.
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="<domainName>\administrator"
connectionPassword="password"/>
</providers>
</membership>
Finally, you will need to set up a connection string to connect to your domain controller:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://myCompany.com/DC=myCompany,DC=com"/> <!-- name must match connectionStringName in the provider -->
</connectionStrings>
Look here for a good reference with more details.
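As an added example (not part of the answer above), this is the code-behind for the Login.aspx page the configuration points at. The control IDs (`UserName`, `Password`, `FailureText`) are assumptions. Nothing in the page talks to the directory itself: `Membership.ValidateUser` goes to whichever provider is the `defaultProvider`, here the AD one.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Added example: minimal forms-auth login page backed by the configured provider.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        string pass = Password.Text;

        // Empty input would otherwise reach the provider; fail fast instead.
        if (user.Length == 0 || pass.Length == 0)
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // The AD provider binds to the domain controller with these credentials.
        // Unknown user, wrong password, disabled or locked-out account all come
        // back as plain false; surface one generic message so the page cannot be
        // used to enumerate accounts.
        if (Membership.ValidateUser(user, pass))
        {
            // Issues the forms ticket and follows ReturnUrl. With the default
            // enableCrossAppRedirects="false" a ReturnUrl outside this application
            // is replaced by defaultUrl, which blocks open-redirect abuse of the login page.
            FormsAuthentication.RedirectFromLoginPage(user, createPersistentCookie: false);
        }
        else
        {
            FailureText.Text = "Invalid user name or password.";
        }
    }
}
```

Pair this with `requireSSL="true"` on the `<forms>` element so the ticket cookie is never sent over plain HTTP, and keep `createPersistentCookie` false for an intranet app that relies on AD account state.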

ASP.NET role based security with AzMan and AD roles

I'm trying to evaluate AzMan for one of my ASP.NET applications but I have a strange problem. My test application expects three roles:
User
Owner
Admin
I created an XML authorization store located in the application's App_Data and added these role definitions. I configured my test ASP.NET application to use AuthorizationStoreRoleProvider and added some test code which uses Principal.IsInRole and PrincipalPermission. Everything worked well on my local computer with local accounts assigned to roles in AzMan.
Then I moved my test application to the server and assigned Active Directory users and groups to AzMan's roles. Now PrincipalPermission and Principal.IsInRole don't work any more. Interestingly, if I assign the builtin Everyone group to any role it works, so there is some problem with AD users and groups assigned to roles. Can I use the XML authorization store with AD groups and users? What else can cause such problems?
Check the security settings on your asp.net application.
It sounds like anonymous authentication is on, so your users are coming in as anonymous users, not themselves, which is why it works for the Everyone group.
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider" createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear/>
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>

ASP.NET Login Control with Active Directory Membership Provider

I have setup a basic application which uses the ActiveDirectoryMembershipProvider to talk to our AD and authenticate users. It's a simple login page with the control which redirects me to a simple output of who is logged in and associated ticket information, this works great and when I test it on my development machine it just works.
However if I deploy this to the webserver under a virtual directory, it simply refuses to redirect or even acknowledge that their ticket is a valid ticket; it just refreshes back to the login page. If I type in rubbish credentials it actually recognises this and tells me there's an error, but if I log in successfully it just refreshes the page. When I manually go to the information page it treats me as an unauthenticated user!
This is most puzzling! Any help would be greatly appreciated!
Thanks
Jon
As requested a section of the Web.config
<connectionStrings>
<add name="ActiveDirectory" connectionString="LDAP://x.x.x.117:389/OU=Users,DC=BC,DC=Local"/>
</connectionStrings>
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectory" connectionUsername="xxxxxx" connectionPassword="xxxxxxx" attributeMapUsername="sAMAccountName" applicationName="/"/>
</providers>
</membership>
Have you turned on impersonation in the web.config file? I believe there are some issues around the membership provider that need impersonation to work properly.
<forms slidingExpiration="true" path="/Search" name=".ADAuthCookie" timeout="10"/>
It was also helpful to include a 'path' attribute!!!!
Jon

ASP.NET Membership - Which RoleProvider to use so User.IsInRole() checks ActiveDirectory Groups?

Very simple question actually:
I currently have IIS anonymous access disabled, users are automatically logged on using their Windows login. However calling User.IsInRole("Role name") returns false. I double-checked User.Identity.Name() and the "Role name" and it should return true.
I currently have this in my Web.Config:
UPDATE
I was calling User.IsInRole("Role name") where I should call User.IsInRole("DOMAIN\Role name")
However I still like to know if the <membership> entry is needed at all?
What should I change? (and is the <membership> entry needed at all?)
<authentication mode="Windows">
<forms
name=".ADAuthCookie"
timeout="10" />
</authentication>
<membership defaultProvider="ADMembershipProvider">
<providers>
<clear/>
<add
name="ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="XXX\specialAdUser"
connectionPassword="xx"
/>
</providers>
</membership>
<roleManager enabled="true" defaultProvider="WindowsProvider">
<providers>
<clear />
<add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
If you use Windows authentication IsInRole will work with no extra configuration, as long as you remember to prefix the role with the domain, i.e. DOMAIN\groupName.
In addition you can role (pun intended) your own and use Windows auth against, for example, a SQL Role Provider, where you don't want your AD littered with custom roles for your application.
So no, you don't need the provider configuration at all.
The membership provider here isn't going to help. The ActiveDirectoryMembershipProvider seems to best (only?) fit with Forms authentication.
BlogEngine.NET has an Active Directory role provider.
Pretty sure the only thing you need in there is the roleManager group (along with the base authentication mode='windows' setting)
Out of the box, there's no role provider to use Active Directory directly. You can use the role table in the ASP.NET membership- and role-system, or you can use Authorization Manager (AzMan).
There's an article on CodeProject which shows the implementation of a role provider which works against the Active Directory - with full source code. Maybe this helps?
Marc
