Re: NT based roles using forms authentication

From: Sharat Koya (Koya_at_discussions.microsoft.com)
Date: 08/13/04


Date: Fri, 13 Aug 2004 11:37:03 -0700

The reason I am using this method is that it allows users to be logged in on
a secure locked down account whilst allowing them the option to log in as
themselves and change between users without logging off the account. Is
there a way of preserving this idea without implementing database stored
roles?

thanks

"Scott Allen" wrote:

> Hi Sharat:
>
> I'm not sure what the requirements are for your application, but I'm
> thinking you could save yourself a good deal of code if you let
> Windows manage the authentication and impersonation with a web.config
> along the lines of:
>
> <system.web>
> <authentication mode="Windows"/>
> <identity impersonate="true"/>
> <authorization>
> <deny users="?"/>
> <allow users="*"/>
> </authorization>
> </system.web>
>
> This will avoid you having to use LogonUser in your code. If you do go
> this way - you need to use the token given out by LogonUser to do the
> impersonation, and pass the token to CloseHandle for proper cleanup
> afterwards.
>
> --
> Scott
> http://www.OdeToCode.com
>
>
> On 13 Aug 2004 08:12:33 -0700, sharat.koya@addenbrookes.nhs.uk (Sharat
> Koya) wrote:
>
> >Please can you help with a problem I am having.
> >
> >My web config is set to...
> ><authorization><deny users="?"/>
> ><authentication mode="Forms">
> ><forms name=".COOKIE" loginUrl="login.aspx" protection="All"
> >timeout="5" path="/"/>
> ></authentication>
> ><identity impersonate="true"/>
> >
> >login.aspx uses advapi32.dll to create the token and authenticate the
> >user
> >using the code..
> >if(LogonUser(TextBoxUsername.Text,
> > "HILLSRD",
> > TextBoxPassword.Text,
> > LOGON32_LOGON_INTERACTIVE,
> > LOGON32_PROVIDER_DEFAULT,
> > ref token) != 0)
> > {
> >
> > FormsAuthentication.RedirectFromLoginPage(TextBoxUsername.Text,
> >CBoxRememberMe.Checked);
> >
> > }
> >
> >But when I want to enable NT group security and go to access
> >User.IsInRole, it always returns false. I dug a little deeper by
> >live debugging and found that the m_roles array is always empty. What am I
> >doing wrong - why aren't the roles available that are on the domain?
> >
> >
> >many thanks for any help on this.
> >
> >Sharat Koya
>
>
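
The LogonUser token handling described in the reply above (impersonate with the token, then pass it to CloseHandle), as an added example that is not code from either poster. It assumes .NET Framework 3.5 or later; the `NtLogon` class, the `RunAs` helper and the group name are hypothetical. The group check is made on a WindowsPrincipal built from the token, not on the forms-authentication principal.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: class, method and parameter names are hypothetical.
public static class NtLogon
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Validates the credentials, runs 'work' as that user, and returns whether
    // the account is in 'group' (e.g. @"HILLSRD\SomeGroup", a placeholder name).
    public static bool RunAs(string user, string domain, string password,
                             string group, Action work)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so closing ours below is safe.
            using (WindowsIdentity id = new WindowsIdentity(token))
            {
                bool inGroup = new WindowsPrincipal(id).IsInRole(group);
                using (WindowsImpersonationContext ctx = id.Impersonate())
                {
                    work();   // executes under the logged-on user's identity
                }             // Dispose() reverts to the previous identity
                return inGroup;
            }
        }
        finally
        {
            CloseHandle(token);   // always release the handle LogonUser returned
        }
    }
}
```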


