Re: Windows Integrated Security - Restricting Users Without Groups




Patrick, thanks for your reply.

Through investigation, I have discovered that you don't need impersonation to
check the group membership. What I was missing was the domain name
DOMAINNAME\GroupName

The only caveat here is that if you change the groups the user needs to log
off and on again to make the changes effective. Using the Windows security
permissions principal has no real value in my case, and impersonation
carries additional overhead not to mention the extra risk of failure of the
application when those permissions are not taken into account.

--
Best Regards

The Inimitable Mr Newbie º¿º



"Patrick.O.Ige" <naijacoder@xxxxxxxxxxxx> wrote in message
news:O7ihazH%23FHA.740@xxxxxxxxxxxxxxxxxxxxxxx
> Mr NewBie..
> I blogged something very similar at:-
> http://spaces.msn.com/members/naijacoder
> Just look for :-How to configure and implement a Role based Windows
> Authentication
> Hope that helps
> Patrick
>
>
> "Mr Newbie" <here@xxxxxxx> wrote in message
> news:uPNOLRE#FHA.360@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi Kevin,
>>
>> Thanks for your reply. I have managed to restrict access to roles by using
>> the following in the Authentication Event in global.asax. I have hard coded
>> it just for test purposes, but I can then add the allow
>> roles="Administrator" into the web.config and this works.
>>
>> However, in my testing, I can't seem to get User.IsInRole("GroupName") to
>> work; it seems that the Windows group membership does not correlate to this
>> function (at least I can't get it to work). Do you know where these groups
>> need to be (local machine, domain, universal group, etc.)? And do you
>> have to go get the memberships etc. from those groups?
>>
>> Cheers - Mr N
>>
>> If Request.IsAuthenticated Then
>>
>>     Dim rl As System.Collections.ArrayList
>>     rl = DataAccess.getUserRoles(User.Identity.Name)
>>
>>     'Convert the roleList ArrayList to a String array
>>     Dim roleListArray As String() = {"Administrator"}
>>     'CType(rl.ToArray(GetType(String)), String())
>>
>>     'Add the roles to the User Principal
>>     HttpContext.Current.User = _
>>         New System.Security.Principal.GenericPrincipal(User.Identity, roleListArray)
>>
>> End If
>>
>>
>> --
>> Best Regards
>>
>> The Inimitable Mr Newbie º¿º
>> "Kevin Spencer" <kevin@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:u$2ap9C%23FHA.2324@xxxxxxxxxxxxxxxxxxxxxxx
>> > Hi Mr. N,
>> >
>> > It's not clear from your post whether or not it is a requirement that your
>> > users are in fact, Active Directory user accounts, or whether, perhaps,
>> > they could be some other form of "user."
>> >
>> > That is, if the requirement is that they are Active Directory users, and
>> > you have access to Active Directory via System.DirectoryServices and LDAP
>> > (read only at least), you can create a separate database with an entry for
>> > each user. Then you can manage the permissions that each user has via this
>> > database, which would be entirely separate from Active Directory, other
>> > than the user account name being in Active Directory, and the web
>> > requiring an Active Directory login to access (disallow anonymous access,
>> > in other words). If this is the case, all Active Directory user accounts
>> > would have to have permission to log in to the web site (so that your
>> > ASP.Net app could authenticate them via your database), and your app would
>> > handle allowing access to different resources, or even all resources.
>> >
>> > If, on the other hand, you can neither grant all domain users access to
>> > the web, or you can't get read access to the Active Directory, you could
>> > allow anonymous access, employ a web login (via a web page), and use a
>> > database to manage the permissions in much the same way as described
>> > above.
>> >
>> > --
>> > HTH,
>> >
>> > Kevin Spencer
>> > Microsoft MVP
>> > .Net Developer
>> > You can lead a fish to a bicycle,
>> > but you can't make it stink.
>> >
>> > "Mr Newbie" <here@xxxxxxx> wrote in message
>> > news:%23JJTRa$9FHA.2320@xxxxxxxxxxxxxxxxxxxxxxx
>> >> Hi,
>> >>
>> >> I'm in a situation where I need to restrict users, but I don't have access
>> >> or won't be allowed access to manage groups in the domain. How can I
>> >> restrict access in this case?
>> >>
>> >>
>> >>
>> >> --
>> >> Best Regards
>> >>
>> >> The Inimitable Mr Newbie º¿º
>> >>
>> >
>> >
>>
>>
>
>
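
An added example, not part of the thread and not any poster's code, in VB.NET like the quoted snippet: it lists the group names carried in a Windows identity's logon token and checks membership using the DOMAINNAME\GroupName form the top post reports. The helper names and the group "WebAdmins" are placeholders chosen for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

Module GroupCheckExample

    ' Prefix an unqualified group name with a domain (or machine) name,
    ' giving the DOMAINNAME\GroupName form described in the post.
    Function QualifyGroupName(groupName As String, defaultDomain As String) As String
        If groupName.Contains("\") Then Return groupName
        Return defaultDomain & "\" & groupName
    End Function

    ' Names of the groups in the identity's logon token, as DOMAIN\Name where
    ' the SID can be resolved. The token is built at logon, so membership
    ' changes made afterwards do not appear until the user logs on again.
    Function TokenGroupNames(identity As WindowsIdentity) As List(Of String)
        Dim names As New List(Of String)
        If identity.Groups Is Nothing Then Return names
        ' forceSuccess:=False leaves unresolvable SIDs untranslated instead of throwing.
        For Each ref As IdentityReference In identity.Groups.Translate(GetType(NTAccount), False)
            names.Add(ref.Value)
        Next
        Return names
    End Function

    ' Membership test against the token, always using a qualified name.
    Function IsMemberOf(identity As WindowsIdentity, groupName As String, defaultDomain As String) As Boolean
        Dim principal As New WindowsPrincipal(identity)
        Return principal.IsInRole(QualifyGroupName(groupName, defaultDomain))
    End Function

    Sub Main()
        ' In ASP.NET with Windows authentication the identity would instead be
        ' CType(HttpContext.Current.User.Identity, WindowsIdentity).
        Using identity As WindowsIdentity = WindowsIdentity.GetCurrent()
            For Each name As String In TokenGroupNames(identity)
                Console.WriteLine(name)
            Next
            ' "WebAdmins" is a placeholder group name (assumption).
            Console.WriteLine(IsMemberOf(identity, "WebAdmins", Environment.UserDomainName))
        End Using
    End Sub

End Module
```

Printing the token's group names first shows the exact strings a role check can match, which makes a missing domain prefix or a stale logon token easy to spot.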

