RE: ActiveDirectory and user page Access

Hi Alex,

Thanks for your replies.

ASP.NET has three role management providers:
1. SqlRoleProvider
2. WindowsTokenRoleProvider
3. AuthorizationStoreRoleProvider

Your questions have covered two of them: WindowsTokenRoleProvider and
AuthorizationStoreRoleProvider. Here are their detailed explanations:
WindowsTokenRoleProvider:
This is a read-only provider that retrieves role information for a Windows
user account based on the account's Windows security group membership. You
cannot create, add to, or delete roles with this provider.
http://msdn.microsoft.com/en-us/library/system.web.security.windowstokenroleprovider.aspx

AuthorizationStoreRoleProvider: (The one you mentioned in your link)
This is used if your application uses Authorization Manager (AzMan). It
uses an AzMan policy store in an XML file, in Active Directory, or in
Active Directory Application Mode (ADAM) as its role store. It is typically
used in an intranet or extranet scenario where Windows authentication and
Active Directory are used for authentication.
http://msdn.microsoft.com/en-us/library/system.web.security.authorizationstoreroleprovider.aspx

In my opinion, WindowsTokenRoleProvider has a big limitation: it is
read-only and you cannot add or modify roles. It actually uses AD user
groups as roles.
AuthorizationStoreRoleProvider requires additional components to be
installed, and its benefit is that it groups operations into tasks and
assigns tasks to different roles.

SqlRoleProvider is the most commonly used role provider, and it can work
together with both the SQL and AD membership providers.

Choose the one which best meets your business requirements. Can you tell us
your business scenario so that we can provide you with suggestions on that?

Another one is the Web site admin tool. This tool uses the membership
provider and role manager provider in the web.config file. That is to say,
there is no restriction that you must use the SQL membership provider. You
can also use the AD membership provider; however, like
WindowsTokenRoleProvider, it is read-only and you cannot add or modify
users. You can only add or modify AD users from outside.

In order to figure out your requirements, can you answer the following three
questions for us?
1. What authentication method are you using? Forms or Windows?
2. Where do the users and roles come from? AD or user-defined?
3. What operations do you want to control by role?

If anything is unclear, please let us know. Have a nice day.

Regards,
Hongye Sun (hongyes@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
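
A web.config sketch for the Windows authentication plus WindowsTokenRoleProvider case described in the reply above, added here as an illustration and not part of the original post. The domain CONTOSO, the group WebAdmins and the Admin folder are placeholder assumptions; AspNetWindowsTokenRoleProvider is the provider name registered by default in machine.config.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; ASP.NET receives the Windows token. -->
    <authentication mode="Windows" />

    <!-- Read-only role source: roles are the account's Windows/AD groups.
         Group membership is changed in AD, not through the Roles API. -->
    <roleManager enabled="true"
                 defaultProvider="AspNetWindowsTokenRoleProvider" />

    <!-- Site-wide baseline: reject anonymous requests. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder page access: rules are evaluated top-down and the first
       match wins, so the explicit allow must precede the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Placeholder AD group, written as DOMAIN\Group. -->
        <allow roles="CONTOSO\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Without the trailing deny for the Admin folder, any authenticated user who is not in the group would fall through to the default allow rule inherited from machine.config.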
