RE: ActiveDirectory and user page Access



Hi Alex,

Thanks for your reply.

Now I have understood your scenario. In my opinion, the easiest way is
to use WindowsTokenRoleProvider, since you are going to use AD memberships
and roles (like Domain\Administrators). However, that provider targets
Windows Integrated Authentication instead of Forms. Is it possible for you
to change the authentication type to Windows?

If Forms authentication is a must, only AuthorizationStoreRoleProvider
among those three providers works for this scenario. According to
http://msdn.microsoft.com/en-us/library/aa478950.aspx:
"the fact that GetClientContext abstracts the authentication type means
that AuthorizationStoreRoleProvider works equally well with Windows
authentication and forms authentication."

The basic idea of AuthorizationStoreRoleProvider is that it connects the
ASP.NET role manager with the Authorization Manager (AzMan) tool, which is
included in the W2k03 Administration Tools Pack. AzMan gets role information
from an AzMan policy store, which can be an XML file, Active Directory or
ADAM. Apparently, we should configure it from AD in this case.

To do this job, please follow the steps below:
1. Install AzMan
Please follow the link you mentioned before:
http://msdn.microsoft.com/en-us/library/ms998336.aspx#paght000019_rtf%20formatting_step1
to install the Windows updates or download the Windows Server 2003
Administration Tools Pack.

2. Create an authorization store
Follow this link: http://technet.microsoft.com/en-us/library/cc737065.aspx
Create an authorization store in Active Directory.

3. Configure ActiveDirectoryMembershipProvider and
AuthorizationStoreRoleProvider in web.config file
-----------------------
<connectionStrings>
  <!-- Directory used by the membership provider to validate users -->
  <add name="ADConnectionString"
       connectionString="LDAP://server/DC=domain,DC=com"/>
  <!-- AzMan authorization store created in step 2 -->
  <add name="AzManPolicyStoreConnectionString"
       connectionString="LDAP://server/CN=UserStore,DC=domain,DC=com"/>
</connectionStrings>

<system.web>

  <membership defaultProvider="MembershipADProvider">
    <providers>
      <add name="MembershipADProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider"
           connectionStringName="ADConnectionString"
           connectionUsername="username"
           connectionPassword="password"/>
    </providers>
  </membership>

  <roleManager
      enabled="true"
      cacheRolesInCookie="true"
      defaultProvider="ActiveDirectory"
      cookieName=".ASPXROLES"
      cookiePath="/"
      cookieTimeout="30"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      createPersistentCookie="false"
      cookieProtection="All">

    <providers>
      <!-- Role lookups go to the AzMan store, not to AD group membership -->
      <add name="ActiveDirectory"
           type="System.Web.Security.AuthorizationStoreRoleProvider"
           connectionStringName="AzManPolicyStoreConnectionString"
      />
    </providers>

  </roleManager>

  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name="MyCookie"
           requireSSL="false"
           defaultUrl="Default2.aspx"
    />
  </authentication>

  <authorization>
    <allow roles="MyUsers" />
    <deny users="?"/>
  </authorization>
</system.web>
-----------------------

4. Configure role authorization in web.config
A typical use for roles is to establish rules that allow or deny access to
pages or folders. You can set up such access rules in the <authorization>
section of the Web.config file. The following example allows users in the
role of members to view pages in the folder named memberPages and denies
access to anyone else.
-----------------------
<configuration>
  <location path="memberPages">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- other configuration settings here -->
</configuration>
-----------------------

5. Use the Role API
If you want to manage roles in code, please use these APIs:
Roles.IsUserInRole("roleName")
Roles.GetRolesForUser()
Roles.IsUserInRole("username", "roleName")

Please have a try and let me know if it works. Thanks.

Regards,
Hongye Sun (hongyes@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
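An added example, not from the post above, showing how the pieces it describes fit together in code-behind: Membership.ValidateUser drives the ActiveDirectoryMembershipProvider from the Login.aspx page named in the forms element, and the three Roles calls listed in step 5 are answered by the AuthorizationStoreRoleProvider. It assumes the web.config from step 3 is in place; the control names (UserNameBox, PasswordBox, Message, AdminPanel, RoleList) and the MemberPage class are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for Login.aspx, the loginUrl configured in <forms>.
// UserNameBox, PasswordBox and Message are assumed controls in the markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // ValidateUser goes to the default membership provider, which here is
        // ActiveDirectoryMembershipProvider bound to ADConnectionString.
        if (Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // Issue the "MyCookie" forms ticket and return to the page that was
            // originally requested (or defaultUrl). The second argument keeps
            // the ticket a session cookie, matching createPersistentCookie="false".
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        }
        else
        {
            // Same message for a wrong password and an unknown account, so the
            // login form does not reveal which accounts exist.
            Message.Text = "Invalid user name or password.";
        }
    }
}

// Code-behind for a hypothetical page under memberPages/. The <location>
// rule in step 4 already rejects non-Manager users before this code runs;
// the calls below are for decisions inside the page.
public partial class MemberPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Roles.IsUserInRole(role) asks the AuthorizationStoreRoleProvider
        // about the current user. With cacheRolesInCookie="true" the answer
        // can come from the .ASPXROLES cookie instead of a fresh AzMan query.
        bool isManager = Roles.IsUserInRole("Manager");
        AdminPanel.Visible = isManager;

        // Every role the AzMan store grants the current user.
        string[] roles = Roles.GetRolesForUser();
        RoleList.Text = string.Join(", ", roles);

        // The two-argument overload checks a named account; here it is the
        // same user, so it must agree with the one-argument call above.
        bool sameAnswer =
            Roles.IsUserInRole(User.Identity.Name, "Manager") == isManager;
        Trace.Write("RoleCheck", "one- and two-argument overloads agree: " + sameAnswer);
    }

    protected void SignOut_Click(object sender, EventArgs e)
    {
        // Remove the cached role cookie as well as the forms ticket, so a
        // later sign-in on this browser cannot reuse stale role membership.
        Roles.DeleteCookie();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Roles.DeleteCookie() matters only because cacheRolesInCookie is "true" in the post's roleManager element; with caching off, the role provider is queried on each request and there is nothing to clear.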
