«

I am creating a web application for use on an intranet and am having
some problems understanding how to maintain web application user lists
with windows authentication. Adding domain users to a group on the web
server and utilizing <allow><deny> tags to restrict access is quite
nice. However this is really only feasible when the userbase is small.
If one of your apps has to allow 500+ people you would have to sit at
the server and add all these domain accounts to the windows group. Is
there a better way? This seems like an adminmistrative nightmare.

Thanks

Hello jfer,

just use domain groups in the <authorization> element or on the NTFS ACLs
of the aspx pages.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am creating a web application for use on an intranet and am having
> some problems understanding how to maintain web application user lists
> with windows authentication. Adding domain users to a group on the
> web
> server and utilizing <allow><deny> tags to restrict access is quite
> nice. However this is really only feasible when the userbase is
> small.
> If one of your apps has to allow 500+ people you would have to sit at
> the server and add all these domain accounts to the windows group. Is
> there a better way? This seems like an adminmistrative nightmare.
>
> Thanks
>

The problem is not how to use <authorization> the problem is how do you
maintain the listing of windows users and groups which <authorization>
depends on. Sitting at the server and adding 500 users to a
"toolXUser" group for a toolX web application seems a bit much. I
would like to maintain this listing of groups in a SQL database so that
I can build my own front end for maintaining the users and groups. Is
this where I need to build up my own GenericPrincipal ? Any thoughts
are appreciated.

Thanks

Hello jfer,

what makes a SQL front end better than a (already provided) front end for
windows account management?? What do you mean by "sitting at the server"
- as is said you can use AD groups and this all works remotely.

Of course, you can do that - do you want to switch completely to sql based
user account management do you just want to store the roles in sql?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> The problem is not how to use <authorization> the problem is how do
> you maintain the listing of windows users and groups which
> <authorization> depends on. Sitting at the server and adding 500
> users to a "toolXUser" group for a toolX web application seems a bit
> much. I would like to maintain this listing of groups in a SQL
> database so that I can build my own front end for maintaining the
> users and groups. Is this where I need to build up my own
> GenericPrincipal ? Any thoughts are appreciated.
>
> Thanks
>

Yes I want to store the roles in SQL but I am having problems
understanding how to attach the roles to the user. I was initially
using Forms Authentication and the new RoleManager aspect of ASP.NET
2.0 to pull roles from SQL for users. However I realized forms
authentication is not a viable solution to another aspect of my tool so
I need windows authentication with the rolemanager for authorization
elements. Is it possible to mix these? Thanks for insight

Just to clarify I want to use windows authentication in my web
application but I want to maintain and attach my own roles to the user
pulled from an SQL database. Theres plenty of examples on the web
showing how to do this with Forms Authentication but I cannot seem to
find any using Windows Authentication.

Thanks

Hello jfer,

in Authenticate_Request

// get the roles
string[] roles = _getRoles(Context.User.Identity.Name);

// create new prinicipal
GenericPrincipal p = new GenericPrincipal(Context.User.Identity, roles);

// set new user
Context.User = p;
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Yes I want to store the roles in SQL but I am having problems
> understanding how to attach the roles to the user. I was initially
> using Forms Authentication and the new RoleManager aspect of ASP.NET
> 2.0 to pull roles from SQL for users. However I realized forms
> authentication is not a viable solution to another aspect of my tool
> so I need windows authentication with the rolemanager for
> authorization elements. Is it possible to mix these? Thanks for
> insight
>

I am using the new asp.net role manager/provider to obtain and link a
user to roles. My problem is the authentication portion of the system
now. In asp.net 2.0 how do you hook into the Authenticate_Request
portion of the pipeline? Is this done through an HTTPModule? Again
appreciate the help. Thanks

Hello jfer,

ah ok - important info...

no -the sql role provide assumes forms authentication.

either you write your own role provider, or you disable role provider and
do it in authenticate_request as i showed you - the heavy lifting has to
be done in the getRoles method.

Just add a Authenticate_Request method to global.asax or write a HttpModule.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am using the new asp.net role manager/provider to obtain and link a
> user to roles. My problem is the authentication portion of the system
> now. In asp.net 2.0 how do you hook into the Authenticate_Request
> portion of the pipeline? Is this done through an HTTPModule? Again
> appreciate the help. Thanks
>

I have created my own role provider by extending the SqlRoleProvider
class as I did not want to be stuck to Microsoft's backend database.
So far it seems I am able to mix Windows authentication with a role
provider (without using forms authentication) as my <allow
roles="someRole"> are correctly authorizing from the web.config. Just
thought I'd share that.

Cheers