Listing domain users

 
 
Felix_WafyTech
 
      02-18-2006
Hello,

I'm using windows authentication to authenticate users to my site. I now
want to

1. Add the ability of listing domain users (From Active Directory)
2. Filter the user list based on the roles (or groups) assigned to them (via
Active Directory).

Any help would be greatly appreciated.

Thanks,
Felix.J


 
 
 
 
 
Felix_WafyTech
 
      02-18-2006
Forgot to mention that the site is created using VS 2005 / ASP .NET 2.0.

 
 
 
 
MikeS
 
      02-18-2006
Maybe have a look at System.DirectoryServices, the DirectorySearcher,
SearchResult and DirectoryEntry.

 
 
Luke Zhang [MSFT]
 
      02-20-2006
I agree with Mike that you need to query AD with classes in
System.DirectoryServices. Here is a simple sample which may help you
understand:

http://support.microsoft.com/?id=326340

Hope this helps,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
 
Felix_WafyTech
 
      02-20-2006
Thanks for the reply.

The article that you quoted applies to ASP .NET 1.0 and 1.1. How about ASP
.NET 2.0? Are there any enhancements to the way AD Authentication is
performed using ASP .NET 2.0?

Thanks,
Felix.J


 
Joe Kaplan (MVP - ADSI)
 
      02-20-2006
All of the binding code in ASP.NET 2.0 for S.DS is about the same. What
kind of enhancements were you looking for? If you explain more what your
app is trying to do and whose credentials you are trying to use to do it,
that would help.

The primary directory services enhancements in .NET 2.0 are a large number
of additional searching features, some cool enhancements for managing ACLs
on DS objects and the S.DS.ActiveDirectory namespace.

Joe K.

 
Felix
 
      02-20-2006
Thanks. I read the How To's listed in MSDN, and I'm quite clear about the
authentication.

I'm now trying to secure a page that allows users to view, insert and edit
data. I now want to secure this page using windows authentication role based
security. This is what I would like to do:

1. All users including anonymous users should be able to view data.
2. All users with the Managers role can view and insert data.
3. All users with the Administrators role can view, insert and edit data.

I've seen examples that create three different folders (and .aspx files) for
each of these actions and use the web.config file to allow or deny access to
those pages based on roles. I would like to do the same but with a single
page. I do not want to duplicate web pages. Any help would be greatly
appreciated.

Thanks,
Felix.J

 
MikeS
 
      02-20-2006
The simple answer may be that you may need to use a rolemanager and
make use of calls to User.IsInRole to determine what you will allow
your users to see and do.

I wonder about some other things...

Are you using the WindowsTokenRoleProvider, that is, are the roles you
mentioned defined as NT groups?

Do you have your sql procs locked down with grants based on these same
roles so that you need to impersonate the caller's role back to the
database? If so you may want to use different connection strings based
on each type of user. ...Or is there a (nother can of worms) middle
tier...

Me, I think it is probably more trouble to manage different views in a
single page than to just create the three pages that know exactly who
they are dealing with and isolate as much common functionality using
web controls and master pages. But otherwise maybe look at the
multiview control.

Note that location tag lock downs using windows auth and NT group names
don't need a full blown rolemanager but as soon as you want to call any
Roles.* method or anything like it you need the rolemanager.

 
 
Joe Kaplan (MVP - ADSI)
 
      02-20-2006
Agreed. Don't do any LDAP for this. Windows does all of the group lookup
stuff for you with WindowsPrincipal.IsInRole (for any version of ASP.NET)
and the new membership stuff for 2.0.

Joe K.

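The single-page approach that MikeS and Joe Kaplan describe above, as an added example that is not code from the thread: one policy function maps Felix's three rules onto IsInRole, and the page uses it both to show or hide panels and to re-check on postback, because a hidden control alone does not stop a forged request. The group names, the class names, the panel IDs and the handler name are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Principal;

public enum DataAction { View, Insert, Edit }

// Single source of truth for the three rules in Felix's post.
public static class DataPagePolicy
{
    // Assumed NT group names; replace with the real DOMAIN\group values.
    private const string Managers = @"CONTOSO\Managers";
    private const string Administrators = @"CONTOSO\Administrators";

    public static bool IsAllowed(IPrincipal user, DataAction action)
    {
        if (action == DataAction.View) return true;   // rule 1: everyone, anonymous included
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (user.IsInRole(Administrators)) return true;                  // rule 3
        return action == DataAction.Insert && user.IsInRole(Managers);   // rule 2
    }

    public static void Demand(IPrincipal user, DataAction action)
    {
        if (!IsAllowed(user, action))
            throw new SecurityException("Caller may not " + action + " data.");
    }
}

// Code-behind; InsertPanel, EditPanel and SaveEdit_Click are hypothetical
// names for controls and a handler declared in the page's .aspx markup.
public partial class DataPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Cosmetic: only render what the caller is allowed to use.
        InsertPanel.Visible = DataPagePolicy.IsAllowed(User, DataAction.Insert);
        EditPanel.Visible = DataPagePolicy.IsAllowed(User, DataAction.Edit);
    }

    protected void SaveEdit_Click(object sender, EventArgs e)
    {
        // Enforcement: re-check on the server before touching data.
        DataPagePolicy.Demand(User, DataAction.Edit);
        // The update call goes here; it is reached only by Administrators.
    }
}
```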
 
Felix_WafyTech
 
      02-21-2006
Hi,

Thanks for the reply.

I'm getting an error "Logon failure: unknown user name or bad password." when using the following code to retrieve the users list from Active Directory. The error occurs in the line mySearcher.FindAll(). I'm using windows authentication role based security. The site map menus hide/unhide based on the user logged into windows. I do not understand why the below code says unknown user name when the sitemap menus work as expected. Any help is very much appreciated.

    DirectoryEntry entry = new DirectoryEntry("LDAP://" + domainName);
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    mySearcher.Filter = "(objectClass=user)";
    // FindAll() is the call that throws the "Logon failure" error.
    foreach (System.DirectoryServices.SearchResult resEnt in mySearcher.FindAll())
    {
        // (loop body not included in the post)
    }

Thanks,

Felix.J



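Joe Kaplan's earlier question about whose credentials the app uses bears on this error: a DirectoryEntry built from a path alone binds with the security context the code is running under. The following is an added example, not code from the thread, of the listing Felix originally asked for (domain users filtered by group), binding as a dedicated read-only account; the class and method names, that account, and the page size of 500 are assumptions.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
public static class DomainUserLister
{
    // RFC 4515 escaping, so a group name from user input cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Assumption: bindUser/bindPassword come from protected configuration, not source.
    public static List<string> UsersInGroup(string ldapPath, string groupDn,
                                            string bindUser, string bindPassword)
    {
        // memberOf matches direct membership only, not nested or primary groups.
        string filter = "(&(objectCategory=person)(objectClass=user)(memberOf="
                        + EscapeFilterValue(groupDn) + "))";
        List<string> names = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(
                   ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(
                   root, filter, new string[] { "sAMAccountName" }))
        {
            searcher.PageSize = 500;   // page results rather than stop at the server size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    if (r.Properties.Contains("sAMAccountName"))
                        names.Add((string)r.Properties["sAMAccountName"][0]);
            }
        }
        return names;
    }
}
```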
 
 
 