RoleProvider for AD Group membership

Olivier Matrot
11-06-2006
Hello,
I'm in the process of writing my own Active Directory RoleProvider to be
able to check if a user is a member of a given group. But maybe it already
exists somewhere in the community? I do not want to use AzMan. Basically,
it should provide the same functionality as the WindowsTokenRoleProvider
and should work with forms authentication (and ActiveDirectoryMembership
Provider).
Any help appreciated.
TIA.


 
Luke Zhang [MSFT]
11-06-2006
Hello Olivier,

In .NET Framework 2.0, there is a new role provider class, the
"AuthorizationStoreRoleProvider" class:

http://msdn2.microsoft.com/en-us/lib...uthorizationstoreroleprovider(VS.80).aspx

You can use AuthorizationStoreRoleProvider for role membership checks. The
benefit of using AuthorizationStoreRoleProvider is that it provides a
consistent set of APIs for role authorization.

Here is also an article about it:

How To: Use Role Manager in ASP.NET 2.0
http://msdn.microsoft.com/library/de...us/dnpag2/html/PAGHT000013.asp?_r=1

Hope this helps,

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.



 
Dominick Baier
11-06-2006
Ryan Dunn and I (and also Joe Kaplan) worked on an AD role provider.

Mail me and I will send you the code (it is not final, but chances are high
it will work for you).

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com




 
Olivier Matrot
11-06-2006
Hello Luke,
Membership check is done via the AspNetActiveDirectoryMembershipProvider.
I'm trying to use AuthorizationStoreRoleProvider, but it seems to be
difficult to use:
1) What is the format of the connection string? I'm using the following:
MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private

But the following exception is thrown :
The service did not respond to the start or control request in a timely
fashion. (Exception from HRESULT: 0x8007041D)

Please note that I'm accessing a domain that is located in another forest.
This is working just fine with the membership provider.

Here is the content of my web.config file:

<connectionStrings>
  <add name="MemberShipProvider"
       connectionString="LDAP://rtetest.private/OU=FaxBox,DC=rtetest,dc=private"/>
  <add name="AzmanRoleProvider"
       connectionString="MSLDAP://rtetest.private/CN=AzMan,OU=FaxBox,DC=rtetest,DC=private"/>
</connectionStrings>

<roleManager enabled="true"
             cacheRolesInCookie="true"
             defaultProvider="AuthorizationStoreRoleProvider">
  <providers>
    <!-- Only on Windows 2003 by default! -->
    <add name="AuthorizationStoreRoleProvider"
         type="System.Web.Security.AuthorizationStoreRoleProvider"
         connectionStringName="AzmanRoleProvider"
         cacheRefreshInterval="60"/>
  </providers>
</roleManager>

<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
  <providers>
    <add name="AspNetActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="MemberShipProvider"/>
  </providers>
</membership>

TIA.

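An added example, not code from this thread and not the provider Dominick and Joe refer to: the group lookup that a custom AD RoleProvider's GetRolesForUser and IsUserInRole could delegate to, with the provider's remaining abstract members throwing NotSupportedException. It assumes the LDAP path is the same connection string the membership provider above binds to and that a separate bind account is supplied for the cross-forest case; the AdGroupLookup class and its method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Hypothetical helper (added example): the group lookup behind a custom AD RoleProvider.
public static class AdGroupLookup
{
    // RFC 4515 escaping so a user name or DN cannot add terms to the search filter.
    public static string Escape(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // ldapPath: the same LDAP://server/OU-DN string the membership provider binds to.
    // bindUser/bindPassword: pass null to bind as the worker process identity; an explicit
    // account is needed when the web server is not a member of the target forest.
    public static string[] GetGroups(string ldapPath, string bindUser, string bindPassword, string username)
    {
        List<string> groups = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (DirectorySearcher search = new DirectorySearcher(root))
        {
            // The attribute must match the membership provider's attributeMapUsername (UPN by default).
            search.Filter = "(&(objectCategory=person)(sAMAccountName=" + Escape(username) + "))";
            search.PropertiesToLoad.Add("distinguishedName");
            SearchResult user = search.FindOne();
            if (user == null) return new string[0];   // unknown user: no roles rather than an exception
            string dn = (string)user.Properties["distinguishedName"][0];

            // LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003 SP2+ DCs) has the DC expand nested
            // membership, so one query returns direct and transitive groups. The primary group
            // (normally Domain Users) is linked via primaryGroupID, not member, so it is omitted.
            search.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=" + Escape(dn) + "))";
            search.PropertiesToLoad.Clear();
            search.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = search.FindAll())
                foreach (SearchResult group in results)
                    groups.Add((string)group.Properties["sAMAccountName"][0]);
        }
        return groups.ToArray();
    }

    // Group names are case-insensitive in AD, so compare accordingly.
    public static bool IsInGroup(string ldapPath, string bindUser, string bindPassword, string username, string groupName)
    {
        foreach (string group in GetGroups(ldapPath, bindUser, bindPassword, username))
            if (string.Equals(group, groupName, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }
}
```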



 
Joe Kaplan
11-06-2006
Yes, I just gave it to someone else and it seemed to work pretty well for
them. I think Ryan and I will try to finish it up and publish it on our
book's website once he gets back from vacation.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--



 
Luke Zhang [MSFT]
11-07-2006
The general format for the connection string is as follows:

msldap://ServerName:Port/DistinguishedNameForTheStore

The server name and the port are optional. If a server name is not
provided, the default domain controller is used. If a port is not
specified, the default LDAP port (LDAP_PORT, 389) is used. The
distinguished name (DN) for the store begins with the relative
distinguished name (RDN) of the AzAuthorizationStore object. For example,
if the RDN of the AzAuthorizationStore object is MyStore and MyStore is in
an organizational unit (OU) named AzMan, a possible connection string for
the Active Directory store is as follows:

msldap://MyServer/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Fabrikam,DC=Com

Sincerely,

Luke Zhang

Microsoft Online Community Support



 
Olivier Matrot
11-07-2006
Luke,
Is this provider working in an out-of-domain scenario, that is, accessing a
domain in another forest? In this case, we must probably give proper
credentials to make it work.





 
 
Luke Zhang [MSFT]
11-08-2006
Hello Olivier,

This provider will work between trusted domains.

Sincerely,

Luke Zhang

Microsoft Online Community Support



 