role-based security and ActiveDirectory

SpaceMarine
      05-28-2009
hello,

I'm having a little problem w/ role-based security and ActiveDirectory
(AD), hoping someone can help. I'm trying to restrict access to my app
to only users within a particular AD group. Details:

- ASP.NET 3.5 intranet app; Visual Studio 2008

- deployed to a Windows Server 2008 (IIS7) machine

- uses Windows authentication

- all desired domain users reside in a custom AD group, "FOO_BAR".

- requesting the User.Identity.Name yields: "OURDOMAIN\SomeUserName"

- requesting all group membership yields:

Everyone
OURDOMAIN\Domain Users
OURDOMAIN\FOO_BAR

...all looks good. So the problem? When I request:

User.IsInRole(@"OURDOMAIN\FOO_BAR") or
User.IsInRole("FOO_BAR")

...I get False.

This is problematic because in my web.config I'm trying to restrict
access to the group only:

<authorization>
<!-- Allow only group users -->
<allow roles="FOO_BAR"/>
<deny users="*"/>
<deny users="?"/>
</authorization>


Any idea what's up? I read that ASP.NET's role-based security model
should be able to pick up a Windows-authenticated AD user's groups as
roles. Is this not the case?


thanks!
sm


PS - here is how I loop over a user's group memberships...useful:

// namespaces the snippet needs (added so it compiles as posted)
using System.Security.Principal;
using System.Text;

// convert the thread's token groups (SIDs) to readable DOMAIN\Name accounts
IdentityReferenceCollection usersGroups =
    WindowsIdentity.GetCurrent().Groups.Translate(typeof(NTAccount));

StringBuilder sb = new StringBuilder(200);

foreach (IdentityReference group in usersGroups)
    sb.Append(group.Value + "<br/>");
Alexey Smirnov
      05-28-2009
On May 28, 11:49 pm, SpaceMarine wrote:

> Any idea what's up? I read that ASP.NET's role-based security model
> should be able to pick up a Windows-authenticated AD user's groups as
> roles. Is this not the case?


You need to use ADAM or similar
http://msdn.microsoft.com/en-us/library/ms998331.aspx


> // convert user's groups to readable NT thang
> IdentityReferenceCollection usersGroups = WindowsIdentity.GetCurrent
> ().Groups.Translate(System.Type.GetType
> ("System.Security.Principal.NTAccount"));
>
> StringBuilder sb = new StringBuilder(200);
>
> foreach (IdentityReference group in usersGroups)
>     sb.Append(group.Value + "<br/>");


You can assign the user to roles manually from code.

In global.asax, in Application_AuthenticateRequest, you can use your
code from above as

// namespaces the handler needs (added so it compiles as posted)
using System.Collections.Generic;
using System.Security.Principal;

// a string[] has no Add(); collect the names in a List instead
List<string> roles = new List<string>();

// your code here.... (build usersGroups as in the post above)

foreach (IdentityReference group in usersGroups)
    roles.Add(group.Value);   // e.g. "OURDOMAIN\FOO_BAR"

// and then attach our own custom principal to the request, carrying the
// roles collected from the token
Context.User = new GenericPrincipal(Context.User.Identity, roles.ToArray());
Joe Kaplan
      05-29-2009
This should work. It may be the case that the group in question either is
not security enabled and thus would not be in the user's token, or it has a
different account name than you think it does.

What you should do is verify what's actually in the token. Write some code
that translates the User.Identity object to a WindowsIdentity and then use
the Translate method on the IdentityReferenceCollection to translate to
NTAccount objects. Then you can dump out the names and see what's in there.

Alexey suggested using ADAM or creating a GenericPrincipal object but
neither of these is needed. I can't actually see why ADAM would help with
this scenario at all. The WindowsPrincipal should do exactly what you want
it to.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

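Joe's debugging suggestion (and SpaceMarine's group loop from the first post), as an added example that is not code from any poster: cast the request's User.Identity to a WindowsIdentity, list the token's group SIDs with their NTAccount names, then resolve the role name to a SID and look for that SID in the token, which is how WindowsPrincipal.IsInRole(string) decides. The class name and the roleName argument are assumptions; pass the same string you use in web.config.

```csharp
using System.Security.Principal;
using System.Text;

// Added example, not from any poster. From a page in the app, e.g.:
//   lit.Text = TokenGroupDump.Describe(User, @"OURDOMAIN\FOO_BAR");
public static class TokenGroupDump
{
    // Dumps the group SIDs in the request's Windows token (the client identity,
    // not the worker thread) with their DOMAIN\Name form, then resolves roleName
    // to a SID and looks for that SID in the token, as IsInRole(string) does.
    public static string Describe(IPrincipal user, string roleName)
    {
        WindowsIdentity identity = user.Identity as WindowsIdentity;
        if (identity == null)
            return "User.Identity is not a WindowsIdentity; is Windows authentication on?";
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Client identity: " + identity.Name);
        sb.AppendLine("Token groups (SID -> NTAccount):");
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // One SID at a time, so an unresolvable SID (e.g. a group from
                // an untrusted domain) does not abort the whole dump.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "<unresolvable>";
            }
            sb.AppendLine("  " + sid.Value + " -> " + name);
        }
        try
        {
            SecurityIdentifier roleSid = (SecurityIdentifier)
                new NTAccount(roleName).Translate(typeof(SecurityIdentifier));
            sb.AppendLine(roleName + " resolves to " + roleSid.Value
                + "; SID present in token: " + identity.Groups.Contains(roleSid));
        }
        catch (IdentityNotMappedException)
        {
            // Wrong name, or an unqualified name this server's domain cannot map.
            sb.AppendLine(roleName + " does not resolve to a SID on this server.");
        }
        sb.AppendLine("IsInRole(\"" + roleName + "\") = " + user.IsInRole(roleName));
        return sb.ToString();
    }
}
```

If the group is a distribution group rather than security enabled, it never enters the token and will be absent from the dump even though the name resolves; if the name does not resolve at all, the string in web.config is what to recheck.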
SpaceMarine
      05-29-2009
On May 28, 11:26 pm, Joe Kaplan wrote:
> This should work. It may be the case that the group in question either is
> not security enabled and thus would not be in the user's token, or it has a
> different account name than you think it does.


I see. If I ask our admins whether the group is "security enabled",
will that mean something to them, something they can check?


sm
Joe Kaplan
      05-29-2009
I hope so. It is a radio button in the normal AD GUI. If the AD admins
don't know what you are talking about, I would lobby for qualified people to
take their positions.

SpaceMarine
      05-29-2009
On May 29, 10:50 am, Joe Kaplan wrote:
> I hope so. It is a radio button in the normal AD GUI.


OK, it wasn't that. They sent me a screenshot -- Security was
selected, Distribution was not.

So it looks like this is next:

> What you should do is verify what's actually in the token. Write some code
> that translates the User.Identity object to a WindowsIdentity and then use
> the Translate method on the IdentityReferenceCollection to translate to
> NTAccount objects. Then you can dump out the names and see what's in there.


...is that something substantially different than my group looping
above?


thanks,
sm
SpaceMarine
      05-29-2009
On May 28, 6:04 pm, Alexey Smirnov wrote:

> You can assign user to roles manually from the code.
>
> // your code here....
>
> foreach (IdentityReference group in usersGroups)
> roles.Add(group.Value);
>
> //and then add our own custom principal to the request containing the
> roles in the auth ticket
> Context.User = new GenericPrincipal(Context.User.Identity, roles);


Assuming I can't get this to work 100% out-of-the-box (users' AD group
memberships equating to ASP.NET's Roles), you are right -- I could
always loop thru my above group collection and add each to the Roles
collection.

Just seems kinda silly.


sm
Joe Kaplan
      05-31-2009
It should work fine. Normally a problem like this is that either:

- You have an incorrect name and the string match is failing as a result
- You have a domain local group from a domain in a different domain than
the web server
- You have a nested group and are still in Win2K mixed mode with AD
- The group isn't security enabled

You've already eliminated the last one and the other two seem less likely.
The idea behind looping through the groups is just for debug purposes to see
what's actually in the user's token. That will give you a better clue what's
going on and you can go from there.

SpaceMarine
      06-01-2009
On May 30, 9:27 pm, Joe Kaplan wrote:
> The idea behind looping through the groups is just for debug purposes to see
> what's actually in the user's token. That will give you a better clue what's
> going on and you can go from there.


Ah...my initial thought was that looping thru the current
WindowsIdentity's Groups and translating to NTAccounts as I am doing
(first post) was doing exactly that. But now I see the User.Identity
is NOT the same as WindowsIdentity.GetCurrent(). (Seems the
WindowsIdentity represents the thread running the ASP.NET code,
whereas User.Identity just represents the "client" identity. I'm still
learning the diffs!)

Thus you're suggesting I "translate" the User.Identity to a
WindowsIdentity. So I did this:

WindowsIdentity winIdentity2 = (WindowsIdentity)User.Identity;

...and re-created winIdentity2's groups collection, translating to
NTAccount. Results -- group membership is *the same* as when I used:

WindowsIdentity.GetCurrent(true); // true = app is using impersonation

...same exact groups when looped thru.


the plot thickens!!


BTW I really appreciate your knowledge & help.
sm
SpaceMarine
      06-01-2009
On May 30, 9:27 pm, Joe Kaplan wrote:
> It should work fine. Normally a problem like this is that either:
>
> - You have an incorrect name and the string match is failing as a result
> - You have a domain local group from a domain in a different domain than
> the web server
> - You have a nested group and are still in Win2K mixed mode with AD
> - The group isn't security enabled
>
> You've already eliminated the last one and the other two seem less likely.


...yep, the last is eliminated. First: I hope not, but that would be
easiest. I've tried w/ "FOO_BAR" (my group name, w/ an underscore in
it), as well as copying the full "OURDOMAIN\FOO_BAR" out of the group
collection -- I had to add the @ sign for C#, so it's @"OURDOMAIN
\FOO_BAR". Both return False....

That leaves the middle two. I'm going to ask my admin about them.

On #2 - while my group memberships say "OURDOMAIN\XXX", on the web
server "My Computer->Properties" says "Domain: ourdomain.com". (The
server is hit internally via "http://boxname.ourdomain.com".)


sm