
Forms Authentication +Active Directory +Roles

Okay, the subject line explains a scenario I just had to tackle, but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object; if no exception, create a
custom authentication ticket.
3) But I also needed role-based security within the app. So I used a SQL
Server 2k DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and activate the account. The user is notified when
they log in whether their account is "not activated" or "pending activation".

What I need to know:

Is there a way I can use AD authentication with forms authentication and
have role-based security without maintaining a separate db? For example, if
I had 2 AD groups, how would I assign each group to a role?

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account requests in AD. So it is difficult sometimes to convince them that I have
4 roles for an application, so I need 4 groups, whether they be nested or not.

thanks
Marty
Nov 17 '05 #1
"Marty Underwood" <ma********@ins ightbb.com> wrote in message
news:tWEnb.5354 4$e01.137681@at tbi_s02...

Marty, I don't understand: what's wrong with treating groups as roles?
--
John
Nov 17 '05 #2
Hey John, it's not that there is anything wrong; the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop the groups into an
array and then for/next through each one to assign a role.

A lot of overhead, I think, can be prevented; I just can't think of the simplest
way.

Basically, my question is this: if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups?

Thanks
"John Saunders" <john.saunder s at surfcontrol.com > wrote in message
news:%2******** ********@tk2msf tngp13.phx.gbl. ..
Nov 17 '05 #3
"Marty Underwood" <ma********@ins ightbb.com> wrote in message
news:peWnb.5887 6$HS4.302857@at tbi_s01...
I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
--
John
Nov 17 '05 #4
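John's "find the correspondence" approach as an added C# example (not code from the thread or from either poster): the user's group names go into a hash lookup against the four app groups, the matching roles are carried in the forms ticket's UserData, and a GenericPrincipal is rebuilt from the ticket on each request. It assumes the caller has already read the group names from AD after the bind, for example from the bound user's memberOf attribute, which lists direct memberships only, so nested groups need tokenGroups or a recursive lookup; the APP_* group names, role names and 30-minute timeout are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Added example, not code from the thread; group and role names are hypothetical.
public static class AdRoleMapper
{
    // The group-to-role correspondence. Windows group names are case-insensitive.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "APP_Readers", "Reader" }, { "APP_Editors", "Editor" },
            { "APP_Approvers", "Approver" }, { "APP_Admins", "Admin" },
        };
    // From the user's full group list (20, 50, ... names read from AD) keep only the
    // roles this app knows. Each check is one hash probe: no sorting or binary search,
    // and the unrelated groups never become roles.
    public static string[] RolesFor(IEnumerable<string> userGroups)
    {
        var roles = new HashSet<string>(StringComparer.Ordinal);
        foreach (string group in userGroups)
        {
            string role;
            if (GroupToRole.TryGetValue(group, out role))
                roles.Add(role);
        }
        return new List<string>(roles).ToArray();
    }
    // After the AD bind succeeds: issue the forms ticket with the mapped roles in
    // UserData. The ticket is encrypted and MACed, so the client cannot add roles.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true };
        response.Cookies.Add(cookie);
    }
    // Call from Application_AuthenticateRequest in Global.asax: rebuild the principal
    // from the ticket so User.IsInRole("Editor") sees the AD-derived roles.
    public static void AttachPrincipal(HttpContext context)
    {
        var identity = context.User?.Identity as FormsIdentity;
        if (identity == null) return;
        string[] roles = identity.Ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the roles travel in the ticket, a user removed from an AD group keeps the role until the ticket expires, so keep the timeout short or re-query AD when it is renewed.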

"John Saunders" <john.saunder s at surfcontrol.com > wrote in message
news:um******** ******@TK2MSFTN GP10.phx.gbl...
It's been a long last couple of days; what you say is what I have to do. I was just
working on 3 different projects at the same time and guess I got my mind
sidetracked. I thought about a different way, and that is to check the
members of a group against a username and see if that person is a member of
the group, instead of checking the groups that person is a member of.

Thanks for your time

Marty
Nov 17 '05 #5
