Bytes | Developer Community
Forms Authentication +Active Directory +Roles

Okay, the subject line explains a scenario I just had to tackle, but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object; if there is no exception, create a
custom authentication ticket.
3) But I also needed role-based security within the app. So I used a SQL
Server 2k DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and activate the account. The user is notified when
they log in whether their account is "not activated" or "pending activation".

What I need to know:

Is there a way I can use AD authentication with forms authentication and
have role-based security without maintaining a separate db? For example, if
I had 2 AD groups, how would I assign each group to a role?

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account requests in AD. So it is sometimes difficult to convince them that I have
4 roles for an application so I need 4 groups, whether they be nested or not.

thanks
Marty
Nov 17 '05 #1
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:tWEnb.53544$e01.137681@attbi_s02...
Marty, I don't understand: what's wrong with treating groups as roles?
--
John
Nov 17 '05 #2
Hey John, it's not that there is anything wrong; the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop the groups into an
array and then for/next through each one to assign a role.

A lot of overhead, I think, can be prevented; I just can't think of the simplest
way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.

Thanks
Nov 17 '05 #3
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:peWnb.58876$HS4.302857@attbi_s01...
I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
--
John
Nov 17 '05 #4
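Putting John's "find the correspondence" suggestion into ASP.NET forms-authentication terms, as an added example (not code from either poster): a case-insensitive hash lookup does the job of the sorted-array binary search, only the mapped application roles (not all 50+ groups) go into the encrypted ticket, and the principal is rebuilt from that ticket on each request. The APP-* group names, the four role names and the "|" separator are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical AD group -> application role table; groups not listed here
// (the user's other memberships) simply miss the lookup and are ignored.
static class AdRoleMapper
{
    static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "APP-Readers", "Reader" }, { "APP-Authors", "Author" },
            { "APP-Approvers", "Approver" }, { "APP-Admins", "Admin" },
        };

    // One pass over the groups read server-side from AD after the bind,
    // one hash lookup each: no nested loop, no Select Case over group names.
    public static string[] MapGroupsToRoles(IEnumerable<string> adGroups)
    {
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string g in adGroups)
        {
            if (GroupToRole.TryGetValue(g, out string role)) roles.Add(role);
        }
        return roles.ToArray();
    }

    // Store only the mapped roles in UserData (all groups would bloat the cookie
    // past the ~4 KB limit); Encrypt() both encrypts and MACs the ticket.
    public static void IssueTicket(HttpResponse response, string user, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(1, user, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
        response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_AuthenticateRequest: rebuild the principal
    // from the validated ticket so IsInRole() and <authorization roles=...> work.
    public static void OnAuthenticateRequest(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null) return;
        string[] roles = identity.Ticket.UserData.Split(
            new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

The role list is protected by the machineKey-based encryption and MAC that FormsAuthentication.Encrypt applies, so a client cannot edit its own roles; the group list itself must always come from the server-side AD query, never from anything the browser sends.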

"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:um**************@TK2MSFTNGP10.phx.gbl...
Long last couple of days; what you say is what I have to do. I was just
working on 3 different projects at the same time and guess I got my mind
sidetracked. I thought about a different way, and that is to check the
members of a group against a username and see if that person is a member of
the group, instead of checking the groups that person is a member of.

Thanks for your time

Marty
Nov 17 '05 #5