472,334 Members | 1,492 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

home > topics > asp.net > questions > forms authentication +active directory +roles

Join Bytes to post your question to a community of 472,334 software developers and data experts.

Forms Authentication +Active Directory +Roles

Okay the subject line explains a scenario I just had to tackle but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object if no exception create
custom authentication ticket.
3) But I also needed Role based security within the app. So I used SQL
server 2k DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and Activate the account. The user is notified when
they log in whether there account is "not activated", "pending activation".

What I need to know:

If there a way I can use AD authentication with forms authentication and
have role based security without maintaining a seperate db. For example, if
I had 2 AD groups how would I assign each group to a role.

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account request in AD. So it is difficult sometimes to convince them I have
4 roles for an application so I need 4 groups whether they be nested or not.

thanks
Marty
Nov 17 '05 #1
4 2196
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:tWEnb.53544$e01.137681@attbi_s02...
Okay the subject line explains a scenario I just had to tackle but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object if no exception create
custom authentication ticket.
3) But I also needed Role based security within the app. So I used SQL
server 2k DTS package to get the members of the AD group and then created a notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and Activate the account. The user is notified when they log in whether there account is "not activated", "pending activation".
What I need to know:

If there a way I can use AD authentication with forms authentication and
have role based security without maintaining a seperate db. For example, if I had 2 AD groups how would I assign each group to a role.

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account request in AD. So it is difficult sometimes to convince them I have 4 roles for an application so I need 4 groups whether they be nested or

not.

Marty, I don't understand: what's wrong with treating groups as roles?
--
John
Nov 17 '05 #2
Hey John, it's not that there is anything wrong the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop groups into an
array and then for/next through each one to assign a role.

Alot of overhead I think can be prevented I just can't think of the simplest
way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.

Thanks
"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:tWEnb.53544$e01.137681@attbi_s02...
Okay the subject line explains a scenario I just had to tackle but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object if no exception create custom authentication ticket.
3) But I also needed Role based security within the app. So I used SQL
server 2k DTS package to get the members of the AD group and then created
a
notification system to the application security administrator about a

new user if the user was not configured. The security administrator could then log into the application and Activate the account. The user is notified

when
they log in whether there account is "not activated", "pending

activation".

What I need to know:

If there a way I can use AD authentication with forms authentication and
have role based security without maintaining a seperate db. For example,

if
I had 2 AD groups how would I assign each group to a role.

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account request in AD. So it is difficult sometimes to convince them I

have
4 roles for an application so I need 4 groups whether they be nested or

not.

Marty, I don't understand: what's wrong with treating groups as roles?
--
John

Nov 17 '05 #3
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:peWnb.58876$HS4.302857@attbi_s01...
Hey John, it's not that there is anything wrong the problem comes when
determining which groups a person is a member of and then assigning them to a role. Keep in mind some of these people may be a member of 20 or 30 groups for the organization. I really hate to get the groups, drop groups into an
array and then for/next through each one to assign a role.

Alot of overhead I think can be prevented I just can't think of the simplest way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.


I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
--
John
Nov 17 '05 #4

"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:um**************@TK2MSFTNGP10.phx.gbl...
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:peWnb.58876$HS4.302857@attbi_s01...
Hey John, it's not that there is anything wrong the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30

groups
for the organization. I really hate to get the groups, drop groups into an array and then for/next through each one to assign a role.

Alot of overhead I think can be prevented I just can't think of the

simplest
way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.


I haven't done much AD programming, so maybe I'm missing something

obvious. But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you use them as is, or they're from different sets and you need to find the
correspondence.
--
John


Long last couple of days, what you say is what I have to do. I was just
working on 3 different projects at the same time and guess I got my mind
sidetracked. I thought about a different way and that is to check the
members of a group against a username and see if that person is a member of
the group instead checking the groups that person is a member of.

Thanks for your time

Marty
Nov 17 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
ASP.NET with ADirectory role based authentication
by: naijacoder naijacoder | last post by:
Hi Everyone, I have some Questions relating to Active Directory and Asp.net. 1)I have created a role based authorisation using SQL Server but i...
ASP / Active Server Pages
3
Combine Forms Authentication with Windows
by: Nick | last post by:
I am working a new application...well actually a series of applications for my company. They want internal users to be able to go to a site and...
.NET Framework
11
Forms Authentication Problem
by: ElmoWatson | last post by:
I tried on the Security newgroup, as well as other places, and haven't gotten an answer yet - - I'm pulling my hair out over this one. I'm trying...
ASP.NET
3
Forms authentication in a subfolder problem, please help
by: Kris van der Mast | last post by:
Hi, I've created a little site for my sports club. In the root folder there are pages that are viewable by every anonymous user but at a certain...
ASP.NET
5
Forms Auth. Question
by: V. Jenks | last post by:
Using forms authentication, can I control which pages and/or directories a user would have access to or is that only available with Windows...
ASP.NET
2
Multiple Logins in Forms Authentication??
by: Nicolas Bottarini | last post by:
Hi!! I have a site with a backend subdirectory with the backend of the site. I need that the site to have one login and the backend directory...
ASP.NET
1
windows integrated authentication and impersonation
by: Eric | last post by:
I trying to setup an intranet based on windows NT groups or roles. I have used windows integrated authentication with impersonation first but this...
ASP.NET
5
Forms Authentication vs MembershipProvider
by: Rory Becker | last post by:
Having now created a Custom MembershipProvider that seems to work correctly with my Logon and ChangePassword controls, I am, as they say, a happy...
ASP.NET
1
Forms Authentication for single directory
by: Sean | last post by:
Hi, I've taken over a website, which has an admin section that is currently open. I added Forms Authentication to the admin directory with the...
ASP.NET
0
The Top 5 Skills You Need in a PowerApps Developer
by: concettolabs | last post by:
In today's business world, businesses are increasingly turning to PowerApps to develop custom business applications. PowerApps is a powerful tool...
.NET Framework
0
List of Topmost 8 Electronics Engineering Forum Websites
by: teenabhardwaj | last post by:
How would one discover a valid source for learning news, comfort, and help for engineering designs? Covering through piles of books takes a lot of...
General
0
Benefits of Blockchain App Development for Enterprise Businesses
by: Kemmylinns12 | last post by:
Blockchain technology has emerged as a transformative force in the business world, offering unprecedented opportunities for innovation and...
General
0
Basic concepts of WebLogic Admin training?
by: Naresh1 | last post by:
What is WebLogic Admin Training? WebLogic Admin Training is a specialized program designed to equip individuals with the skills and knowledge...
Oracle Database
0
jalbright99669
https redirect with reverse proxy
by: jalbright99669 | last post by:
Am having a bit of a time with URL Rewrite. I need to incorporate http to https redirect with a reverse proxy. I have the URL Rewrite rules made...
IIS / Internet Information Server
0
Hyperconverged All-in-One Streaming Engine, ushering in new age for distributed database
by: antdb | last post by:
Ⅰ. Advantage of AntDB: hyper-convergence + streaming processing engine In the overall architecture, a new "hyper-convergence" concept was...
General
0
How to layout php header location with a variable as the location?
by: Matthew3360 | last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function. Here is my code. ...
PHP
0
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computer
by: AndyPSV | last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable...
General
0
hi
by: WisdomUfot | last post by:
It's an interesting question you've got about how Gmail hides the HTTP referrer when a link in an email is clicked. While I don't have the specific...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2023
About Bytes
Advertise
Terms Of Use
Privacy Policy

Sitemap

Follow us! Get the Latest Bytes Updates