By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
435,301 Members | 1,741 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 435,301 IT Pros & Developers. It's quick & easy.

Windows Integrated Security - Restricting Users Without Groups

P: n/a
Hi,

Im in a situation where I need to restrict users, but I dont have access or
wont be allowed access to manage groups in the domain. How can I restrict
access is this case ?

--
Best Regards

The Inimitable Mr Newbie
Dec 3 '05 #1
Share this Question
Share on Google+
6 Replies


P: n/a
I wonder then, how will you distinct a user at all?
I'm using roles, when the user get's authenticated i stamp it to 'user' :)

I think you'll need to elaborate the possiblities you have.
"Mr Newbie" <he**@now.com> schreef in bericht
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi,

Im in a situation where I need to restrict users, but I dont have access
or wont be allowed access to manage groups in the domain. How can I
restrict access is this case ?

--
Best Regards

The Inimitable Mr Newbie

Dec 3 '05 #2

P: n/a
The possibilities are slim

Windows Authentication
No ability to add and remove people from the active directory.

I want to restrict users from being able to access the site.

--

"Edwin Knoppert" <in**@pbsoft.speedlinq.nl> wrote in message
news:dm*********@azure.qinip.net...
I wonder then, how will you distinct a user at all?
I'm using roles, when the user get's authenticated i stamp it to 'user' :)

I think you'll need to elaborate the possiblities you have.
"Mr Newbie" <he**@now.com> schreef in bericht
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi,

Im in a situation where I need to restrict users, but I dont have access
or wont be allowed access to manage groups in the domain. How can I
restrict access is this case ?

--
Best Regards

The Inimitable Mr Newbie


Dec 3 '05 #3

P: n/a
Hi Mr. N,

It's not clear from your post whether or not it is a requirement that your
users are in fact, Active Directory user accounts, or whether, perhaps, they
could be some other form of "user."

That is, if the requirement is that they are Active Directory users, and you
have access to Active Directory via System.DirectoryServices and LDAP (read
only at least), you can create a separate database with an entry for each
user. Then you can mange the permissions that each user has via this
database, which would be entirely separate from Active Directory, other then
the user account name being in Active Directory, and the web requiring an
Active Directory login to access (disallow anonymous access, in other
words). If this is the case, all Active Directory user accounts would have
to have permission to log in to the web site (so that your ASP.Net app could
authenticate them via your database), and your app would handle allowing
access to different resources, or even all resources.

If, on the other hand, you can neither grant all domain users access to the
web, or you can't get read access to the Active Directory, you could allow
anonymous access, employ a web login (via a web page), and use a database to
manage the permissions in much the same way as described above.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Mr Newbie" <he**@now.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi,

Im in a situation where I need to restrict users, but I dont have access
or wont be allowed access to manage groups in the domain. How can I
restrict access is this case ?

--
Best Regards

The Inimitable Mr Newbie

Dec 3 '05 #4

P: n/a
Hi Kevin,

Thanks for your reply. I have managed to restrict access to roles by using
the following in the Authentication Event in global.asax. I have hard coded
it just for test purposes, but I can then add the allow
roles="Administrator" into the web.config and this works.

However, in my testing, I cant seem to get User.IsInRole("GroupName") to
work, it seems that the windows group membership does not correlate to this
function ( at least I cant get it to work. ) Do you know where these groups
needs to be ( Local machine, Domain, Universal group etc ? and do you
have to go get the memberships etc from those groups ??

Cheers - Mr N

If Request.IsAuthenticated Then

Dim rl As System.Collections.ArrayList

rl = DataAccess.getUserRoles(User.Identity.Name)

'Convert the roleList ArrayList to a String array

Dim roleListArray As String() = {"Administrator"}
'CType(rl.ToArray(GetType(String)), String())

'Add the roles to the User Principal

HttpContext.Current.User = _

New System.Security.Principal.GenericPrincipal(User.Id entity, roleListArray)

End If
--
Best Regards

The Inimitable Mr Newbie
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:u$****************@TK2MSFTNGP11.phx.gbl...
Hi Mr. N,

It's not clear from your post whether or not it is a requirement that your
users are in fact, Active Directory user accounts, or whether, perhaps,
they could be some other form of "user."

That is, if the requirement is that they are Active Directory users, and
you have access to Active Directory via System.DirectoryServices and LDAP
(read only at least), you can create a separate database with an entry for
each user. Then you can mange the permissions that each user has via this
database, which would be entirely separate from Active Directory, other
then the user account name being in Active Directory, and the web
requiring an Active Directory login to access (disallow anonymous access,
in other words). If this is the case, all Active Directory user accounts
would have to have permission to log in to the web site (so that your
ASP.Net app could authenticate them via your database), and your app would
handle allowing access to different resources, or even all resources.

If, on the other hand, you can neither grant all domain users access to
the web, or you can't get read access to the Active Directory, you could
allow anonymous access, employ a web login (via a web page), and use a
database to manage the permissions in much the same way as described
above.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Mr Newbie" <he**@now.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi,

Im in a situation where I need to restrict users, but I dont have access
or wont be allowed access to manage groups in the domain. How can I
restrict access is this case ?

--
Best Regards

The Inimitable Mr Newbie


Dec 3 '05 #5

P: n/a
Mr NewBie..
I blogged something very similar at:-
http://spaces.msn.com/members/naijacoder
Just look for :-How to configure and implement a Role based Windows
Authentication
Hope that helps
Patrick
"Mr Newbie" <he**@now.com> wrote in message
news:uP*************@TK2MSFTNGP09.phx.gbl...
Hi Kevin,

Thanks for your reply. I have managed to restrict access to roles by using the following in the Authentication Event in global.asax. I have hard coded it just for test purposes, but I can then add the allow
roles="Administrator" into the web.config and this works.

However, in my testing, I cant seem to get User.IsInRole("GroupName") to
work, it seems that the windows group membership does not correlate to this function ( at least I cant get it to work. ) Do you know where these groups needs to be ( Local machine, Domain, Universal group etc ? and do you
have to go get the memberships etc from those groups ??

Cheers - Mr N

If Request.IsAuthenticated Then

Dim rl As System.Collections.ArrayList

rl = DataAccess.getUserRoles(User.Identity.Name)

'Convert the roleList ArrayList to a String array

Dim roleListArray As String() = {"Administrator"}
'CType(rl.ToArray(GetType(String)), String())

'Add the roles to the User Principal

HttpContext.Current.User = _

New System.Security.Principal.GenericPrincipal(User.Id entity, roleListArray)
End If
--
Best Regards

The Inimitable Mr Newbie
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:u$****************@TK2MSFTNGP11.phx.gbl...
Hi Mr. N,

It's not clear from your post whether or not it is a requirement that your users are in fact, Active Directory user accounts, or whether, perhaps,
they could be some other form of "user."

That is, if the requirement is that they are Active Directory users, and
you have access to Active Directory via System.DirectoryServices and LDAP (read only at least), you can create a separate database with an entry for each user. Then you can mange the permissions that each user has via this database, which would be entirely separate from Active Directory, other
then the user account name being in Active Directory, and the web
requiring an Active Directory login to access (disallow anonymous access, in other words). If this is the case, all Active Directory user accounts
would have to have permission to log in to the web site (so that your
ASP.Net app could authenticate them via your database), and your app would handle allowing access to different resources, or even all resources.

If, on the other hand, you can neither grant all domain users access to
the web, or you can't get read access to the Active Directory, you could
allow anonymous access, employ a web login (via a web page), and use a
database to manage the permissions in much the same way as described
above.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Mr Newbie" <he**@now.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi,

Im in a situation where I need to restrict users, but I dont have access or wont be allowed access to manage groups in the domain. How can I
restrict access is this case ?

--
Best Regards

The Inimitable Mr Newbie



Dec 4 '05 #6

P: n/a
Patrick, thanks for your reply.

Through investigation, I have discovered that you dont need impersonation to
check the group membership. What I was missing was the domain name
DOMAINNAME\GroupName

The only caviat here is that if you change the groups the user needs to log
off an on again to make the changes effective. Using the windows security
permissions principal has no real value in my case, and impersonation
carries additional overhead not to mention the extra risk of failure of the
application when those permissions are not taken into account.

--
Best Regards

The Inimitable Mr Newbie

"Patrick.O.Ige" <na********@toughguy.net> wrote in message
news:O7***************@TK2MSFTNGP11.phx.gbl...
Mr NewBie..
I blogged something very similar at:-
http://spaces.msn.com/members/naijacoder
Just look for :-How to configure and implement a Role based Windows
Authentication
Hope that helps
Patrick
"Mr Newbie" <he**@now.com> wrote in message
news:uP*************@TK2MSFTNGP09.phx.gbl...
Hi Kevin,

Thanks for your reply. I have managed to restrict access to roles by

using
the following in the Authentication Event in global.asax. I have hard

coded
it just for test purposes, but I can then add the allow
roles="Administrator" into the web.config and this works.

However, in my testing, I cant seem to get User.IsInRole("GroupName")
to
work, it seems that the windows group membership does not correlate to

this
function ( at least I cant get it to work. ) Do you know where these

groups
needs to be ( Local machine, Domain, Universal group etc ? and do you
have to go get the memberships etc from those groups ??

Cheers - Mr N

If Request.IsAuthenticated Then

Dim rl As System.Collections.ArrayList

rl = DataAccess.getUserRoles(User.Identity.Name)

'Convert the roleList ArrayList to a String array

Dim roleListArray As String() = {"Administrator"}
'CType(rl.ToArray(GetType(String)), String())

'Add the roles to the User Principal

HttpContext.Current.User = _

New System.Security.Principal.GenericPrincipal(User.Id entity,

roleListArray)

End If
--
Best Regards

The Inimitable Mr Newbie
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:u$****************@TK2MSFTNGP11.phx.gbl...
> Hi Mr. N,
>
> It's not clear from your post whether or not it is a requirement that your > users are in fact, Active Directory user accounts, or whether, perhaps,
> they could be some other form of "user."
>
> That is, if the requirement is that they are Active Directory users,
> and
> you have access to Active Directory via System.DirectoryServices and LDAP > (read only at least), you can create a separate database with an entry for > each user. Then you can mange the permissions that each user has via this > database, which would be entirely separate from Active Directory, other
> then the user account name being in Active Directory, and the web
> requiring an Active Directory login to access (disallow anonymous access, > in other words). If this is the case, all Active Directory user
> accounts
> would have to have permission to log in to the web site (so that your
> ASP.Net app could authenticate them via your database), and your app would > handle allowing access to different resources, or even all resources.
>
> If, on the other hand, you can neither grant all domain users access to
> the web, or you can't get read access to the Active Directory, you
> could
> allow anonymous access, employ a web login (via a web page), and use a
> database to manage the permissions in much the same way as described
> above.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> You can lead a fish to a bicycle,
> but you can't make it stink.
>
> "Mr Newbie" <he**@now.com> wrote in message
> news:%2****************@TK2MSFTNGP11.phx.gbl...
>> Hi,
>>
>> Im in a situation where I need to restrict users, but I dont have access >> or wont be allowed access to manage groups in the domain. How can I
>> restrict access is this case ?
>>
>>
>>
>> --
>> Best Regards
>>
>> The Inimitable Mr Newbie
>>
>
>



Dec 4 '05 #7

This discussion thread is closed

Replies have been disabled for this discussion.