
WindowsTokenRoleProvider Anyone?

Hey All, I'm attempting to put together a "secure" ASP.NET 2.0
application with one requirement that has given me a bit of grief: In a
nutshell, if the user's session expires then they should be forced to
re-authenticate with the application by providing logon credentials.
These credentials are currently Active Directory domain accounts. This
is to prevent the user from walking away from their workstation and
another user walking up and accessing the application using their
perhaps still unexpired session. Yes, I know there are better ways to
enforce this kind of security but lets pretend the web app has to do it
all, 'kay?

In my experience, the easy way to implement security with domain users
is to use the Windows Authentication model built in to ASP.NET. The
problem with this is that the browser, IE6, caches any previously
supplied credentials until it is closed. So, once they log in to the app
the first time they never get prompted to do it again...even if their
session expires. Only way to clear the credential cache is to close the
browser. That won't work as it needs to be implicit. They just
carelessly walked away, remember?

So, to have the programmatic control over the authentication mechanism
seems to leave only one choice in this scenario: Forms Authentication.
Hmm, how to get Forms Auth to secure an app so that only domain users in
a given global group are permitted to log in? 2.0 Membership provider to
the rescue! Well, not exactly. "ActiveDirectoryMembershipProvider" and
"WindowsTokenRoleProvider" seem to be up to the task, but I'm hitting an
error not even the mighty Google Search can shed any light on:

[Begin Error]
Method is only supported if the user name parameter matches the user
name in the current Windows Identity.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details: System.Configuration.Provider.ProviderException:
Method is only supported if the user name parameter matches the user
name in the current Windows Identity.

[Clip]

Stack Trace:

[ProviderException: Method is only supported if the user name parameter
matches the user name in the current Windows Identity.]

System.Web.Security.WindowsTokenRoleProvider.GetCurrentWindowsIdentityAndCheckName(String userName) +2182633

[End Error]

I don't know what to make of this. The error seems to imply the need for
impersonation, which would be bad if true. Problem is, even with
impersonation turned on there is still no joy (same error). Another
thought is that it wants the full domain\account syntax in the login
control. No, that just fails to authenticate entirely. It's probably
something obvious and I'm just too tired to think straight.

My implementation is straight out of MSDN AFAICT. So, before I go down
the custom-provider road which overrides the offending method into
oblivion, does anybody have any other ideas? Thanks for reading this far!

-Lee

Here is my web.config for those patient enough to endure all this:

<!-- ***BEGIN SECURITY CONFIGURATION*** -->
<authentication mode="Forms">
  <forms name=".AMSFORMSAUTH"
         loginUrl="~/Logon.aspx"
         defaultUrl="~/Default.aspx"
         protection="All"
         timeout="10"
         path="/"
         requireSSL="true"
         slidingExpiration="true"
         cookieless="UseDeviceProfile"
         domain=""
         enableCrossAppRedirects="false" />
</authentication>
<authorization>
  <deny users="?" />
  <allow roles="[The domain group for this app]" />
  <deny users="*" />
</authorization>
<membership defaultProvider="ExtranetActiveDirectoryMembershipProvider">
  <providers>
    <add name="ExtranetActiveDirectoryMembershipProvider"
         connectionStringName="ActiveDirectoryConnectionString"
         connectionUsername="[Removed domain account]"
         connectionPassword="[Removed account password]"
         attributeMapUsername="sAMAccountName"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<roleManager defaultProvider="ExtranetActiveDirectoryRoleProvider"
             enabled="true"
             cacheRolesInCookie="false">
  <providers>
    <add name="ExtranetActiveDirectoryRoleProvider"
         type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
<!-- ***END SECURITY CONFIGURATION*** -->

The connection string:

<add name="ActiveDirectoryConnectionString" connectionString="[Removed perfectly good LDAP path to domain]" />
Mar 23 '06 #1
On Thu, 23 Mar 2006 13:41:41 -0800, progrock wrote:
I don't know what to make of this. The error seems to imply the need for
impersonation, which would be bad if true. Problem is, even with
impersonation turned on there is still no joy (same error). Another
thought is that it wants the full domain\account syntax in the login
control. No, that just fails to authenticate entirely. It's probably
something obvious and I'm just too tired to think straight.


I don't think you understand what impersonation does in this context. With
FormsAuthentication, impersonation either impersonates Worker process or
the user credentials supplied in the web.config. It doesn't impersonate
the user logging in. That's why you get the error even when using
impersonation.

WindowsTokenRoleProvider doesn't work very well with FormsAuthentication.

A better approach is to use Authorization Manager (aka AzMan), though this
is a little more complex to set up and requires support from your
administrator.
Mar 24 '06 #2
I had this same issue and with a few lines of code was able to overcome it. Create a new class named MyWindowsTokenRoleProvider and inherit WindowsTokenRoleProvider. Then simply override the GetRolesForUser and create your own ActiveDirectory search to retrieve the user groups. In doing this, keep in mind that the groups returned may not have the domain extension if you don't attach the domain to it.

web.config entry:
<roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="WindowsProvider" type="MyWindowsTokenRoleProvider" />
  </providers>
</roleManager>

the override method should look something like the following:

using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Web.Security;

public class MyWindowsTokenRoleProvider : WindowsTokenRoleProvider
{
    public override string[] GetRolesForUser(string username)
    {
        List<string> roles = new List<string>();
        // keep only the account part of a user@domain login
        string[] user = username.Split(new char[] { '@' });
        using (DirectorySearcher search = new DirectorySearcher())
        {
            // user[0] goes into the filter verbatim; escape it (RFC 4515) if the login form accepts arbitrary input
            search.Filter = String.Format("(sAMAccountName={0})", user[0]);
            // memberOf holds the distinguishedName of each group the user is a direct member of
            search.PropertiesToLoad.Add("memberof");
            SearchResult result = search.FindOne();
            if (result != null)
            {
                // resolve each group DN to the group's sAMAccountName
                for (int counter = 0; counter < result.Properties["memberof"].Count; counter++)
                {
                    using (DirectorySearcher groupSearch = new DirectorySearcher())
                    {
                        // filter on distinguishedName to find the group object
                        groupSearch.Filter = String.Format("(distinguishedName={0})", (string)result.Properties["memberof"][counter]);
                        // sAMAccountName is the group's name without the domain qualifier
                        groupSearch.PropertiesToLoad.Add("SAMAccountName");
                        SearchResult srGroup = groupSearch.FindOne();
                        if (srGroup != null && srGroup.Properties["samaccountname"].Count > 0)
                        {
                            roles.Add((string)srGroup.Properties["samaccountname"][0]);
                        }
                    }
                }
            }
        }
        return roles.ToArray();
    }
}

Good Luck!
Apr 26 '06 #3
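A variant of the override above, added here as an editor's example rather than the poster's code: it escapes the login name before it goes into the LDAP filter and reads the user's tokenGroups attribute instead of memberOf, so nested groups and the primary group are returned in the same DOMAIN\Group form the stock provider produces. The class name TokenGroupsRoleProvider is hypothetical, and it assumes the identity the searcher binds with (the worker process or the web.config impersonation account, as the second reply explains) is allowed to read the user object.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web.Security;

// Hypothetical class name; register it in <roleManager> the same way as MyWindowsTokenRoleProvider above.
public class TokenGroupsRoleProvider : WindowsTokenRoleProvider
{
    // Escape a value for use inside an LDAP filter (RFC 4515), so a crafted login name cannot rewrite the filter.
    public static string EscapeFilterValue(string value)
    {
        // backslash first, so the escape sequences added afterwards are not escaped again
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }

    public override string[] GetRolesForUser(string username)
    {
        List<string> roles = new List<string>();
        string account = username.Split('@')[0]; // drop a UPN suffix if the user typed one
        using (DirectorySearcher search = new DirectorySearcher())
        {
            search.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(account) + "))";
            SearchResult result = search.FindOne();
            if (result == null) return roles.ToArray();
            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute holding the SID of every security group the
                // user belongs to, nested groups and the primary group included; memberOf lists only
                // direct memberships, so an <allow roles="..."/> rule on a nested group would be missed.
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try
                    {
                        // Yields DOMAIN\GroupName, the same form the stock WindowsTokenRoleProvider returns
                        roles.Add(((NTAccount)sid.Translate(typeof(NTAccount))).Value);
                    }
                    catch (IdentityNotMappedException)
                    {
                        // SID that no longer maps to an account (deleted group, unreachable trusted domain): skip it
                    }
                }
            }
        }
        return roles.ToArray();
    }
}
```

Because roles come back as DOMAIN\Group, the `<allow roles="...">` entry in web.config must use that same form.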
