I'm creating an intranet site that uses Forms authentication to
validate users against an Active Directory. Users need to be able to
login both from work and remotely. Then I want to be able to do two
things: (1) Check whether a user is in an AD group and (2) enforce NTFS
permissions based on AD username.
First scenario: "Joe" logs in to the web site from home using his
domain username and password. Joe should see certain content on the web
site based on his AD group membership. Let's say he's in Marketing, so
I'd like to be able to check whether User.IsInRole("Marketing"). Right
now when I try that, I get a message saying: "Method is only supported
if the user name parameter matches the user name in the current Windows
Identity." Is this because I've set the app to use the
AspNetWindowsTokenRoleProvider? Does that only work if he is physically
logged into a computer on the AD domain? Is there a way to emulate the
Windows Identity? Or should I be using a different role provider?
Second scenario: Joe has certain permissions to network resources that
need to be enforced. For example, a web folder (WebDAV) with financial
data allows members in group "Marketing" read access only. It is
enforced when he physically logs into the AD domain at work, but it
should also be enforced when he logs in from the road. Right now I'm
using <identity impersonate="true"/> - hoping it will use his username
"Joe" rather than the ASP.NET worker process to access that folder. Is
that the right way to approach the problem?
Currently I'm developing the site on a Windows XP machine using VS2005
and the built-in ASP web server. The production web server will be
Windows 2003, and the AD domain itself is Windows 2000. Any help is
much appreciated. Here are the relevant snippets from my web.config
file:
<connectionStrings>
<add name="ADConnectionString"
connectionString="LDAP://machine.domain.com/CN=Users,DC=machine,DC=domain,DC=com"
/>
</connectionStrings>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider" />
<identity impersonate="true"/>
<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<membership defaultProvider="MyADMembershipProvider">
<providers>
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershi pProvi der"
connectionStringName="ADConnectionString"
connectionUsername="domain\user" connectionPassword="password"
attributeMapUsername="sAMAccountName" enableSearchMethods="true" />
</providers>
</membership>
