Using Windows Authentication in ASP.NET - Adding properties to users

On Feb 27, 9:32 am, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

Guys,

I'm unsure how to use windows authentication in an intranet application. I'd
like to user existing windows account to identify users however the issue I
have is how to then add settings to those users and map them to roles.

If I'd like to restrict the windows users which log on and what tasks they
can perform in the application how should I do this? Presumably I'd need one
user to log in initially and perform admin type tasks e.g. assign windows
users permissions to use the application, how should I do this? How do I
create the first user who can log in?

Best Regards

Matt

It depends on where do you want to have the user roles.

If you want to have the roles in the intranet application

Set the authentication mode to "Windows" and use the
User.Identity.Name property to identify your user. In the application
make a database with users/roles and query that database to set the
roles. For example it can be done in the global.asax within the
AuthenticateRequest

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
EventArgs)

If Request.IsAuthenticated = True Then

Dim roles() As String

..... code to assign roles() here........

Context.User = New GenericPrincipal(Context.User.Identity, roles)

End If

End Sub

After that you will be able to find if the user has rights or not
using if User.IsInRole("marketing_admin") then....

Something like this.

Thanks Alexey

However how would I use the existing user store from the membership API i.e.
there are user tables

1) aspnet_Membership
2) aspnet_Users

Should I create a new User table which contains the windows log in name e.g.
MICROSOFT\BGATES and then use a record in the member ship tables for other
data such as full name / email address e.t.c.?

Let me know your thoughts as I haven't seen any good examples showing a user
system set up with windows authentication

Best Regards

Matt

"Alexey Smirnov" <al************@gmail.comwrote in message
news:11**********************@8g2000cwh.googlegrou ps.com...

On Feb 27, 9:32 am, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

>Guys,

I'm unsure how to use windows authentication in an intranet application.
I'd
like to user existing windows account to identify users however the issue
I
have is how to then add settings to those users and map them to roles.

If I'd like to restrict the windows users which log on and what tasks
they
can perform in the application how should I do this? Presumably I'd need
one
user to log in initially and perform admin type tasks e.g. assign windows
users permissions to use the application, how should I do this? How do I
create the first user who can log in?

Best Regards

Matt

It depends on where do you want to have the user roles.

If you want to have the roles in the intranet application

Set the authentication mode to "Windows" and use the
User.Identity.Name property to identify your user. In the application
make a database with users/roles and query that database to set the
roles. For example it can be done in the global.asax within the
AuthenticateRequest

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
EventArgs)

If Request.IsAuthenticated = True Then

Dim roles() As String

.... code to assign roles() here........

Context.User = New GenericPrincipal(Context.User.Identity, roles)

End If

End Sub

After that you will be able to find if the user has rights or not
using if User.IsInRole("marketing_admin") then....

Something like this.

On Feb 27, 2:08 pm, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

Thanks Alexey

However how would I use the existing user store from the membership API i.e.
there are user tables

1) aspnet_Membership
2) aspnet_Users

No, I suggested to use "Windows authentication", not a "Form
authentication".

Should I create a new User table which contains the windows log in name e.g.
MICROSOFT\BGATES and then use a record in the member ship tables for other
data such as full name / email address e.t.c.?

Yes, my idea was to use such tables like AspNetAccessProvider does,
where you can assign MICROSOFT\BGATES to his roles. At the same time,
all information like full name / email address and so on is available
in Active Directory (AD) and this can be a second approach you have to
think of. I said nothing about it in the first post because this way
could be more complex to implement. In this case you can call the
information about group membership, and user profile directly from AD.
How to do that - please google for "ASP.NET Active Directory" - I'm
sure you can find many simple examples you can test. In my experience,
it is better to work with AD through a custom COM+ (can be developed
e.g. in VB6) because of the security reasons. All AD-related functions
could be included in this COM+ and used from ASP.NET. I can give you
more details later on if you'll decide to go this way...

I'm confused as AspNetAccessProvider is for microsoft Access.

I don't actually want to extract any information from active directory I
just wanted to use the windows log in name and associate this with user
details held within the application. I presume I could have done this using
a combination of the records in aspnet_Membership aspnet_Users with another
user table.

"Alexey Smirnov" <al************@gmail.comwrote in message
news:11*********************@h3g2000cwc.googlegrou ps.com...

On Feb 27, 2:08 pm, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

>Thanks Alexey

However how would I use the existing user store from the membership API
i.e.
there are user tables

1) aspnet_Membership
2) aspnet_Users

No, I suggested to use "Windows authentication", not a "Form
authentication".

>Should I create a new User table which contains the windows log in name
e.g.
MICROSOFT\BGATES and then use a record in the member ship tables for
other
data such as full name / email address e.t.c.?

Yes, my idea was to use such tables like AspNetAccessProvider does,
where you can assign MICROSOFT\BGATES to his roles. At the same time,
all information like full name / email address and so on is available
in Active Directory (AD) and this can be a second approach you have to
think of. I said nothing about it in the first post because this way
could be more complex to implement. In this case you can call the
information about group membership, and user profile directly from AD.
How to do that - please google for "ASP.NET Active Directory" - I'm
sure you can find many simple examples you can test. In my experience,
it is better to work with AD through a custom COM+ (can be developed
e.g. in VB6) because of the security reasons. All AD-related functions
could be included in this COM+ and used from ASP.NET. I can give you
more details later on if you'll decide to go this way...

On Feb 27, 5:40 pm, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

I'm confused as AspNetAccessProvider is for microsoft Access.

take a look here

http://weblogs.asp.net/scottgu/pages...QL-Server.aspx

Thanks, how would you give the first ever user though who could be an
adminstrator and log in to assign new roles to existing windows users. This
bit is unclear to me.

"Alexey Smirnov" <al************@gmail.comwrote in message
news:11**********************@a75g2000cwd.googlegr oups.com...

On Feb 27, 5:40 pm, "Matt Adamson" <Adamson_Matt...@hotmail.com>
wrote:

>I'm confused as AspNetAccessProvider is for microsoft Access.

take a look here

http://weblogs.asp.net/scottgu/pages...QL-Server.aspx