Authorization for an entire Group in ActiveDirectory

  • Question

  • User176308419 posted
    I have successfully setup the ActiveDirectoryMembershipProvider.  I am able to login to the application and it successfully checks passwords against AD.  However, rather than specify a long list of users in the <allow users=> tag of the web.config, I would rather have something like <allow roles=..>
     and grant authorization based on UserGroups that are setup in ActiveDirectory.  Has anyone ever done this or know of a way to do it?
    Monday, February 13, 2006 8:29 PM

All replies

  • User1354132231 posted
    Are you using ADAM or AD?  I thought you could use "<allow roles="domain\group name"/>" for AD and for ADAM, you would probably use the CN <allow roles="group cn" />

    Tuesday, February 14, 2006 11:34 AM
  • User176308419 posted

    I tried the syntax you suggested for allowing roles, but still no luck.  I am using AD.  Here is a snippet of my web.config.

    <system.web>
      <compilation debug="true" />
      <authentication mode="Forms">
        <forms name=".ADAuthCookie" timeout="60" />
      </authentication>
      <authorization>
        <allow roles="khs\exceed" />
        <deny users="*" />
      </authorization>
      <membership defaultProvider="MyADMembershipProvider">
        <providers>
          <add name="MyADMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=,
               Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>
    </system.web>


    I know that it is authenticating because if I allow only authenticated users, it works just fine, I just can't seem to give access to one group.  Also, I noticed that after I do authenticate and I check User.IsInRole("rolename"), it will always return false.  It is like it is not retrieving all of the user's information.  Any ideas?

    Tuesday, February 14, 2006 2:29 PM
  • User1354132231 posted
    The easiest way to figure out what it is looking for is to check the User object in the debugger.  It is probably a GenericPrincipal object and it should have a private 'm_roles' variable you can check to see what it is.  Just use the same format.  If it has stripped off the domain name and only uses the group name, you will see it here.

    Tuesday, February 14, 2006 2:34 PM
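    The check described in the reply above, as an added example (not code posted by anyone in this thread): a C# helper for an ASP.NET 2.0 page that reports what the current principal actually holds, so the role name in web.config can be matched to it. The role spellings probed are the ones from the web.config snippet above; the helper name and the reflection read of the private m_roles field are assumptions about the GenericPrincipal internals the reply refers to.

```csharp
using System;
using System.Reflection;
using System.Security.Principal;
using System.Text;

// Hypothetical helper (added example): dump what the current principal contains so the
// role name used in <allow roles="..."/> can be matched to what IsInRole actually sees.
public static class PrincipalDump
{
    // Candidate role spellings taken from the thread; both formats are probed.
    static readonly string[] Candidates = { @"khs\exceed", "exceed" };

    public static string Describe(IPrincipal user)
    {
        if (user == null) return "User is null (not authenticated)";
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Principal type : " + user.GetType().FullName);
        sb.AppendLine("Identity name  : " + user.Identity.Name);
        sb.AppendLine("Auth type      : " + user.Identity.AuthenticationType);
        sb.AppendLine("Authenticated  : " + user.Identity.IsAuthenticated);
        foreach (string role in Candidates)
            sb.AppendLine("IsInRole(\"" + role + "\") = " + user.IsInRole(role));

        // GenericPrincipal keeps its roles in a private string[] named m_roles (the field the
        // reply suggests inspecting). Read it via reflection so the role format, or the absence
        // of any roles at all, is visible without attaching a debugger to the server.
        FieldInfo f = user.GetType().GetField("m_roles",
            BindingFlags.Instance | BindingFlags.NonPublic);
        string[] roles = f != null ? f.GetValue(user) as string[] : null;
        if (roles == null)
            sb.AppendLine("No m_roles field on this principal type");
        else if (roles.Length == 0)
            sb.AppendLine("m_roles is empty: no roles were attached to this principal");
        else
            sb.AppendLine("m_roles: " + string.Join(", ", roles));
        return sb.ToString();
    }
}
```

    From a page that only authenticated users can reach, write PrincipalDump.Describe(HttpContext.Current.User) into a <pre> block; if m_roles is empty, no spelling in <allow roles> will ever match.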
  • User225542415 posted

    I have the same problem/challenge :)

    The login control works fine against AD, but the user gets logged in, no matter which group he/she is in. I have to make it so only members of certain groups are allowed to login.

    I tried with the allow roles in the web.config, but when I try to log in, it just reloads the login page with no errors. Does it matter where the group is made in AD, does it have to be in the root level?

    The problem is that I cannot debug it, because it is on another server, so I can't get the GenericPrincipal object at runtime.

    Wednesday, October 4, 2006 8:50 AM