Can we get a logged in user's AD groups without needing a password?

  • Question

  • User1719096532 posted

    An intranet app has a requirement that we get the logged in user's AD groups when they first navigate to the site without the user having to supply their password. I currently have this working by impersonating a privileged user in web.config, and by checking "integrated windows authentication" and unchecking "anonymous access" in IIS so that we are able to get to the logged in user's domain and user name. However the sponsor of the project believes we shouldn't have to provide any other credentials, like for impersonation in the config file.

    Is anybody doing this, or does anybody know if it can be done? I've been trying different things now for a day and a half and nothing seems to work without impersonating a specific credentialed user.

    Thanks,

    David

     

    Friday, November 14, 2008 10:08 AM

Answers

  • User1719096532 posted

    This is from Ryan Dunn:   

        using System.Security.Principal;
        using System.Text;
        using System.Web;

        // Reads the caller's group memberships from the Windows token that IIS already
        // authenticated (Integrated Windows Authentication). No impersonation of a
        // privileged account is needed because User.Identity is built from that token.
        protected string GetGroups()
        {
            StringBuilder grps = new StringBuilder();

            WindowsIdentity user = User.Identity as WindowsIdentity;
            if (user == null || user.IsAnonymous)
            {
                return grps.ToString(); // no Windows token (anonymous or non-Windows auth)
            }

            // Groups holds SIDs; translate them to DOMAIN\Name form. SIDs that cannot be
            // mapped (e.g. deleted groups) stay as SecurityIdentifier, hence the type check.
            IdentityReferenceCollection ntgroups = user.Groups.Translate(typeof(NTAccount));

            foreach (IdentityReference group in ntgroups)
            {
                if (group is NTAccount)
                {
                    // HTML-encode before the value is written into the page
                    grps.Append(HttpUtility.HtmlEncode(group.ToString())).Append("<br />");
                }
            }

            return grps.ToString();
        }

    Works very well.

    David

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, November 20, 2008 2:52 PM

All replies

  • User1510022551 posted

    Check out Scott Guthrie's excellent recipe on how to enable Windows Authentication for an ASP.NET application:

    http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx

    Friday, November 14, 2008 10:44 AM
  • User1719096532 posted

    Ok. Thanks, Andreas.

     David

    Friday, November 14, 2008 11:06 AM
  • User1719096532 posted

    OK, that's a great article, but it doesn't really address our situation. The requirement is to get the currently logged on user's AD groups without having the user re-enter their password on the web site, and without having to impersonate a more credentialed user name and password in web.config.

    The web page in question is a portal page that will have links to many different applications, each of which will have its own set of AD groups that determine who can access and do and see what. When a user goes to the portal page, the plan is to get a list of the logged on user's AD groups, write it to a session variable, then check the variable for authorizations/memberships at the link destination page. The portal page also will give the user the opportunity to log in to it as someone else, say a more privileged user, and this list of groups would then overwrite the group list first obtained for the logged on (to the computer) user. 

    Thanks for any insight or suggestion.

    David 

     

     

    Friday, November 14, 2008 12:12 PM
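The approach in the accepted answer (reading `WindowsIdentity.Groups` from the token IIS already authenticated) applied to the portal design described in this post, as an added example that is not code from the thread or from any of its participants. It assumes web.config contains `<authentication mode="Windows" />` with anonymous access denied (the IIS settings the question describes), so that `HttpContext.User.Identity` is a `WindowsIdentity` built from the caller's Kerberos/NTLM logon; no `<identity impersonate="true" userName="..." password="..." />` element is involved in either path. The `PortalGroups` class, its method names and the session key are hypothetical. Groups are cached as SIDs rather than names so the check at the destination page does not depend on name resolution. The "log in as someone else" path validates the alternate credentials with the Win32 `LogonUser` API and replaces the cached list with that account's token groups.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added example, not from the original thread. Assumes Windows authentication is
// enabled and anonymous access denied, so ctx.User.Identity is a WindowsIdentity.
public static class PortalGroups
{
    private const string SessionKey = "PortalGroupSids"; // hypothetical session key

    // Snapshot the group SIDs carried in an authenticated token. The token list
    // already contains nested groups and well-known groups (Everyone, Authenticated
    // Users); nothing here asks for a password or impersonates another account.
    public static HashSet<string> GroupSidsFor(WindowsIdentity identity)
    {
        HashSet<string> sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (identity == null || identity.IsAnonymous || identity.Groups == null)
            return sids;
        foreach (IdentityReference g in identity.Groups)
            sids.Add(g.Value); // SID string form, e.g. S-1-5-21-...-1105
        return sids;
    }

    // Portal page: cache the logged-on user's groups from the token IIS authenticated.
    public static void CacheCurrentUser(HttpContext ctx)
    {
        WindowsIdentity id = ctx.User.Identity as WindowsIdentity;
        if (id == null)
            throw new InvalidOperationException("Windows authentication is not enabled for this request.");
        ctx.Session[SessionKey] = GroupSidsFor(id);
    }

    // Destination page: is the cached user a member of the given DOMAIN\Group?
    // The group name is resolved to its SID once so the comparison is exact.
    // An unknown group name throws IdentityNotMappedException (a configuration error).
    public static bool IsInGroup(HttpContext ctx, string domainGroup)
    {
        HashSet<string> cached = ctx.Session[SessionKey] as HashSet<string>;
        if (cached == null)
            return false; // no snapshot in session: fail closed
        SecurityIdentifier sid =
            (SecurityIdentifier)new NTAccount(domainGroup).Translate(typeof(SecurityIdentifier));
        return cached.Contains(sid.Value);
    }

    // "Log in as someone else": validate the supplied credentials against the domain
    // and overwrite the cached list with that account's token groups. A network logon
    // is used because only the group list is needed, and the handle is closed as soon
    // as the groups have been read.
    public static void CacheAlternateUser(HttpContext ctx, string domain, string userName, string password)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            throw new UnauthorizedAccessException("Logon failed, Win32 error " + Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so our own handle can be closed below.
            WindowsIdentity alt = new WindowsIdentity(token);
            ctx.Session[SessionKey] = GroupSidsFor(alt);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);
}
```

Two caveats for anyone building this. The no-password requirement only holds for the account already logged on to the workstation; the alternate-login path necessarily takes the other account's password, so that form should only be served over HTTPS. The cached group list is a snapshot taken when the user hits the portal, so a membership change in AD is not reflected until a new session starts.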