Form Authentication with AD Groups

  • Question

  • User-845854015 posted

    Hi

    I have configured my web.config to use forms mode authentication, but with an AD provider. It is working great; people can log in with their AD accounts.

    But now I have to build something more secure, because some extra pages have been made, and not everyone should be able to locate the new sites.

    This example is working:

      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users="user" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

    This is not working. I think it is because it can't look up the user's membership or something?

      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow roles="domain\group" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

    Friday, July 11, 2014 4:56 AM

Answers

  • User1508394307 posted

    No, it's not.

    Well, I'm not sure how you configured it, but this is not Windows Authentication. In order to use domain\user and domain\group you should use

    <authentication mode="Windows" />

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 14, 2014 11:30 AM

All replies

  • User475983607 posted

    It sounds like role-level security is needed. Add users to AD groups and use the groups for determining code-level and directory access.

    Saturday, July 12, 2014 11:04 AM
  • User-845854015 posted

    I already made my AD groups, but the code doesn't seem to work...

    Monday, July 14, 2014 4:51 AM
  • User475983607 posted

    I've used this method many times. Create a folder, place ASPX pages in the folder, and secure the folder with a web.config file which allows access to one of the AD groups and not the other. The same type of functionality is available in code.

    I already made my AD groups, but the code doesn't seem to work...

    Post your problematic code.

    Monday, July 14, 2014 7:16 AM
  • User1508394307 posted

    Kristian, is your group a security group, not a distribution list? Is it a nested group?

    Monday, July 14, 2014 7:30 AM
  • User-845854015 posted

    It is a security group.

    The code that is not working is this:

      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow roles="domain\group" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

    If I log in with a user in the defined AD security group for allow roles, I get access denied.

    Monday, July 14, 2014 7:57 AM
  • User1508394307 posted

    When you say it is working with <allow users="user" />, is user also specified in the format of "domain\user"?

    Monday, July 14, 2014 8:24 AM
  • User-845854015 posted

    No, it's not.

    But I also tried with allow roles without the domain name, no luck.

    Monday, July 14, 2014 8:26 AM
  • User-845854015 posted

    But I log in with my AD credentials :)

    Monday, July 14, 2014 8:26 AM
  • User-845854015 posted

    I think I should change to Windows authentication instead.

    Monday, July 14, 2014 8:27 AM
  • User475983607 posted

    I think I should change to Windows authentication instead.

    Yes, you need Windows Auth configured to use the default functionality.

    I've done it the other way as well, where an AD group is authenticated to access the application. Application access was very granular. The application admin created and assigned roles to the users.

    Monday, July 14, 2014 12:03 PM
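
The configuration the accepted answer points to, written out as an added example that is not part of the original thread. The group name EXAMPLE\WebAdmins is a placeholder, and the sketch assumes IIS has Windows Authentication enabled and Anonymous Authentication disabled for the site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Windows mode: IIS authenticates the caller and ASP.NET receives a
         Windows identity, so roles="DOMAIN\group" is checked against the
         user's AD security group membership. -->
    <authentication mode="Windows" />

    <!-- Site-wide default: reject anonymous callers ("?" = unauthenticated). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page rule. Rules are evaluated top to bottom and the first match
       wins, so the allow entry must come before the catch-all deny. -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <!-- Placeholder group name: replace with a real security group. -->
        <allow roles="EXAMPLE\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Under Windows authentication the user name is presented as DOMAIN\user, so any `<allow users="..." />` entries need the domain prefix as well.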