AD Authentication using Forms - dealing with roles....

  • Question

  • User-622324082 posted

    Hello all,

    I am not really sure if this post should go in the Security section or the Active Directory / LDAP section....with that being said....

    I am looking for advice on how to best accomplish my goal(s). I am working with FORMS authentication, using Active Directory (across 2 domains). I have got authentication working correctly based upon the article at: http://msdn.microsoft.com/en-us/library/ms180890.aspx - now - my questions:

    1.  What is the best way to deal with roles?  What I would like to do is restrict access to my application so that only the users that are authorized to use the application can log in - not everyone in the AD.  My gut feeling tells me I would use an AD group for this.  Furthermore, a subset of these users in this group will be allowed to access the data maintenance forms.


    2.  Ideally, in a perfect world, I would like to write this authentication piece as a separate project - this way it could be used for multiple projects - the only thing different would be the AD groups it would be checking.  Is there a way that I could set which AD groups or roles to check in each project's web.config?


    Am I approaching this the correct way?  What is typically done?


    Thanks in advance,

    sb



    Tuesday, March 2, 2010 10:45 AM

All replies

  • User681263371 posted

    As highlighted in the article if you are adding the groups to the "GenericPrincipal" object then you can restrict users by making use of the "location" tag in web.config. Using the "location" tag you can restrict users from accessing the resources in a website based on username or roles. Sample "location" tag is pasted below.

    <!-- Restricting access to the admin folder -->
    <location path="admin">
        <system.web>
            <authorization>
                <deny users="user5"/>
                <allow users="user1, user2"/>
                <deny roles="manager,accountant"/>
                <allow roles="admin"/>
            </authorization>
        </system.web>
    </location>


    Also you can restrict users from accessing a particular file as well. Just substitute the path value with a file name with extensions.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 3, 2010 1:47 AM
  • User-622324082 posted

    2 questions on your reply,


    1.  In order to allow / deny roles, do I have to enable the role manager?  I tried to do this but when I did, my project would not compile

    2.  I have been reading about authorization in the web config file, and a couple of articles I have read say that allow should always appear before deny because the web.config file is processed top-down.  Therefore, if I wanted to, for example, deny anonymous, and allow only those in the ApplicationAdmin group, I would:

    deny users="?"
    allow roles="ApplicationAdmin"
    deny roles="*"


    Thanks

    Monday, April 5, 2010 10:03 AM
  • User681263371 posted

    The answers to your two questions are as follows.

    Answer to Q-1: No, you don't need to enable the role manager to allow/deny based on roles. You can find code on how to add roles to a logged-in user and details on the location tag in one of my blogs here: http://sandblogaspnet.blogspot.com/2008/09/tags-in-webconfig.html

    Answer to Q-2: According to MSDN this is what happens: "At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule." So what you are trying to achieve is perfect. If you want to allow everyone except a particular role, then the deny tag must precede the allow tag.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, April 6, 2010 12:51 AM
  • User-622324082 posted

    Thank you for the post.  The blog post was very interesting; however, I am still having problems....

    I am using Forms Authentication to validate against our active directory - which - at the moment works fine.

    Currently, in my web config - without any location tag because I want it to apply to my entire application:

    <authentication mode="Forms">
        <forms loginUrl="~/login.aspx" name="adAuthCookie" timeout="30" slidingExpiration="true"/>
    </authentication>
    <authorization>
        <allow roles="ApplicationUsers"/>
        <deny users="?"/>
    </authorization>
    <identity impersonate="true"/>

    When a user clicks the Login button on my login form, I have:

     

    Dim adPath As String = "LDAP://" & DomainDropDown.SelectedValue
    Dim adAuth As New ADAuthentication(adPath)

    Dim domain As String = DomainDropDown.SelectedValue
    Dim username As String = UsernameTextbox.Text
    Dim password As String = PasswordTextbox.Text

    Try
        If adAuth.IsAuthenticated(domain, username, password) Then
            Dim groups As String() = adAuth.GetGroups()
            Dim displayName As String = adAuth.GetName()

            ' Create the ticket and carry the groups in its UserData.
            ' groups.ToString() on a String() only yields "System.String[]",
            ' so join the group names with a separator that can be split again later.
            Dim isCookiePersistent As Boolean = True
            Dim authTicket As New FormsAuthenticationTicket(1, username, DateTime.Now, _
                DateTime.Now.AddMinutes(60), isCookiePersistent, String.Join("|", groups))

            ' From the sand blog: build a principal that carries the groups as roles
            Dim fi As New FormsIdentity(authTicket)
            Dim gp As New GenericPrincipal(fi, groups)

            ' Encrypt the ticket and store it in the forms authentication cookie
            Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
            Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)

            If isCookiePersistent Then
                authCookie.Expires = authTicket.Expiration
            End If

            ' Add the cookie to the outgoing cookies collection
            Response.Cookies.Add(authCookie)
            ' Mark the user as the current user. This only lasts for the current request;
            ' on every later request the principal must be rebuilt from the ticket's UserData
            ' in Application_AuthenticateRequest (Global.asax), as the MSDN article does.
            HttpContext.Current.User = gp
            ' Save the display name in the session
            Session("DisplayName") = displayName
            ' Redirect the user now
            Response.Redirect(FormsAuthentication.GetRedirectUrl(username, False))
        Else
            ErrorLabel.Text = "Authentication failed.  Check user name and password"
        End If
    Catch ex As Exception
        ' Directory errors (bad LDAP path, unreachable domain controller) end up here
        ErrorLabel.Text = "Error authenticating. " & ex.Message
    End Try



    The issue - I have not added myself to an AD Security Group "ApplicationUsers" - yet, when I authenticate with a valid username and password (still not in that security group), I am still redirected to the page when that is not what I want to happen.

    If the user trying to authenticate is not a member of "ApplicationUsers" AD Security Group, they should be denied access.

    Once I get this working, I have a specific area of my application that will be locked down to ApplicationAdmin users - where I will use the location element in the web.config file.


    Am I doing something wrong here?  I have tried using a deny roles="*" before and after I allow roles and the project will not even run.


    Thanks again

    sb

    Tuesday, April 6, 2010 4:14 PM
  • User-622324082 posted

    Not sure why I am getting all of the <br> tags in my code....


    sorry.

    Tuesday, April 6, 2010 4:20 PM
  • User-622324082 posted

    I finally got this.


    In my web config, I needed -


    <allow roles="AppUsers"/>
    <deny users="*"/>


    And this worked fine.  Thank you for the direction

    Monday, April 12, 2010 4:24 PM
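The reply quoting MSDN above (first matching rule wins, most local config first) and the fix posted here both come down to how the URL authorization module walks the allow/deny list. The following is an added example, not code from the thread, the MSDN article or Microsoft: a small model of that evaluation, run over the three `<authorization>` blocks quoted in this thread (constructed here as string constants). It assumes two things about the real module: that the machine-level root web.config ends every lookup with an implicit `<allow users="*"/>`, and that user names and role names are matched case-insensitively.

```python
"""Model of ASP.NET URL authorization (UrlAuthorizationModule) rule evaluation.

Added example for the thread above; not the module's own source. Assumptions:
the implicit root <allow users="*"/> default and case-insensitive matching.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    users: Tuple[str, ...] = ()  # user names, or "*" (everyone) / "?" (anonymous)
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Principal:
    name: Optional[str]          # None models an anonymous (unauthenticated) request
    roles: frozenset = frozenset()


# Assumed: the machine-level root web.config closes every lookup with
# <allow users="*"/>, so a request matching no explicit rule is ALLOWED (fail open).
ROOT_DEFAULT: List[Rule] = [Rule("allow", users=("*",))]


def parse_authorization(xml_text: str) -> List[Rule]:
    """Turn an <authorization> fragment into rules, preserving document order."""
    def split(attr: str) -> Tuple[str, ...]:
        return tuple(p.strip() for p in attr.split(",") if p.strip())

    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append(Rule(el.tag, split(el.get("users", "")), split(el.get("roles", ""))))
    return rules


def matches(rule: Rule, user: Principal) -> bool:
    """Does this rule apply to the user? Matching is case-insensitive (assumed)."""
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and user.name is None:
            return True
        if user.name is not None and u.lower() == user.name.lower():
            return True
    if user.name is not None:  # an anonymous user is in no role at all
        have = {r.lower() for r in user.roles}
        if any(r.lower() in have for r in rule.roles):
            return True
    return False


def is_authorized(sections: Sequence[List[Rule]], user: Principal) -> bool:
    """First matching rule wins. `sections` is ordered most-local first
    (e.g. [<location path="admin"> rules, application root rules]);
    the implicit root default is consulted last."""
    for section in list(sections) + [ROOT_DEFAULT]:
        for rule in section:
            if matches(rule, user):
                return rule.action == "allow"
    return True  # not reached: ROOT_DEFAULT matches everyone


# Constructed inputs: the <authorization> blocks quoted in this thread.
OP_FIRST_ATTEMPT = """<authorization>
  <allow roles="ApplicationUsers"/>
  <deny users="?"/>
</authorization>"""

OP_FIX = """<authorization>
  <allow roles="AppUsers"/>
  <deny users="*"/>
</authorization>"""

ADMIN_LOCATION = """<authorization>
  <deny users="user5"/>
  <allow users="user1, user2"/>
  <deny roles="manager,accountant"/>
  <allow roles="admin"/>
</authorization>"""


def check_app_root(config_xml: str, user: Principal) -> bool:
    """Authorization for a URL covered only by the application root web.config."""
    return is_authorized([parse_authorization(config_xml)], user)


def check_admin_folder(user: Principal) -> bool:
    """Authorization for /admin: <location> rules first, then the fixed root rules."""
    return is_authorized([parse_authorization(ADMIN_LOCATION),
                          parse_authorization(OP_FIX)], user)


if __name__ == "__main__":
    sb_not_member = Principal("sb", frozenset())
    print(check_app_root(OP_FIRST_ATTEMPT, sb_not_member))   # True: valid AD login, not in the group, still let in
    print(check_app_root(OP_FIX, sb_not_member))             # False: deny users="*" closes the gap
    print(check_admin_folder(Principal("bob", frozenset({"manager", "admin"}))))  # False: deny manager comes first
```

Running this shows why the first attempt redirected a user who was not in ApplicationUsers: an authenticated non-member matches neither `allow roles` nor `deny users="?"`, falls through to the root default, and is allowed. Ending with `deny users="*"` is what turns the list into a whitelist. The same walk also shows a gap in the `admin` location block as posted: a user who is in AppUsers but holds none of the listed roles matches nothing in the location block, falls through to the application root, and is allowed into /admin; a trailing `<deny users="*"/>` inside the location block is needed to make that folder exclusive to the admin role.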
  • User681263371 posted

    Sorry man, I was not in town so couldn't reply to your post. Went to attend the Microsoft Tech-Ed in Bangalore.  Anyways, I am happy that you solved the issue. Great work man.

    Friday, April 16, 2010 12:19 AM