
I have a different access role for each of the pages in my application (using Windows Authentication) to restrict user access, using SqlRoleProvider. So to add a user to a role, I would go:

Roles.AddUserToRole(userName, roleName);

Now, I need to integrate the company's AD groups into my application, such that each AD group will be assigned these access roles as well, and users who are part of a certain AD group will automatically "inherit" the roles.

My questions are:

Can I continue to use my SQL tables like aspnet_Users, aspnet_Roles etc?

How do I go about integrating AD groups? And how do I assign roles to AD groups? (So far, I can check all the AD groups a user is part of using `DirectoryEntry`.)

As a user logs in to the application using Windows Authentication, after I check that they are part of a particular AD group, how do I "give" or "assign" them the roles for that AD group?

Would deeply appreciate your help with these questions.

viv_acious

1 Answer


The AD ASP.NET Membership and Roles system ties directly into AD; your database tables are ignored. An AD group becomes an ASP.NET Membership role.

The rest of my post is concerned with applications modifying AD groups directly:

You can, with great difficulty, but in that case it is not recommended.

Active Directory group membership is assigned by another user who is a member of the Domain Admins group, or is delegated the permission to assign users to other groups.

In order to do this from code (using ADSI) your program would then need to run under (or use an impersonation token of) a user identity that is a member of the Domain Admins group or is delegated that user right.

...this means that your program is suddenly trusted with an ability that, if hacked or abused, can wreak havoc in your security domain. I do not recommend doing this.

Documentation is available on MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa706022%28v=vs.85%29.aspx

Dai
  • Thanks so much for your response - I am not quite sure about the 2nd part of your response. I don't really need to modify AD groups..I just need to allow users who are PART OF certain AD groups to have certain "roles" (created by me). These "roles" determine whether they have access to pages within the application. Could you please advise how you'd go about accomplishing this? :) – viv_acious Sep 25 '12 at 04:41
  • Just check the `.IsInRole()` method. See here: http://stackoverflow.com/questions/4366090/c-sharp-check-if-the-user-member-of-a-group – Dai Sep 25 '12 at 04:43
  • Hmm maybe I am not getting something? – viv_acious Sep 25 '12 at 04:47
  • When I use SqlRoleProvider, I use .IsInRole() to check whether the user is part of the roles I created. However, when I switched to using AD groups (WindowsTokenRoleProvider), it ignores the roles I created, and now when I use .IsInRole() it only checks for AD groups. I guess what I'm trying to do is somehow link the AD groups to the SQL roles? So users part of an AD group can be assigned to those SQL roles? – viv_acious Sep 25 '12 at 04:49
  • I'm afraid you can't do that by default. You would have to implement your own RoleProvider that includes that functionality. – Dai Sep 25 '12 at 05:32
  • hmm okay! Do you know of any good examples of custom RoleProvider? Thx – viv_acious Sep 25 '12 at 05:49
  • I should still be able to use the SQL Membership Provider right? Don't have to create a custom one as well? Thx and sorry for bombarding you with all these qu. – viv_acious Sep 25 '12 at 05:56
  • I'd wrap both SqlMembershipProvider and ADMembershipProvider and mish-mash the two together, or something. – Dai Sep 25 '12 at 06:07
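
The custom RoleProvider suggested in the comments above, written out as an added example (this is not code from the original post, from the answerer, or from Microsoft). It keeps the stock SqlRoleProvider for role definitions and direct user-to-role assignments, and adds roles mapped from the AD groups already present on the caller's Windows logon token, so no privileged directory account or impersonation is needed. Everything about the storage is a hypothetical assumption: a mapping table dbo.AdGroupRoleMap(GroupSid, RoleName) in the same database as the aspnet_* tables, keyed by group SID rather than by display name, and the provider names and connectionStringName shown in the web.config comment at the top of the block.

```csharp
// Added example (not from the original post): union of SqlRoleProvider roles with roles
// mapped from the AD groups on the caller's Windows token.
// Hypothetical assumptions: table dbo.AdGroupRoleMap(GroupSid nvarchar(184), RoleName nvarchar(256))
// in the aspnet_* database, registered in web.config as:
//   <roleManager enabled="true" defaultProvider="AdMappedRoles">
//     <providers>
//       <clear/>
//       <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
//            connectionStringName="AppDb" applicationName="/"/>
//       <add name="AdMappedRoles" type="AdGroupMappedRoleProvider"
//            connectionStringName="AppDb" sqlProviderName="AspNetSqlRoleProvider"/>
//     </providers>
//   </roleManager>
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class AdGroupMappedRoleProvider : RoleProvider
{
    private string _connectionString;
    private string _sqlProviderName;

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        var cs = ConfigurationManager.ConnectionStrings[config["connectionStringName"]];
        if (cs == null) throw new InvalidOperationException("connectionStringName not found");
        _connectionString = cs.ConnectionString;
        _sqlProviderName = config["sqlProviderName"] ?? "AspNetSqlRoleProvider";
        config.Remove("connectionStringName");
        config.Remove("sqlProviderName");
        base.Initialize(name, config);
    }

    // Resolved lazily: Roles.Providers is still being built while Initialize runs.
    private RoleProvider Sql { get { return Roles.Providers[_sqlProviderName]; } }

    public override string ApplicationName { get; set; }

    // Only the authenticated caller's own token is available to the app. Reading groups for
    // arbitrary usernames would need the privileged account the answer warns about, so any
    // other username simply gets no AD-derived roles.
    private static IEnumerable<string> GroupSidsFor(string username)
    {
        var ctx = HttpContext.Current;
        var wi = ctx == null ? null : ctx.User.Identity as WindowsIdentity;
        if (wi == null || wi.Groups == null
            || !string.Equals(wi.Name, username, StringComparison.OrdinalIgnoreCase))
            return Enumerable.Empty<string>();
        // Match on SIDs, not "DOMAIN\Group" names: a renamed group keeps its SID, so the
        // mapping neither breaks nor can be hijacked by a rename, and no DC lookup is needed.
        return wi.Groups.OfType<SecurityIdentifier>().Select(s => s.Value);
    }

    private HashSet<string> RolesFromAdGroups(string username)
    {
        var sids = GroupSidsFor(username).ToList();
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (sids.Count == 0) return roles;
        using (var con = new SqlConnection(_connectionString))
        using (var cmd = con.CreateCommand())
        {
            // One parameter per SID; nothing token-derived is concatenated into the SQL text.
            var names = sids.Select((s, i) => "@s" + i).ToArray();
            for (int i = 0; i < sids.Count; i++) cmd.Parameters.AddWithValue(names[i], sids[i]);
            cmd.CommandText = "SELECT RoleName FROM dbo.AdGroupRoleMap WHERE GroupSid IN ("
                              + string.Join(",", names) + ")";
            con.Open();
            using (var r = cmd.ExecuteReader())
                while (r.Read()) roles.Add(r.GetString(0));
        }
        // Keep only roles that exist in aspnet_Roles, so a typo in the mapping table
        // cannot mint a role the application never defined.
        roles.IntersectWith(Sql.GetAllRoles());
        return roles;
    }

    public override string[] GetRolesForUser(string username)
    {
        var roles = RolesFromAdGroups(username);
        roles.UnionWith(Sql.GetRolesForUser(username)); // direct aspnet_UsersInRoles assignments
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    // Definitions and direct assignments stay in SQL. Caveat: GetUsersInRole/FindUsersInRole
    // report direct assignments only, not users who hold the role through an AD group.
    public override void CreateRole(string roleName) { Sql.CreateRole(roleName); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { return Sql.DeleteRole(roleName, throwOnPopulatedRole); }
    public override bool RoleExists(string roleName) { return Sql.RoleExists(roleName); }
    public override string[] GetAllRoles() { return Sql.GetAllRoles(); }
    public override string[] GetUsersInRole(string roleName) { return Sql.GetUsersInRole(roleName); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { return Sql.FindUsersInRole(roleName, usernameToMatch); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { Sql.AddUsersToRoles(usernames, roleNames); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { Sql.RemoveUsersFromRoles(usernames, roleNames); }
}
```

With this registered as the default provider, the existing `Roles.AddUserToRole(userName, roleName)` calls and `User.IsInRole("RoleName")` checks in the pages keep working unchanged; the only new administrative step is inserting (group SID, role name) rows into the mapping table, which should be restricted to administrators since each row is effectively a grant. SqlMembershipProvider is untouched by this, as the comments above note. If `cacheRolesInCookie` is enabled in `<roleManager>`, the AD-derived roles are cached in the role cookie like any other role, so a group change takes effect only after the cookie expires or the user signs out.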