ADSI using Asp.net

Guest

I am going to create an intranet application using Windows Authentication
[W2k Active Directory users] with C# ASP.NET.

I am having the following problem:

1. With Windows Authentication set up, it validates the user name and
password of all users against ADSI before they enter the application; this is
working fine. The problem is that I am going to categorize users based on the
value of their Title property.

E.g., if Title = Accounts, that user is going to access the related pages.
Likewise, different users are going to access different pages.
I need a solution for how to do this using Windows Authentication.

- How to retrieve Active Directory user properties into an intranet
application using ASP.NET.


Any suggestion or related link,
any help would be greatly appreciated.

Thanks
 
Guest

What you want to achieve here is 2 different things:
The first thing is Authentication.
The other thing is Authorization.

The solution involves merging Windows Integrated Authentication with
Role-Based Authorization.

Role-based Authorization is built on the premise that users are
authenticated, which is the process of identifying the user. Once identified,
the user can be authorized, or assigned roles and permissions. Credentials
like a username and password are usually provided to authenticate users, and
this information is used to create a security principal representing this
user's identity at runtime. The .NET Framework object model includes built-in
support to work with Windows

To understand how this security principal is used by the runtime, it is
important to consider the relationship between the running process, the
application domain, and the assemblies loaded within that application domain.

By default the process runs under the logged-in user's Windows identity, and
this governs what resources can be accessed by any thread of execution within
that process. Yet each thread of execution can also be assigned an identity,
which governs how role-based security checks are evaluated at runtime.

The ASP.NET process identity is identified by the <processModel> section of
machine.config. Unless the worker process is asked to impersonate another
account, this is the identity that governs your Web application's access to
system resources such as the file system, the Windows registry, and the
database if integrated Windows accounts are used.

When your application uses Windows authentication, ASP.NET automatically
constructs a WindowsPrincipal that is attached to the context of the current
Web request (using HttpContext.User). After the authentication process is
complete and ASP.NET has attached the object to the current request, it is
used for all subsequent .NET role-based authorization.
The Windows group membership of the authenticated caller is used to
determine the set of roles. With Windows authentication, .NET roles are the
same as Windows groups.
You can get the groups using code like this:
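    using System;
    using System.Collections;
    using System.Security.Principal;
    using System.Threading;
    using System.Web.Security;

    // Global.asax: replace the request principal with one carrying the role list.
    void WindowsAuthentication_Authenticate(object sender,
        WindowsAuthenticationEventArgs e)
    {
        String[] roleStrng = GetUserRoles();
        e.User = new GenericPrincipal(e.Identity, roleStrng);
    }

    private string[] GetUserRoles()
    {
        AppDomain myDomain = Thread.GetDomain();
        myDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        ArrayList al = new ArrayList();

        WindowsPrincipal myPrincipal = (WindowsPrincipal)Thread.CurrentPrincipal;
        // Enumerate every WindowsBuiltInRole value (Administrator, User, ...)
        Array wbirFields = Enum.GetValues(typeof(WindowsBuiltInRole));

        foreach (object roleName in wbirFields)
        {
            try
            {
                // Keep the name of each built-in role the caller belongs to
                if (myPrincipal.IsInRole((WindowsBuiltInRole)roleName))
                    al.Add(roleName.ToString());
            }
            catch { } // skip roles that cannot be evaluated on this system
        }
        return (string[])(al.ToArray(typeof(string)));
    }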


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch03.asp
http://www.15seconds.com/issue/041208.htm
http://www.eggheadcafe.com/articles/20020418.asp


Best Regards,
Waleed K. Mallouk

Solutions Architect
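
An added example, not part of the original posts: one way to derive the role from the Active Directory title attribute asked about in the question and attach it with a GenericPrincipal as the answer does. It assumes C# 3 or later, a reference to System.DirectoryServices, and a directory reachable from the web server; the "Payroll" entry and the names TitleToRole, EscapeLdap and LookupTitle are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web.Security;

public class Global : System.Web.HttpApplication
{
    // Allow-list of AD title -> application role ("Payroll" is hypothetical).
    static readonly Dictionary<string, string> TitleToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "Accounts", "Accounts" }, { "Payroll", "Payroll" } };

    // Escape RFC 4515 filter metacharacters so the logon name stays data.
    static string EscapeLdap(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // The search binds as the worker-process identity unless impersonation
    // is enabled, so that account needs read access to the directory.
    static string LookupTitle(string sam)
    {
        using (DirectorySearcher ds = new DirectorySearcher())
        {
            ds.Filter = "(&(objectCategory=person)(sAMAccountName="
                        + EscapeLdap(sam) + "))";
            ds.PropertiesToLoad.Add("title");
            SearchResult r = ds.FindOne();
            if (r == null || !r.Properties.Contains("title")) return null;
            return r.Properties["title"][0] as string;
        }
    }

    void WindowsAuthentication_Authenticate(object sender,
        WindowsAuthenticationEventArgs e)
    {
        if (e.Identity == null || !e.Identity.IsAuthenticated) return;
        string name = e.Identity.Name;                       // DOMAIN\user
        string sam = name.Substring(name.LastIndexOf('\\') + 1);
        string title = LookupTitle(sam);
        string role = null;
        if (title != null) TitleToRole.TryGetValue(title, out role);
        // Fail closed: a missing or unmapped title yields no roles at all.
        string[] roles = role == null ? new string[0] : new string[] { role };
        e.User = new GenericPrincipal(e.Identity, roles);
    }
}
```

Pages can then be restricted with `<authorization>` rules or `User.IsInRole("Accounts")`. Because the role comes from a directory attribute, access is only as strong as the ACL that controls who can write `title` on user objects.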

Guest

Thanks "Waleed Mallouk"

I got a detailed solution from you. Now I will proceed with my work.

I am having one more problem, that is:
- I am going to retrieve users based on Title properties in AD

Thanks
-YRao

