Group membership authentication against Active Directory? 1

[DanEvansJr]

First off, let me say in advance that I am EXTREMELY new to .NET, C#, ASP and true object oriented programming in general. My background is relational databases/Xbase, so be gentle and feel free to dumb it down for me. I won't be offended.

Secondly, Thank you for viewing this thread. Any help that you can give will be greatly appreciated.

Currently, we're using LDAP to authenticate users through a web page. We are upgrading our applications to authenticate against Active Directory and I have been tasked to do this. I have a login page that accepts a standard user/pass. I can successfully detect the Active Directory server and confirm the user id and password against my two input fields. And I can get group membership status for the logged in user, but if the logged in user is different than the user ID in the text field my code is only looking for the user that is physically logged into the machine, ignoring the input field.

EX: If JSMITH is logged into the machine, and he types HIS user/pass, assuming he is a member of that ADMINS group, he will proceed to the application main page. But if TJONES types his user/pass while on JSMITH's machine, TJONES will be granted access regardless of his group membership because the code is searching based on the machine user and not the user ID text field.

I've included the code below. I'm assuming that it has something to do with the foreach line, but I don't know enough to be sure.

Thank you,
Dan Evans Jr.

//***** begin C# code ***********
public bool GetGroups()
{
bool groupfound = false;
string GroupString;
foreach (System.Security.Principal.IdentityReference group in System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups)
{
GroupString = group.Translate(typeof(System.Security.Principal.NTAccount)).ToString();

if (GroupString.Contains("ADMINS"))
{
groupfound = true;
}
}
return groupfound;
}
//******************************

 

[jmeckley]

you don't need to do too much coding for this.
in the webconfig set authentication mode=Windows. add the Identity node. set the impersonate attribute=true.

then you can use location nodes to set access using usernames and/or roles (groups). very little code required.

....
<system.web>
   ...
   <authentication Mode="Windows" />
   <Identity Impersonate="true" />
<system.web>
<location path="~/ADirectory">
   <authorization>
      <allow 
          users="Domain\username,Domain\username ..."
          Roles="BuiltIn\name"
      <deny
          users="Domain\username,Domain\username ..."
          Roles="BuiltIn\name"
   </authorization>
</location>
...

using this model users do not need to login/out. this is done automatically. Note: IIS Windows Integrated Authentication must be activated.

also IIdentity has a member to verify roles for you. You should never need to down cast to a concrete type.

bool authorized  = Context.CurrentUser.Identity.IsInRole("full name of role");

if you on a webform you can do this

bool authorized  = User.Identity.IsInRole("full name of role");

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[DanEvansJr]

Thank you for the quick response, Jason. Can anyone expand on this, and if possible, dumb it down even more.

I'm getting some errors. First of all, the changes that I've made to the webconfig file give me this:

The element 'system.web' has invalid child element 'location'. List of possible elements expected: 'anonymousIdentification, authentication, authorization, browserCaps, clientTarget, compilation, customErrors, deployment, deviceFilters, globalization, healthMonitoring, hostingEnvironment, httpCookies, httpHandlers, httpModules, httpRuntime, identity, machineKey, membership, mobileControls, pages, processModel, profile, roleManager, securityPolicy, sessionPageState, sessionState, siteMap, trace, trust, urlMappings, webControls, webParts, webServices, xhtmlConformance, caching'.

And now that I look at it, User.Identity is getting the name of the logged in user for the machine. I need the userid from the input text box.

 

[jmeckley]

your error is because system.web doesn't belong in a location node.

yes, User.Identity get the name of the user from the thread, not the textbox. it has no idea about the textbox. The idea is that if you're validating users against AD, why have them log in? use single sign on instead. when they log into the work station (laptop) they are already validated. no need to login a second time.

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[DanEvansJr]

Yknow what . . . you're absolutely right. Why are we jumping through hoops programming for a situation that's not supposed be happening?

Thanks, Jason.

 

[DanEvansJr]

Ok, after some discussions with people that know a heck of a lot more about this than me, apparently what I was trying to do was not only unwise, it's basically UNpossible. Single sign-on is the preferred and only method to authenticate using Wind/Auth.

Now we have a different issue. When building and running the login form from my desktop IDE, it works. It authenticates my logged in user ID to Active Directory and let's me in the door. But when we deploy the app to our web server, it's attempting to authenticate against 'NETWORK SERVICE'. I'm assuming that this is the ID of the web server machine, but like I said, I don't know enough about all of this to be sure what's happening. Is there a way to 'pass' my credentials to the web server and then authenticate from there? Actually, I'm sure that there is, I just don't know how. Can anyone point me in the right direction? Thanks in advance.

 

[jmeckley]

make sure impersonation is enabled in the web.config
make sure the IIS virtual directory uses Windows Integrated Authentication only.

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[jmeckley]

almost forgot. this works locally on your machine because the server and the client are the same box and you are logged in under your credentials.

Jason Meckley
Programmer
Specialty Bakers, Inc.