
[Question] ASP.NET (VB) - test logon users AD groups

  • 15-10-2009 3:43pm
    #1
    Registered Users Posts: 3,779 ✭✭✭


    I would like to write an application that has different levels of security depending on the current logon user's AD groups.

    Using LogonUserIdentity I can get a handle on the logged-on user; how do I test if they are in a particular group? ... I'm looking for something along the lines of .IsInRole, but as yet I cannot find anything that works :/


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Not sure this is what you're looking for, but what about an LDAP query based on the user ID?

    Found something here:

    [code]using System;
    using System.Collections;
    using System.Collections.Specialized;
    using System.DirectoryServices;
    using System.Web.UI;

    public partial class GroupList : Page
    {
        private void Page_Load(object sender, EventArgs e)
        {
            StringCollection groups = GetUserGroupMembership("foo");
            foreach (string gp in groups)
            {
                // Encode the group name before writing it into the page.
                Response.Write("<br><b>" + Server.HtmlEncode(gp) + "</b>");
            }
        }

        // Escape the characters RFC 4515 reserves in a search filter so a
        // user-supplied account name cannot change the query (LDAP injection).
        private static string EscapeLdapFilter(string value)
        {
            return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                        .Replace("(", "\\28").Replace(")", "\\29")
                        .Replace("\0", "\\00");
        }

        private StringCollection GetUserGroupMembership(string strUser)
        {
            StringCollection groups = new StringCollection();
            try
            {
                using (DirectoryEntry obEntry = new DirectoryEntry("LDAP://CN=users,DC=pardesifashions,DC=com"))
                using (DirectorySearcher srch = new DirectorySearcher(obEntry,
                           "(sAMAccountName=" + EscapeLdapFilter(strUser) + ")"))
                {
                    SearchResult res = srch.FindOne();
                    if (res != null)
                    {
                        using (DirectoryEntry obUser = res.GetDirectoryEntry())
                        {
                            // Invoke the ADSI IADsUser.Groups method. This returns the
                            // groups the user is a direct member of, not nested groups.
                            object obGroups = obUser.Invoke("Groups");
                            foreach (object ob in (IEnumerable)obGroups)
                            {
                                // Wrap each native ADSI group object in a DirectoryEntry.
                                using (DirectoryEntry obGpEntry = new DirectoryEntry(ob))
                                {
                                    groups.Add(obGpEntry.Name); // e.g. "CN=Domain Users"
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Trace.Write(ex.Message);
            }
            return groups;
        }
    }[/code]

    You'd have to change the distinguishedName parameter in the LDAP string, but that would work?


  • Registered Users Posts: 2,931 ✭✭✭Ginger


    Right, you need to look at the RoleProvider object to do this.

    In your web.config:
    [code]<authentication mode="Windows" />
    <roleManager enabled="true"
                 defaultProvider="AspNetWindowsTokenRoleProvider" />[/code]

    This uses the AspNetWindowsTokenRoleProvider, which is located in the Machine.config on your server.

    You will then be able to use the IsUserInRole and GetRolesForUser methods to do your application.

    Getting the roles for your logged-in user:
    [code]using System;
    using System.Web.Security;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Roles for the current Windows user, as reported by the configured role provider.
        string[] members = Roles.GetRolesForUser();
        foreach (string role in members)
        {
            Label1.Text += Server.HtmlEncode(role) + "<br />";
        }
    }[/code]
    

    You can also use the WindowsPrincipal object to check for built-in roles on the server, such as local admins or backup admins, for example:
    [code]using System.Security.Principal;

    // Cast the authenticated user's identity and test a well-known built-in group.
    WindowsPrincipal principal = new WindowsPrincipal((WindowsIdentity)HttpContext.Current.User.Identity);
    bool isLocalAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);[/code]

    Additionally, you can secure different folders etc. with some role management:
    [code]<configuration>
      <location path="memberPages">
        <system.web>
          <authorization>
            <allow roles="BUILTIN\Administrators" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
      <!-- other configuration settings here -->
    </configuration>[/code]
    


    Some links

    http://msdn.microsoft.com/en-us/library/83y98ckk.aspx
    http://msdn.microsoft.com/en-us/library/ms998314.aspx

    EDIT: Of course I did the whole thing in C# but you should get the gist from this :)
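As an added example (not code from either reply above), here is the per-group security-level check the question describes, written in VB.NET since that is what the question asked for. It follows Ginger's WindowsIdentity/WindowsPrincipal approach rather than Martyr's LDAP query: the group SIDs in the logon token (WindowsIdentity.Groups) already include nested membership, whereas IADsUser.Groups only returns the groups the user is a direct member of. The domain name CONTOSO, the App-* group names, the SecurityLevel enum and the GroupAuthorizer and SecurePage class names are assumptions made up for this illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.UI

' Application security levels; a higher value means more access.
' (The enum members and the group names below are assumptions for this example.)
Public Enum SecurityLevel
    None = 0
    Reader = 1
    Editor = 2
    Admin = 3
End Enum

Public NotInheritable Class GroupAuthorizer
    Private Sub New()
    End Sub

    ' AD group -> level, most privileged first so the first match is the highest level.
    Private Shared ReadOnly GroupLevels() As KeyValuePair(Of String, SecurityLevel) = { _
        New KeyValuePair(Of String, SecurityLevel)("CONTOSO\App-Admins", SecurityLevel.Admin), _
        New KeyValuePair(Of String, SecurityLevel)("CONTOSO\App-Editors", SecurityLevel.Editor), _
        New KeyValuePair(Of String, SecurityLevel)("CONTOSO\App-Readers", SecurityLevel.Reader) _
    }

    ' Returns the effective level for the identity. It reads the logon token's group
    ' SIDs, which already contain nested group membership, instead of querying LDAP
    ' for direct memberships. Deny by default: no mapped group means SecurityLevel.None.
    Public Shared Function GetLevel(ByVal identity As WindowsIdentity) As SecurityLevel
        If identity Is Nothing OrElse Not identity.IsAuthenticated OrElse identity.Groups Is Nothing Then
            Return SecurityLevel.None
        End If

        Dim names As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
        For Each sid As IdentityReference In identity.Groups
            Try
                ' SID -> "DOMAIN\Group". Translation fails for orphaned SIDs
                ' (deleted groups); skip those rather than fail the whole check.
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                ' Group no longer exists in the directory; ignore it.
            End Try
        Next

        For Each entry As KeyValuePair(Of String, SecurityLevel) In GroupLevels
            If names.Contains(entry.Key) Then Return entry.Value
        Next
        Return SecurityLevel.None
    End Function
End Class

' Example page that requires at least Editor and otherwise answers 403 Forbidden.
Partial Public Class SecurePage
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Request.LogonUserIdentity is the WindowsIdentity the question mentions;
        ' it is only meaningful with <authentication mode="Windows" /> in web.config.
        Dim level As SecurityLevel = GroupAuthorizer.GetLevel(Request.LogonUserIdentity)
        If level < SecurityLevel.Editor Then
            Response.StatusCode = 403
            Response.End()
            Return
        End If
        ' Editor or Admin from here on; show or hide controls based on level.
    End Sub
End Class
```

For a single group, `User.IsInRole("CONTOSO\App-Admins")` on the WindowsPrincipal is enough and avoids the SID translation loop; the helper above is for mapping several groups to ordered levels while keeping the default at no access. SID-to-name translation needs the web server to be able to reach the domain, and anonymous users should additionally be kept out with `<deny users="?" />` so the page never runs for an unauthenticated identity.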

