Tuesday, July 3
Setting up Windows Authentication for Intranet Websites
Recently I was put on a project that needed to harness the built-in Windows security for user authentication. The idea was to allow access only to users who belong to certain groups. Once authenticated, based on the group the user belongs to, I needed to perform custom actions.
The configuration started with the Web.Config. I added the authentication and authorization sections to the Web.Config, specifying the authentication type and the groups authorized to access the site.
The authorization rules are evaluated top to bottom and the first match wins, so the "allow roles" rule must come before "deny users="*""; with that order every caller who is not in one of the three groups, anonymous callers included, is refused. Note that authentication mode="Windows" only tells ASP.NET to trust the identity IIS established: Windows (Integrated) authentication must be enabled and Anonymous access disabled on the site in IIS, otherwise every request arrives anonymous and is stopped by the deny rule. With the "impersonate" clause we tell ASP.NET to run the request under the permissions/privileges of the authenticated user instead of the worker-process account. One caveat before turning it on: a token obtained through NTLM, or through Kerberos without delegation configured, is only good for resources on the web server itself, so an impersonating page that opens SQL Server or a file share on another machine fails until Kerberos delegation is set up.
    <system.web>
      <authentication mode="Windows" />
      <authorization>
        <allow roles="MSDomain\Buyers,MSDomain\Clerks,MSDomain\Receivers" />
        <deny users="*" />
      </authorization>
      <identity impersonate="true" />
    </system.web>
In order to find out through the Roles API (Roles.IsUserInRole, Roles.GetRolesForUser) whether a user belongs to a particular group, and to get the list of groups a user belongs to, we needed to specify a "roleManager" config section and set the default provider to "AspNetWindowsTokenRoleProvider", the name under which machine.config registers System.Web.Security.WindowsTokenRoleProvider. Until this is done, every call into the Roles class throws a ProviderException stating that the Role Manager feature has not been enabled. (User.IsInRole is the exception: with Windows authentication, User is a WindowsPrincipal and checks a "DOMAIN\Group" name against the logon token without any role provider.)
"Role Manager" helps us manage groups (roles) and perform group-based authorization in the application. We need the role manager to identify the groups the authenticated user belongs to and act accordingly.
"The main benefits of using role manager are that it allows you to look up users' roles without writing and maintaining code. Additionally, the
role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. Therefore,
if your role store were to change tomorrow, you would only need to change the configuration settings to make your code work."
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
The defaultProvider value has to be a name registered under the roleManager providers collection; machine.config registers the Windows token provider as "AspNetWindowsTokenRoleProvider", and an unregistered name such as "WindowsTokenRoleProvider" fails at startup with "Default Role Provider could not be found".
The default role providers are as follows:
1. SqlRoleProvider - role information kept in SQL Server
2. WindowsTokenRoleProvider - read-only provider that retrieves role information for a Windows user account based on the account's Windows security group membership
3. AuthorizationStoreRoleProvider - used if your application uses Authorization Manager (AzMan)
In my case, all I needed was to redirect the user to the corresponding portion of the site depending on their role, hence the read-only role provider was
The MSDN article says "The Windows security system acts as role store for this provider, so no additional configuration is required to set up the role store".
Once the user is authenticated, we need to check whether the user is part of a particular group and, if so, perform the custom action. Below is the code required to check whether a user is part of an intranet group.
    if (User.IsInRole(WindowsGroupSettings.SettingFor.Buyers)) {
        if (this.LoadPricesForBuyer != null) {
            _buyerName = User.Identity.Name;
            LoadPricesForBuyer(this, EventArgs.Empty);
        }
    }
To get the list of groups a user belongs to, use the following code (the Windows token provider only answers for the currently logged-on user, so the name passed must be User.Identity.Name; any other name throws a ProviderException):
    if (!IsPostBack) {
        gvRoles.DataSource = Roles.GetRolesForUser(User.Identity.Name);
        gvRoles.DataBind();   // without DataBind the grid stays empty
    }
Notice that I have used the WebNavigator, MVP pattern in this project. :)
I am having a torrid time fighting the fonts/HTML in posts that contain code copied using copySourceAsHtml, especially code containing tags.