Tuesday, July 3

Setting up Windows Authentication for Intranet Websites

 Recently I was put on a project that needed to harness the built in windows security for user authentication. Idea was to allow access only tousers of subscribed to certain groups. Once authenticated, based on the group the user is subscribed to, I needed to perform custom actions. 

The configuration started with the Web.Config. I added the authentication andauthorization sections to the Web.Config, specifying the authentication type and the groups authorized to access the site.

We deny access to anonymous users. Also, with the "Impersonate clause" we tell ASP.NET
to run using the permission/priveledges of the authenticated user
instead of the default asp_net user.

   37         authentication mode="Windows"        
   38         authorization
   39             allow roles="MSDomain\Buyers,MSDomain\Clerks,MSDomain\Receivers"
   40             deny users="*"            
   41         authorization
   42         identity impersonate="true"        
In order to be able to find out whether a user belongs to a particular group and to get a list of groups a user is subscribed to, we needed to
specify a "roleManager" config section and set the default provider to "AspNetWindowsTokenRoleProvider". Until this is done, the any code written
to check whether the user is part of a group/list of groups will not work.
"Role Manager" helps us manage groups(roles) and perform group based authorization
in the applicaion. We need the role manager to help us identify the groups of which the authenticated user is a part of and perform actions like wise.
Msdn article about role management says:
"The main benefits of using role manager are that it allows you to look up users' roles without writing and maintaining code. Additionally, the 
role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. Therefore, 
if your role store were to change tomorrow, you would only need to change the configuration settings to make your code work."

 roleManager enabled="true" defaultProvider="WindowsTokenRoleProvider" >

The default role providers are as follows:
1. SqlRoleProvider
 - role information kept in SQL Server
2. WindowsTokenRoleProvider
 - read-only provider that retrieves role information for a 
   Windows user account based on the account's Windows security 
   group membership
3. AuthorizationStoreRoleProvider
 - used if your application uses Authorization Manager (AzMan)
In my case, all I needed was to redirect user to corresponding portion of the site depending on their role, hence read-only role provider was
Msdn article says "The Windows security system acts as role store for this 
provider, so no additional configuration is required to set up the role store"
Once the user is authenticated, we need to check if the user is part of a particular group, if yes, then perform the custom action.
Below is the code required to validate whether a user is part of a inranet group.

  120         if (User.IsInRole   (WindowsGroupSettings.SettingFor.Buyers))
  121         {
  122             if (this.LoadPricesForBuyer != null)
  123             {
  124                 _buyerName = User.Identity.Name;
  125                 LoadPricesForBuyer(this, EventArgs.Empty);
  126             }
  127         }

To get a list of groups a user is part of use the following code:

  140         if (!IsPostBack)
  141         {
  142             gvRoles.DataSource = Roles.GetRolesForUser(User.Identity.Name);
  143             gvRoles.DataBind();
  149         }
Notice that I have used the WebNavigator, MVP pattern in this project. :)
I am having a torrid time fighting the fonts/html in post that contain code copied using copySourceAsHtml, 
especially code containing tags.

Labels: , ,

Comments: Post a Comment

Subscribe to Post Comments [Atom]

<< Home

This page is powered by Blogger. Isn't yours?

Subscribe to Posts [Atom]