Hi,

I'm developing an Intranet Application in ASP.NET that uses Windows Authentication. I have created an AD class that gets information from the Active Directory Domain Controller. This is what I use to get things like the User Groups that the currently logged-in user is in. The problem is with the ASP.NET Roles that the user is in. Seems funny, but the list of AD Groups that the user is in is totally different from the list of Roles that the user has.

Here is what I get:

List of AD Groups for a certain user

1) Developers
2) Account Operators
3) Domain Admins
4) IS_IUSRS
5) Administrators

List of the same user's Roles

1) PUDDOM\Domain Users
2) Everyone
3) BUILTIN\Users
4) BUILTIN\Administrators
5) NT AUTHORITY\INTERACTIVE
6) NT AUTHORITY\Authenticated Users
7) NT AUTHORITY\This Organization
8) LOCAL
9) PUDDOM\Domain Admins
10) PUDDOM\Denied RODC Password Replication Group
11) PUDDOM\DnsAdmins


OTHER INFORMATION

1) I have my website use Integrated Windows Authentication from IIS7.

2) A portion of my web.config looks like this:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
  </providers>
</roleManager>


If anyone has an idea how on earth this is happening, and/or how I can reconcile the two lists, please post a reply.

I need to make my Roles list reflect the same data as my AD Groups list because I will use Role trimming in my site map and other stuff.

Thanks in advance,
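
The two lists in the question are read from different places, and a quick diagnostic makes that visible. The following is an added example, not code from the question or from either answer: it prints, for one account, the direct memberships an "AD class" normally reads (the memberOf attribute), the transitive list the domain controller itself computes (the constructed tokenGroups attribute), and the groups in the request's actual Windows token, which is what AspNetWindowsTokenRoleProvider reports as roles. It assumes .NET Framework with System.DirectoryServices, a domain-joined server that can reach a DC, and an account allowed to read the user object; the names GroupSources, EscapeFilter, FindUser and the three list methods are this example's own.

```csharp
// Added diagnostic (not from the original post): show where each of the two
// lists comes from. Assumes a domain-joined server that can reach a DC and an
// account allowed to read the user object.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class GroupSources
{
    // Escape a value before splicing it into an LDAP filter (RFC 4515) so a
    // crafted user name cannot change the query.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    static DirectoryEntry FindUser(string samAccountName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain,
            "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(samAccountName) + "))"))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new ArgumentException("no such user: " + samAccountName);
            return hit.GetDirectoryEntry();
        }
    }

    // What a typical "AD class" returns: the memberOf back-link, i.e. direct
    // memberships only, as distinguished names. The primary group (Domain Users)
    // is never in memberOf; it is stored as primaryGroupID instead.
    public static List<string> DirectMemberOf(string samAccountName)
    {
        var names = new List<string>();
        using (DirectoryEntry user = FindUser(samAccountName))
            foreach (object dn in user.Properties["memberOf"])
                names.Add(dn.ToString());
        return names;
    }

    // What the DC computes at logon: tokenGroups is a constructed attribute
    // holding the SIDs of every domain group the user is in, transitively,
    // primary group included. It must be requested explicitly.
    public static List<string> TransitiveTokenGroups(string samAccountName)
    {
        var names = new List<string>();
        using (DirectoryEntry user = FindUser(samAccountName))
        {
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] raw in user.Properties["tokenGroups"])
                names.Add(SidToName(new SecurityIdentifier(raw, 0)));
        }
        return names;
    }

    // What AspNetWindowsTokenRoleProvider reads: the groups in the request's
    // Windows token. The web server's LSA adds the well-known logon SIDs
    // (Everyone, Authenticated Users, INTERACTIVE, This Organization, LOCAL)
    // and the machine's BUILTIN groups on top of the domain's tokenGroups.
    public static List<string> WindowsTokenGroups(WindowsIdentity identity)
    {
        var names = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
            names.Add(SidToName((SecurityIdentifier)sid));
        return names;
    }

    static string SidToName(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }     // DOMAIN\Group
        catch (IdentityNotMappedException) { return sid.Value; }  // keep unresolvable SIDs raw
    }

    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        string sam = me.Name.Substring(me.Name.IndexOf('\\') + 1);
        Console.WriteLine("-- memberOf (direct) --");
        foreach (string g in DirectMemberOf(sam)) Console.WriteLine(g);
        Console.WriteLine("-- tokenGroups (transitive, domain groups only) --");
        foreach (string g in TransitiveTokenGroups(sam)) Console.WriteLine(g);
        Console.WriteLine("-- Windows token (what the role provider sees) --");
        foreach (string g in WindowsTokenGroups(me)) Console.WriteLine(g);
    }
}
```

Run it as the same account the site sees and the third list will match the "Roles" list in the question, while the first list matches the "AD Groups" list; the middle list shows the nested domain groups that the token picks up but memberOf does not.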

A: 

You might need to assign the website permissions specifically to the groups you want to enumerate.

UndertheFold
+2  A: 

Part of your result is because some of the groups the user belongs to are members of other groups. The full list of a user's groups will include all groups the user belongs to, both directly and via membership in other groups that are themselves members.

The list will also include built-in groups that are normally hidden from the native admin tools by default.

Your best bet is to have the application store a master list of the groups you want your application to see, or a list of groups you want your application to ignore (either an include list, or an exclude list). Then when you pull back a specific user's roles, just compare it to the configured exclude or include list and filter out the unwanted results.

If you want an easier way, there is an open source AD role provider over at codeproject that already has support for both exclude and include lists. It also has other nice features like optional caching that will REALLY speed up your application. The built-in AD role provider performs very poorly.

Stephen M. Redd
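
The include/exclude filtering this answer describes can be done without replacing the Windows token provider, by wrapping it. The following is an added example, not the CodeProject provider and not code from the question: a RoleProvider that delegates to the built-in WindowsTokenRoleProvider and keeps only roles on an allow list, or drops those on a deny list, read from the provider's web.config attributes. The class name FilteredWindowsRoleProvider and the attribute names allowRoles and denyRoles are this example's own. Two points the question's lists make obvious: the Windows provider reports roles as DOMAIN\Group (PUDDOM\Developers, not Developers), so the configured names must be in that form, and Windows group names are case-insensitive, so the comparison is too.

```csharp
// Added example (not the CodeProject provider or the questioner's code): a
// RoleProvider that wraps the built-in Windows token provider and applies an
// include list or an exclude list configured in web.config. The attribute
// names allowRoles/denyRoles and the class name are this example's own.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Security;

public class FilteredWindowsRoleProvider : RoleProvider
{
    private readonly WindowsTokenRoleProvider _inner = new WindowsTokenRoleProvider();
    private HashSet<string> _allow = Empty();
    private HashSet<string> _deny = Empty();

    public override void Initialize(string name, NameValueCollection config)
    {
        _allow = Parse(config["allowRoles"]);
        _deny = Parse(config["denyRoles"]);
        config.Remove("allowRoles");      // the wrapped provider rejects any
        config.Remove("denyRoles");       // attribute it does not recognise
        base.Initialize(name, config);    // sets Name/Description
        _inner.Initialize(name, config);  // consumes applicationName
    }

    // Names are DOMAIN\Group exactly as the Windows provider reports them
    // (e.g. "PUDDOM\Developers"). Windows group names are case-insensitive.
    static HashSet<string> Empty() { return new HashSet<string>(StringComparer.OrdinalIgnoreCase); }

    static HashSet<string> Parse(string csv)
    {
        var set = Empty();
        if (!string.IsNullOrEmpty(csv))
            foreach (string s in csv.Split(',')) { string t = s.Trim(); if (t.Length > 0) set.Add(t); }
        return set;
    }

    // If an include list is configured only its members pass; anything on the
    // exclude list is dropped either way.
    public string[] Filter(IEnumerable<string> roles)
    {
        return roles.Where(r => (_allow.Count == 0 || _allow.Contains(r)) && !_deny.Contains(r)).ToArray();
    }

    // The wrapped provider only answers for the identity of the current
    // request and throws for any other user name; sitemap trimming and
    // Roles.IsUserInRole both ask about the current user, so that is fine.
    public override string[] GetRolesForUser(string username)
    {
        return Filter(_inner.GetRolesForUser(username));
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Filter(new[] { roleName }).Length == 1 && _inner.IsUserInRole(username, roleName);
    }

    public override string ApplicationName
    {
        get { return _inner.ApplicationName; }
        set { _inner.ApplicationName = value; }
    }

    // Windows groups are managed in AD, not by the web application; the wrapped
    // provider throws for these, and this one lets it.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { _inner.AddUsersToRoles(usernames, roleNames); }
    public override void CreateRole(string roleName) { _inner.CreateRole(roleName); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { return _inner.DeleteRole(roleName, throwOnPopulatedRole); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { return _inner.FindUsersInRole(roleName, usernameToMatch); }
    public override string[] GetAllRoles() { return _inner.GetAllRoles(); }
    public override string[] GetUsersInRole(string roleName) { return _inner.GetUsersInRole(roleName); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { _inner.RemoveUsersFromRoles(usernames, roleNames); }
    public override bool RoleExists(string roleName) { return _inner.RoleExists(roleName); }
}

// web.config for the above, replacing the roleManager element in the question.
// type="FilteredWindowsRoleProvider" assumes the class is in App_Code or the
// web application's own assembly:
//
//   <roleManager enabled="true" defaultProvider="FilteredWindows">
//     <providers>
//       <clear />
//       <add name="FilteredWindows" type="FilteredWindowsRoleProvider"
//            allowRoles="PUDDOM\Developers,PUDDOM\Domain Admins,PUDDOM\Account Operators" />
//     </providers>
//   </roleManager>
```

With the allow list above, Roles.GetRolesForUser() for the user in the question returns only PUDDOM\Domain Admins (the other two allowed names are not in that token), and the well-known and BUILTIN entries never reach the site map. Use denyRoles instead when the set of groups the application cares about is large and only the noise is known.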