Hi,

I've just started a small ASP.NET web application. In this project, I need to authenticate the users with Active Directory. I managed to authenticate the users successfully with Active Directory, but with authorization using a custom Role Provider I'm so confused. You see, the user name and password are stored in AD. So, my approach is that after the LoggedIn event of the Login control, I check whether the UserName is not yet stored in the Users table, and if not, I store the UserName there. Finally, I have all the UserNames of the AD users stored in the Users table so I can assign Roles to the users. Please see my tables diagram below:


Let's say I assign UserA to RoleOne. After he logs in successfully, I do some query to look for his Roles.

Where do I keep the Role ticket? In the cookie or in the session? How does the authorization of the ASP.NET role provider work? I want to store the authorization ticket like the ASP.NET role provider does too.

A: 

Have you considered using Active Directory groups for roles and the WindowsTokenRoleProvider (or a custom role provider accessing AD)? I find that this works very well for a situation where you're using AD for authentication as well. One tip: use cookies to store the user's roles so you don't have to find them on every request.

tvanfosson

The project requirement is to use AD for authentication and a DB table for authorization. Cookies are a good place for authorization. I'm just concerned about the security. If I use cookies for this, I think I will have to check them on every page request, or don't I?

Angkor Wat

The cookie should be encrypted. When you set up the RoleProvider you can specify to use cookies to hold the roles. If you use cookies, then it automatically retrieves the roles from the cookie instead of using the provider, if the cookie is available. I believe they are session cookies. You can secure them using SSL in addition to encrypting them if necessary.

tvanfosson
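The role-manager cookie settings the answer refers to, as a web.config fragment added here (it is not code from the original thread); the provider class name `MyApp.Security.DbRoleProvider`, the connection string `AppDb` and the `Admin` path are assumed placeholders. The weak block is left commented out beside the hardened one so the difference is visible in one place.

```xml
<!-- Added example web.config fragment, not from the original post.
     Assumed placeholders: MyApp.Security.DbRoleProvider, AppDb, Admin. -->
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=.;Database=AppDb;Integrated Security=true" />
  </connectionStrings>
  <system.web>
    <!-- Authentication stays with Active Directory; the role cookie only carries roles. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All" />
    </authentication>

    <!-- WEAK: roles cached in a plaintext, unsigned, persistent cookie sent over HTTP.
         With cookieProtection="None" the role list is neither encrypted nor validated,
         so the cached roles cannot be trusted.
    <roleManager enabled="true" cacheRolesInCookie="true"
                 cookieProtection="None" cookieRequireSSL="false"
                 createPersistentCookie="true" />
    -->

    <!-- HARDENED: roles cached in an encrypted and signed session cookie, HTTPS only. -->
    <roleManager enabled="true"
                 defaultProvider="DbRoleProvider"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 createPersistentCookie="false"
                 cookieSlidingExpiration="true"
                 cookieTimeout="30"
                 maxCachedResults="25">
      <providers>
        <clear />
        <!-- The custom provider reads the Users/Roles tables from the question. -->
        <add name="DbRoleProvider"
             type="MyApp.Security.DbRoleProvider"
             connectionStringName="AppDb"
             applicationName="/" />
      </providers>
    </roleManager>

    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Role checks then run on every request against the cached roles. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="RoleOne" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the roles are read from the cookie while it is valid, a role removed in the database is only noticed after the cookie expires (cookieTimeout) or after the application deletes the role cookie on that user's next request.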