Thursday, June 29, 2006

ASP.NET Authentication Using Active Directory

Well, here's my first post. I'm creating this blog to keep track of useful tips and tricks I find during the course of my professional duties as a .NET web developer working in downtown Los Angeles. Today's post is about ASP.NET security using Active Directory.

The general idea is to authorize only those users who belong to a particular Active Directory group, so naturally this approach only applies to intranet development.

First off we create our web application. It doesn't matter what it does, as the focus of this post is on security. Let's assume we're dealing with an application that prints "Hello World" and leave it at that.

When a user tries to open an aspx page in their browser, a number of interesting things happen. Here are the ones we are interested in:

1) IIS authenticates the user.
2) An application event fires, which can be handled in Global.asax:

Application_AuthenticateRequest(Object sender, EventArgs e)

3) If the user is authenticated, the page displays; otherwise IIS (or whatever web server you are using) sends an error code:

HTTP 401.3 - Access denied by ACL on resource

Our goal is to ensure that the authentication is determined by the user's membership in our defined Active Directory group.

The details of Active Directory membership verification differ from intranet to intranet - I'll leave that exercise to the reader. However once you know for sure that a user does belong to a particular group, the rest is fairly trivial.

Set up your virtual directory to deny anonymous users and enable integrated authentication. This guarantees that only intranet users can get to the next step - authorization.

Next, set your web.config to use Windows auth:

<authentication mode="Windows"/>

This ensures that the user's identity - available at

HttpContext.Current.User.Identity

- is the NT Identity, and not the anonymous, empty identity presented to the application when using Forms or None authentication options. We need this identity to resolve the Active Directory group membership.


Now go into Global.asax and modify the Application_AuthenticateRequest event handler.

The general idea is to determine AD group membership within this event handler, and then use that information to authorize the user if required. The question is, how can we do this? The ASP.NET security model does not provide a simple way to do this. However, since we now know whether the user should be permitted or denied access to the site, we can exploit other features of the security model to achieve our goal. Specifically, ASP.NET has robust role-based security support - so we will use our knowledge to assign AD group members a role which will have access, and simply do nothing for users who do not belong to the AD group.

To role-protect your web application, modify your web.config as follows:

<authorization>
    <allow roles="CustomRole" />
    <deny users="*" /> <!-- Deny everyone else -->
</authorization>


The role doesn't have to be "CustomRole" - it can be "MyBigBadRole" or "XMLModifier" or whatever. The point is that now, only users who are in that role will be able to access the page. Go ahead and load your app. You will not be able to get to the page, because currently you are not in that role. Be careful to use a role name that is non-generic - "Administrator" or "MyRole" is a bad role, because someone else in your organization might be using it.

So now that the application is secured, how do we give the role to AD group members?

It's fairly straightforward. All we do is assign a new principal to the current context.


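using System;
using System.Security.Principal;
using System.Web;

...

// Global.asax
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // UserIsInADGroup() is your own AD membership check.
    if (UserIsInADGroup())
    {
        // Keep the Windows identity, but attach the role that web.config allows.
        IIdentity currentIdent = HttpContext.Current.User.Identity;
        GenericPrincipal gp = new GenericPrincipal(currentIdent, new string[] { "CustomRole" });
        HttpContext.Current.User = gp;
    }
    // Users outside the group get no role and are rejected by <deny users="*" />.
}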


And we're done!

Recap:

1) Secure your application using role-based authorization.
2) Handle the Application_AuthenticateRequest event.
3) If the user turns out to be in the AD group, assign them the appropriate role by creating a new GenericPrincipal.
4) Profit!
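
The post leaves UserIsInADGroup() to the reader. One way to write it, as an added example that is not the author's code: it assumes Windows authentication as configured above, and the group name EXAMPLEDOMAIN\HelloWorldUsers, the class name AdGroupCheck and the AssignRole helper are placeholders. Unlike the call in the post, this version takes the principal as a parameter.

```csharp
using System;
using System.Security.Principal;
using System.Web;

public static class AdGroupCheck
{
    // Placeholder: replace with your own domain-qualified group name.
    private const string RequiredGroup = @"EXAMPLEDOMAIN\HelloWorldUsers";
    private const string AppRole = "CustomRole";

    // Returns true only for an authenticated Windows identity that is a
    // member of RequiredGroup. Every other case fails closed.
    public static bool UserIsInADGroup(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // With <authentication mode="Windows"/> the identity is a WindowsIdentity.
        WindowsIdentity wi = user.Identity as WindowsIdentity;
        if (wi == null || wi.IsAnonymous || wi.IsGuest)
            return false;

        try
        {
            // Checks the group against the groups in the user's logon token.
            return new WindowsPrincipal(wi).IsInRole(RequiredGroup);
        }
        catch (SystemException)
        {
            // For example, the group name cannot be resolved: deny, do not guess.
            return false;
        }
    }

    // Call from Application_AuthenticateRequest in Global.asax.
    public static void AssignRole(HttpContext context)
    {
        if (context == null || !UserIsInADGroup(context.User))
            return; // no role assigned, so <deny users="*" /> rejects the request

        context.User = new GenericPrincipal(
            context.User.Identity, new string[] { AppRole });
    }
}
```

Membership is read from the user's logon token, so removing someone from the AD group only takes effect once a new token is issued for them.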

31 Comments:

Anonymous said...

Hi, I found this useful. Thanks a lot.

Daniel

8:13 AM  
Anonymous said...

Where exactly is the last piece of code located? In the global.ascx?

8:48 AM  