ASP.NET Membership - Which RoleProvider to use so User.IsInRole() checks ActiveDirectory Groups?

Asked 14/5, 2009 at 12:36 Answered 24/5, 2009 at 20:5

Solved asp.net authentication active-directory roles active-directory-group

Very simple question actually:

I currently have IIS anonymous access disabled, users are automatically logged on using their Windows login. However calling User.IsInRole("Role name") returns false. I double-checked User.Identity.Name() and the "Role name" and it should return true.

I currently have this in my Web.Config:

UPDATE
I was calling User.IsInRole("Role name") where I should call User.IsInRole("DOMAIN\Role name")

However I still like to know if the <membership> entry is needed at all?

What should I change? (and is the <membership> entry needed at all?)

  <authentication mode="Windows">
      <forms
      name=".ADAuthCookie"
      timeout="10" />
  </authentication>


<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear/>
      <add
         name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="XXX\specialAdUser"
         connectionPassword="xx"
         />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="WindowsProvider">
  <providers>
    <clear />
      <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

Polacca answered 14/5, 2009 at 12:36 Comment(0)

If you use Windows authentication IsInRole will work with no extra configuration, as long as you remember to prefix the role with the domain, i.e. DOMAIN\groupName.

In addition you can role (pun intended) your own and use Windows auth against, for example, a SQL Role Provider, where you don't want your AD littered with custom roles for your application.

So no, you don't need the provider configuration at all.

Wrongheaded answered 24/5, 2009 at 20:5 Comment(0)

The membership provider here isn't going to help. The ActiveDirectoryMembershipProvider seems to best(only?) fit with Forms authentication.

Tutto answered 22/5, 2009 at 19:18 Comment(0)

BlogEngine.NET has an Active Directory role provider.

Pilau answered 24/5, 2009 at 19:49 Comment(0)

Pretty sure the only thing you need in there is the roleManager group (along with the base authentication mode='windows' setting)

Ferret answered 22/5, 2009 at 19:22 Comment(1)

Aren't the Roles automatically checked for in Activedirectory already? – Polacca 22/5, 2009 at 19:41

Out of the box, there's no role provider to use Active Directory directly. You can use the role table in the ASP.NET membership- and role-system, or you can use Authorization Manager (AzMan).

There's an article on CodeProject which shows the implementation of a role provider which works against the Active Directory - with full source code. Maybe this helps?

Marc

Slug answered 24/5, 2009 at 17:13 Comment(0)

Recommended topics

Hot tags