I am building an intranet with ASP.NET Core 2.0 MVC. All users are part of an Active Directory. Additionally I have a MSSQL database with the following tables:
Users (Id, FirstName, UserNameAd (unique), ...)
Roles (Id, RoleName)
UserRoles (User_Id, Role_Id)
In my web application I now want to retrieve the roles of a user and store them in the Authentication/Identity classes of Microsoft in order to use [Authenticate(Roles="Admin")] stuff. I am not sure where I shall put this role request and what the best practice is. It is possible that a user gets a new role during the day or that a role is removed during the day, and I actually do not want the user to click something specific or need him to restart the browser in order to get the new roles applied - that's why I think that the roles need to be requested with each server action (POST, GET) from the server.
Any idea or link to a good tutorial would be highly appreciated.
Also if you think my approach is not good practice and you have a better idea I would be happy to know.
After a lot of discussions and research on the internet I came to the conclusion to choose pure Windows authentication.
It works out of the box and you can already use the active directory groups as roles with [Authorize(Roles = "ADGroupName")] which is really straightforward and nice.
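The original wish in the question (roles re-read from the database on every request, so a role added or removed during the day applies without a re-login) maps to the IClaimsTransformation hook that ASP.NET Core 2.0 runs after each authentication. The following is an added example, not code from the question or its answer. It assumes Windows Authentication is enabled, a connection string named "Intranet", that Users.UserNameAd is stored without the "DOMAIN\" prefix, and the table and column names given in the question; the authentication-type name "IntranetDbRoles" is an arbitrary marker.

```csharp
// Added example: load the user's roles from Users/Roles/UserRoles on every request through
// IClaimsTransformation, so [Authorize(Roles = "Admin")] sees role changes without a re-login.
// Assumptions: ASP.NET Core 2.0 with Windows Authentication, a connection string named
// "Intranet", UserNameAd stored without the "DOMAIN\" prefix, and the column names from
// the question (Users.Id, Roles.RoleName, UserRoles.User_Id / Role_Id).
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;

public class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Name of the extra identity that carries the database roles (an assumption).
    private const string DbRolesAuthenticationType = "IntranetDbRoles";
    private readonly string _connectionString;

    public DbRoleClaimsTransformation(IConfiguration config)
    {
        _connectionString = config.GetConnectionString("Intranet");
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // TransformAsync can run more than once per request: do not add the roles twice.
        if (principal.Identities.Any(i => i.AuthenticationType == DbRolesAuthenticationType))
            return principal;
        if (principal.Identity == null || !principal.Identity.IsAuthenticated)
            return principal;

        // Windows auth reports "DOMAIN\user"; strip the domain to match UserNameAd (assumption).
        string userName = principal.Identity.Name;
        int slash = userName.LastIndexOf('\\');
        if (slash >= 0) userName = userName.Substring(slash + 1);

        var roleClaims = new List<Claim>();
        const string sql = @"
            SELECT r.RoleName
            FROM Roles r
            JOIN UserRoles ur ON ur.Role_Id = r.Id
            JOIN Users u ON u.Id = ur.User_Id
            WHERE u.UserNameAd = @userName";

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Parameterised: the user name is data and is never concatenated into the query.
            cmd.Parameters.AddWithValue("@userName", userName);
            await conn.OpenAsync();
            using (var reader = await cmd.ExecuteReaderAsync())
            {
                while (await reader.ReadAsync())
                    roleClaims.Add(new Claim(ClaimTypes.Role, reader.GetString(0)));
            }
        }

        // Do not mutate the incoming principal (the authentication handler may cache it);
        // return a copy with one more identity whose role claim type is what IsInRole checks.
        var result = principal.Clone();
        result.AddIdentity(new ClaimsIdentity(roleClaims, DbRolesAuthenticationType,
                                              ClaimTypes.Name, ClaimTypes.Role));
        return result;
    }
}

// Startup.ConfigureServices:
//   services.AddTransient<IClaimsTransformation, DbRoleClaimsTransformation>();
// Controllers then need nothing special:
//   [Authorize(Roles = "Admin")] public IActionResult Admin() => View();
```

Because the lookup happens on every request, a role removed in the UserRoles table stops working on the very next request, which is the behaviour the question asked for; the cost is one small indexed query per request, which is the trade-off against the AD-group approach the self-answer settled on, where group changes only show up after the user's next logon token refresh.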
Related
I have three levels of users in my website: Managers, employees and normal users. Each of them is in a different table in my database.
I created a login form using the login tool. Then I created connection and sessions. They work fine.
Now my question is: what is the best way to check the session in all pages (if it is a manager, employee or user)? It would be more useful if there is an example :)
Thank you for your time.
Pretty traditional and simple, you could use this tried and true method.
Essentially you would use the UserData property of the authentication ticket to store the current user's roles. You can then obtain the data at any time from the current thread's principal.
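The ticket-based method the answer describes, written out as an added example (not code from the question or the answer): the roles go into FormsAuthenticationTicket.UserData when the login succeeds, and Application_AuthenticateRequest turns them back into a principal on every request, so any page can call User.IsInRole("Manager") without reading Session. It assumes classic ASP.NET (System.Web) with forms authentication enabled in web.config; the role names and the LoginForm.Validate helper that checks credentials against the Managers/Employees/Users tables are placeholders.

```csharp
// Added example: roles stored in FormsAuthenticationTicket.UserData at login and restored
// into the request principal in Global.asax on every request.
// Assumptions: classic ASP.NET forms authentication; "Manager"/"Employee"/"User" role names
// and the LoginForm.Validate credential check are placeholders, not real APIs.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    private const char Separator = '|'; // role names must not contain this character

    // Called once, after the login form has validated the user's credentials.
    public static void Issue(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        string userData = string.Join(Separator.ToString(), roles);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), persistent, userData,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() also MACs the ticket with the machineKey, so the browser cannot edit UserData.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal from the roles stored in the (already validated) ticket.
    public static IPrincipal PrincipalFromTicket(FormsIdentity identity)
    {
        string userData = identity.Ticket.UserData;
        string[] roles = string.IsNullOrEmpty(userData) ? new string[0] : userData.Split(Separator);
        return new GenericPrincipal(identity, roles);
    }
}

// Global.asax.cs: FormsAuthenticationModule has already decrypted and validated the cookie
// and set a FormsIdentity (with no roles) before this handler runs.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;                 // anonymous request
        var identity = Context.User.Identity as FormsIdentity;
        if (identity == null) return;                     // not forms-authenticated
        Context.User = RoleTicket.PrincipalFromTicket(identity);
    }
}

// Login page code-behind (LoginForm.Validate is the page's own credential check, a placeholder):
//   string[] roles;
//   if (LoginForm.Validate(userName, password, out roles))
//       RoleTicket.Issue(Response, userName, roles, persistent: false);
```

For the three-table layout in the question, Validate would return "Manager", "Employee" or "User" depending on which table matched. Note the trade-off: the roles are frozen inside the ticket, so a role change only takes effect when a new ticket is issued (next login, or by calling Issue again), and the ticket is only as trustworthy as the machineKey that signs it.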
I don't see all applications in Kentico. Please help me.
Currently I am Global System Administrator. This is my new website.
Current situation with applications looks like this:
Can someone help me ?
Thanks in Advance.
There are three things you need to check:
1. The user needs to be set as Global Administrator in Users > User > General tab (dropdown list).
2. The user needs to be in the Global Administrator role, which is part of the (global) roles.
3. You need to ensure any pre-configured roles which are assigned to the user for a particular site are removed. The reason is that any role with lower permissions will override any other "global" permissions.
I had a similar problem when I created my first site. The license, user and domain were all set up correctly. I even checked all the settings for the pages module, which looked right. The only noticeable thing was that the site was not showing on the top ribbon as shown in solution 3.
I just did a log off and log on which resolved the issue. :)
Thanks a lot Brenden for directing towards solution.
I would first make sure the user you are using is set to Global Administrator, if not it would be permissions. If you can't access the users application, you can check in the database:
SELECT UserID, UserName, UserIsGlobalAdministrator FROM dbo.CMS_User WHERE UserName = 'USERNAME'
If you are a global administrator, it's possible that something happened to the CMS_UIElement table.
I have had a similar experience when working with a new site. Ensure that the appropriate site is selected (see image) and that the site has a valid license matching the Site domain name or alias (Sites -> {SiteName} -> General ).
I'm building a helpdesk/asset tracking web application using Windows Authentication, ASP.NET MVC5, and C#, with a SQL back-end.
In the database, I'm thinking of linking support tickets and assets to users by way of their Active Directory SID, since this value will not change over time. Their SID, along with some other pieces of information, would go into a table called "Users".
Since I'm new to MVC, what would be the most efficient way of getting the user's SID into the database upon their first visit to the site? I thought about building something into Global.asax, but that seems like it goes against the MVC paradigm.
Alternatively, does anyone have suggestions for a better approach?
The idea is quite common.
For most sites (for example StackOverflow) you have to register. You take a common login service (StackExchange) and upon first login, a 'profile' is created.
Authentication (and maybe authorization) still happens through the original source (in your case AD), while the information you really need is saved in the database.
In the AccountController.Login action, you call ActiveDirectory yourself.
using System.DirectoryServices.AccountManagement;

using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
    // FindByIdentity returns null when the account does not exist in the domain
    using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, model.UserName))
    {
        // userPrincipal.Sid.Value is the stable SID to key the Users table on
        // read back the user from database
        // if non-existent: add it using a stored procedure or something like that
    }
}
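With Windows Authentication there is no Login action of your own, so the "profile on first visit" step from the answer has to hook in elsewhere. The following is an added example (not code from the question or the answer) that does it with an MVC5 global action filter instead of Global.asax: on each authenticated request it reads the SID from the WindowsIdentity the server already established, and inserts a Users row if none exists. It assumes a connection string named "Helpdesk" and a Users table with Sid (NVARCHAR, UNIQUE), UserName and FirstSeen columns; those names are assumptions.

```csharp
// Added example: provision a Users row keyed by the Windows SID on the user's first request.
// Assumptions: Windows Authentication enabled, connection string "Helpdesk", and a Users table
// with columns Sid (UNIQUE), UserName, FirstSeen (all names assumed, not from the question).
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Mvc;

public class EnsureUserProvisionedAttribute : ActionFilterAttribute
{
    private const string SessionKey = "UserProvisioned";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var identity = filterContext.HttpContext.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.User == null)
            return; // anonymous or not Windows-authenticated: nothing to provision

        // Hit the database once per session rather than on every request.
        var session = filterContext.HttpContext.Session;
        if (session != null && session[SessionKey] != null)
            return;

        // The SID comes from the authenticated identity, never from request input.
        UserRepository.EnsureExists(identity.User.Value, identity.Name);

        if (session != null) session[SessionKey] = true;
    }
}

public static class UserRepository
{
    public static void EnsureExists(string sid, string userName)
    {
        const string sql = @"
            IF NOT EXISTS (SELECT 1 FROM Users WHERE Sid = @sid)
                INSERT INTO Users (Sid, UserName, FirstSeen)
                VALUES (@sid, @userName, SYSUTCDATETIME());";

        string connectionString = ConfigurationManager.ConnectionStrings["Helpdesk"].ConnectionString;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@sid", sid);
            cmd.Parameters.AddWithValue("@userName", userName);
            conn.Open();
            try
            {
                cmd.ExecuteNonQuery();
            }
            catch (SqlException ex)
            {
                // Two "first" requests raced; the UNIQUE constraint on Sid kept a single row.
                // 2627 = unique constraint violation, 2601 = unique index violation.
                if (ex.Number != 2627 && ex.Number != 2601) throw;
            }
        }
    }
}

// Register once for every action (App_Start/FilterConfig.cs):
//   filters.Add(new EnsureUserProvisionedAttribute());
```

The UNIQUE constraint on Sid is doing real work here: the IF NOT EXISTS / INSERT pair is not atomic, so two simultaneous first requests from the same user can both pass the check, and the constraint (plus the swallowed duplicate-key error) is what keeps the table consistent. Tickets and assets then reference the Users row, which keeps the answer's point that authentication stays in AD while the application only stores what it needs.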
I am trying to learn about how to do Roles in ACS. I have a Windows Store App (not a website :-), and I need Administrator and a Member roles - but finding even very basic documentation or tutorials for something like this is proving very difficult for me.
All I have found are a bunch of references to ASP.NET or Azure Websites stuff - which I can't use, since a Store app is not a Website - and doesn't use ASP.NET.
I have Azure Mobile Services for my Windows Store app. Is there any information that you know of that could be of help?
I'm surprised that Roles don't seem to be covered in the samples/reference/tutorials section anywhere on the Azure website (unless I've missed it - several times).
Take, for example, this scenario. Here, in the Script tab of the Management Portal, I insert some text into the table associated with the currently logged in user (via the insert function):
var SendGrid = require('sendgrid').SendGrid;

function insert(item, user, request) {
    // stamp the row with the authenticated user's id before it is written
    item.userId = user.userId;
    request.execute({
        success: function() {
            request.respond();
            // Send email in the background (sendEmail is the script's own helper, not shown here).
            sendEmail(item);
        }
    });
}
The above code inserts some text into the table and then sends an email to that user. But, how could I adapt this code, so that it would (pseudo code):
if item.text == "administrator"
then insert userid into admin column
else
then insert userid into member column
Any help at all will be highly appreciated.
It is not really an answer, but it is also too long for a comment, and I think it is really important.
First of all, when using authentication from the Windows Azure Mobile Services, you are not using Windows Azure Access Control Service. So, there is no Active Directory, there are no (additional) claims when one uses Mobile Services. This must be very clear, because I see continuous misunderstanding and confusion. @Joey still asks for, and refers to ACS as the federation provider for his application, which is not the case if he relies on the Mobile Services authentication mechanism.
So, the roles assignment must totally be handled by your application logic with additional table as Jim describes.
However, role assignment in general is an interesting topic, and really is not part of any tutorial or documentation. And it is not part of such, because role assignment is part of the business logic of the application itself, not part of the authentication service. There is a very similar question here, which however again does not answer in detail how to assign roles. The foundation and main issue to solve is: how to assign the administrator role. Everything else can be solved by adding appropriate UI for the application administrators. Still, this question is not subject to a short SO answer.
This is a weird way to state the question, but this is what I'm trying to achieve.
This is what I'm doing
Connect to a MySQL DB (complete)
authenticate(complete)
select all the roles that I have specified in mySQL (complete)
store those roles somehow so I can display controls and links based on their role membership.
I just got this figured out to handle the mySQL part in web.config
<system.web>
  <membership defaultProvider="MySQLMembershipProvider" />
  <roleManager enabled="true" defaultProvider="MySQLRoleProvider" />
</system.web>
I'm using this code:
using MySql.Data.MySqlClient;
using System.Web.Security;

// cmd2 is the MySqlCommand that selects the authenticated user's roles (built earlier, not shown)
MySqlDataReader dr2 = cmd2.ExecuteReader();
while (dr2.Read())
{
    string roleName = dr2["role"].ToString();
    //error here -> Roles.AddUserToRole(userID, roleName);
}
Access denied for user ''@'localhost' (using password: NO)
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I? I
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I?
NO! Adding user to roles means the provider will link the user to the role. As you already have the user linked, this is a worthless direction.
store those roles somehow so I can display controls and links based on their role membership
Why do you need to do this? At the page level, you can set up ASP.NET security with trimmings so you can automagically exclude pages from the user's view if they are not in the correct role(s). As far as sections/controls/etc, you can check to see if a user IS in a role and then determine whether or not to display it. If you use sections, a lot of this can be done declaratively rather than programmatically.
The one caveat is what your membership provider supports. The "out of the box" providers (Access and SQL Server) support security trimmings and declarative syntax for exclusions of sections of a page, etc. If the MySQL provider fully implements all of the methods, you should be fine using it, as well. If you create a custom provider, there are certain parts YOU have to implement to get things to work.
The short story is once you grab a MembershipUser (authenticate the person), you will have access to whether the person is in a role or not. This is all part of the standard implementation of a membership provider in .NET. As long as the provider you are using for MySQL covers all of the same methods, you can do a quick Google search and find tons of sites showing how to show/hide bits based on roles.
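What the answer describes in practice, as an added example (not code from the question or the answer): once the role provider is configured in web.config, the RoleManagerModule attaches a RolePrincipal to every request, so the page asks User.IsInRole / Roles.GetRolesForUser and never calls Roles.AddUserToRole or copies roles into Session. It assumes an ASP.NET Web Forms page with Panel controls named AdminPanel and EditorPanel and a Label named RoleList, and role names "admin" and "editor" in the MySQL roles table; all of those are assumptions.

```csharp
// Added example: show/hide page sections and enforce an action by role through the standard
// Roles API, relying on the MySQLRoleProvider configured in web.config.
// Assumptions: roles "admin"/"editor" exist in the MySQL roles table; the page has controls
// AdminPanel, EditorPanel (Panel) and RoleList (Label). None of this is from the question.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Dashboard : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // RolePrincipal.IsInRole asks the role provider (GetRolesForUser) and caches the answer
        // for the request, or in the roles cookie when cacheRolesInCookie="true" is set.
        AdminPanel.Visible = User.IsInRole("admin");
        EditorPanel.Visible = User.IsInRole("editor");

        // All roles of the current user in one call, handy for building menus.
        string[] roles = Roles.GetRolesForUser();
        RoleList.Text = string.Join(", ", roles);
    }

    // Hiding the button is UI only: the server-side action must check the role again.
    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        if (!User.IsInRole("admin"))
            throw new HttpException(403, "Forbidden");

        // ... perform the delete
    }
}

// Declarative alternative for whole pages or folders (web.config), which needs no code:
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="admin" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
```

The `<roleManager>` element in the question has no provider entry; the "Access denied for user ''@'localhost'" error, with an empty MySQL user name, is typically what MySQL reports when the role provider's `<add>` element is missing or has no connectionStringName pointing at a valid connection string, so that is the first thing to verify before any of the calls above will work.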