How do I use AD Authentication in ASP.NET? - c#

I want to know how to use Active Directory in the Account/Login.aspx page in my project but I cannot find a lot of resources out there for this. I am using VS.Net 2013 Asp.net C# 4.0. I have never had to do this before and I was just wondering how you access Active Directory and on a group level so only the person(s) that are in this group have access to the application. Please anyone with a link or any information that would be great. I am really stuck on this and I need to be able to have this working.

I use Active Directory and forms authentication. You can use this with the default Account/Login.aspx. These are the links that I have used to set it up.
This link will show you how to log in with Active Directory.
This link will show you how to set up an ADRoleProvider.
I prefer to use them both because the first link will show you how to get the AD groups of the logged-in user, but it saves them to an authentication cookie. You will have to decrypt this cookie to see which group the AD user is in... this can be a hassle.
The 2nd link will show you how to use roles, which is much simpler.
You can have a simple if statement like this:
if (User.IsInRole("SoftDev"))
{
//do something
}
Or you can use the roles in the web.config like this:
<location path="Account/Whatever.aspx">
<system.web>
<authorization>
<allow roles="SoftDev"/>
<deny users="*" />
</authorization>
</system.web>
</location>
This will deny everyone access to that page besides the group "SoftDev".
Both these links are meant if you are using Forms Authentication as there are other articles out there for using Windows Authentication. I hope this helps.

Related

How do I prevent a web form from being accessed by manually typing the aspx file name into the browser?

I have created a Login page that is only for admins (so there is no need to check if the user is admin or not). The page does the check against a database where the username and password is stored. I am able to successfully check the name/password against the database and then transfer the user to the admin page, however, I noticed that I can still type http://localhost:xxxxx/AdminPage and it will take me there. How do I stop people from doing this? I have tried adding
<authorization><deny users="?"/></authorization>
to the web.config file, which stops all anonymous users from entering, but now I need to know how to allow users from the database to be given permission. (NOTE: this is not a normal Login to Default setup. This is directing to a page other than Default)
You can use role-based authorization described here.
If you use the default ASP role system, you need to add some code to web.config:
<location path="your_page" >
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
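How rule order decides the outcome for the rule set above, as an added example that is not part of the original answer: a simplified C# model of first-match URL authorization. The `Rule` class, `UrlAuthModel` and the sample users are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One <allow> or <deny> element; exactly one of Users / Roles is set.
class Rule
{
    public bool Allow;
    public string Users;
    public string Roles;
}

static class UrlAuthModel
{
    // The first rule that matches decides. When nothing matches, the inherited
    // default <allow users="*"/> from the root configuration applies.
    public static bool IsAllowed(IEnumerable<Rule> rules, string user, params string[] roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        foreach (Rule r in rules)
        {
            bool userMatch = r.Users == "*" || (r.Users == "?" && anonymous) ||
                (!anonymous && string.Equals(r.Users, user, StringComparison.OrdinalIgnoreCase));
            bool roleMatch = r.Roles != null &&
                roles.Contains(r.Roles, StringComparer.OrdinalIgnoreCase);
            if (userMatch || roleMatch) return r.Allow;
        }
        return true;
    }

    static void Main()
    {
        // <deny users="?"/> then <allow roles="Admin"/>
        var denyAnonymousOnly = new[] {
            new Rule { Allow = false, Users = "?" },
            new Rule { Allow = true, Roles = "Admin" } };
        // <allow roles="Admin"/> then <deny users="*"/>
        var adminOnly = new[] {
            new Rule { Allow = true, Roles = "Admin" },
            new Rule { Allow = false, Users = "*" } };

        // Constructed users: anonymous, alice (Admin), bob (signed in, not Admin).
        foreach (var rules in new[] { denyAnonymousOnly, adminOnly })
            Console.WriteLine("anonymous={0} alice={1} bob={2}",
                IsAllowed(rules, null),
                IsAllowed(rules, "alice", "Admin"),
                IsAllowed(rules, "bob", "Staff"));
    }
}
```

With `<deny users="?"/>` followed by `<allow roles="Admin"/>`, a signed-in user without the Admin role matches neither rule and is let in by the inherited default; `<allow roles="Admin"/>` followed by `<deny users="*"/>` rejects that user.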

WCF Rest service authentication in web config file

I am developing a WCF Rest service and want to authenticate it by a single userid and password.
I went through a lot of stuff on the internet, but the thing is complex.
I want to know whether there is any way to give permission for a single userid and password in the web.config file.
<location path="Test.svc">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If there is any way to authenticate it, please help me with this.
Here's the thing: you do not want to just allow a specific USER, you want to allow a specific ROLE, i.e. someone who is allowed to do that. Using a userID and Password means that if you ever need to change who is allowed (because that person has been fired, or because there are now 2 people with that permission), you would have to change the web.config and redeploy the file, which in extreme cases might break the site.
Instead, implement an entire membership system, including roles, and then do this:
<location path="Test.svc">
<system.web>
<authorization>
<allow roles="[RoleNameHere]"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
You can then add the user that you want to give access to that role through the standard way of doing this for your membership provider, and s/he'll automatically be allowed access, while everyone else is denied. You can also easily change whoever is allowed or denied, because it's a data change, not a code change.

Web.config authorization issue using Active Directory groups that contain additional subgroups

When you use the following code in your web.config, is there a way to allow for authorization of individuals who might be within subgroups of the listed AD role?
<location path="Restricted.aspx">
<system.web>
<authorization>
<allow roles="FOOMAIN\AccessGroup" />
<deny users="*" />
</authorization>
</system.web>
</location>
The AD groups are setup as such:
AccessGroup
  Subgroup1
  Subgroup2
  John.Foo
  Jane.Bar
Subgroup1
  Billy.Jean
  Other.Individuals
Currently, when Billy.Jean tries to access Restricted.aspx, they are rejected.
We'd love to be able to use AccessGroup in the web.config and be able to add subgroups for future access instead of having to make web.config or code changes. The possibility of just doing the authorization on PageLoad has been proposed but the business prefers to have these things set in configuration. The application is currently using Windows authentication and denies anonymous access site-wide.
Any ideas? Is there something I'm missing with how IIS performs this lookup? Is there a setting within AD that needs to be changed for the AccessGroup? I have no access to the IIS or AD settings and their respective admins are less than helpful.
Thanks.
I was able to finally sort this all out. The reason that Subgroup1 and Subgroup2 were not being accessed was because they are distribution groups and not security groups. When a respective security group is added that contains Billy.Jean, everything works properly. Basic answer to an infuriating problem.

Authorized File access in ASP.NET Web Application

Can someone please help me to get an idea on this? I have a C# website application in which I want to do authorization for accessing the documents in the website directory.
If a user requests a document, say a PDF, through a link in my website, http://www.mywebapp.com/documents/test.pdf , before opening test.pdf in the browser, I actually want to verify the user is authorized to access the PDF based on the role he has. I have enabled forms authentication for the folder "documents" in IIS and the system is redirecting to the login page if the user is not authenticated. I'm all good with that, but stuck with authorization.
I can't set the roles in web.config since it would be different for different users. User role is stored in httpcookie for that particular user.
And in my documents folder there would be different documents targeted for different roles.
Say test.pdf for a role called vendor. So only vendors can access this PDF.
Another document, form.pdf, for role supplier: only users with role supplier can see this PDF.
Should I write some handler to execute before loading the PDF in the browser?
Or whenever a request comes in as /documents/, should I have a URL rewrite to execute an aspx page to verify the authorization and, if authorized, display the page?
Can anybody please help me to get an idea on how to implement this authorization.
Appreciate your help!
Thanks,
KK
Looks like your question is "how I can check cookie value on my page and return stream of a file with correct document type when cookie is ok".
Make sure you are handling all requests (much easier to do using MVC than WinForms, but possible in the latter too).
Read and verify the cookie.
Return the file if the check passed; don't forget to set the "content-disposition" and "content-type" headers. Again, File result in MVC is easier to use... Make sure to read the file content under the correct account if using impersonation.
You can add following code to web.config and try
<location path="documents/test.pdf">
<system.web>
<authorization>
<allow roles="Vendors"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="documents/form.pdf">
<system.web>
<authorization>
<allow roles="Role Supplier"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
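The handler approach from the first answer (check the caller, then stream the file with the right headers), as an added example that is not code from the post. The `file` query parameter, the `~/App_Data/documents` folder and the document-to-role map are assumptions, and roles are assumed to be on the request principal (forms-authentication ticket or role provider) so that `IsInRole` can be used.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class DocumentHandler : IHttpHandler
{
    // Hypothetical document-to-role map built from the question's two examples.
    static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "test.pdf", "vendor" },
            { "form.pdf", "supplier" }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // GetFileName drops any directory part, so the request cannot name a
        // file outside the documents folder; unknown names are refused anyway.
        string name = Path.GetFileName(context.Request.QueryString["file"] ?? "");
        string role;
        if (!RequiredRole.TryGetValue(name, out role))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Authorization is decided on the server-side principal, per document.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Assumed storage location; App_Data is not served by direct URL.
        string path = context.Server.MapPath("~/App_Data/documents/" + name);
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "inline; filename=\"" + name + "\"");
        context.Response.TransmitFile(path);
    }
}
```

Register the class as a handler in web.config and link to it instead of the static PDF URL, so every download passes through the role check.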

Utilize a Banned Role - ASP.NET MVC

<location path="CreateArticle">
<system.web>
<authorization>
<deny roles="banned"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
The code above works fine, but when I ban myself, it automatically redirects to the login page. I don't want this. If a person is banned, I want it to redirect to a banned page. Is this possible in MVC?
It sounds like you are using the built-in ASP.NET membership/roles provider. This is the design of the system.
You can code around this yourself. Here's an example of this:
.net Membership deny login
The code in this sample was written with web forms in mind, not MVC, so you will need to adapt it, but it should get you down the right path.
Well, you can check inside your controller if the user is banned and make a proper decision:
if (User.IsInRole("Banned"))
{
// do something here
}
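One way to code around the login redirect in MVC, as an added example (not from the linked sample or either answer): an `AuthorizeAttribute` subclass. The `NotBanned` name and the `Account/Banned` route are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class NotBannedAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Anonymous users fail in the base check, exactly as with [Authorize];
        // authenticated users additionally must not hold the "banned" role.
        return base.AuthorizeCore(httpContext)
            && !httpContext.User.IsInRole("banned");
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated && user.IsInRole("banned"))
        {
            // Banned but signed in: send to the banned page (hypothetical route)
            // instead of returning 401, which forms authentication would turn
            // into a redirect to the login page.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "controller", "Account" },
                    { "action", "Banned" }
                });
            return;
        }

        // Everyone else keeps the default behaviour (login redirect).
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Apply `[NotBanned]` to the CreateArticle action or controller; the action that renders the banned page must not carry the attribute itself, or banned users would be redirected in a loop.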
