I created a website using HTML/CSS to display a SQL reports index. This has worked fine up till now because users needed access to a security group and something inside SQL to view the report and the data fields. We are now getting to the stage where there are too many reports and some have sensitive names, so we need to limit access based on Active Directory security groups. The thing is that I have no clue at all how to manage access via AD groups. I have managed to get basic AD authentication working for another project that I deployed for the company, but that didn't require access beyond Domain Users.
Could anyone please point me in the right direction to authenticate via AD, check a user for groups and then display info based on their access? The last bit should be really easy; the hardest part will be checking group info and then filling a variable that I can then use to create a loop that will display all the reports the user has access to.
I have found a partial answer. The below link is a guide on how to pull all AD groups a user belongs to and then checking to see if they are a member of a certain group. This is largely what I was looking for and if I can meld it into what I want, I think I can use this to do what I need.
http://www.c-sharpcorner.com/UploadFile/scottlysle/test-for-user-group-membership-in-Asp-Net-C-Sharp/
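As an added example (not from the question or the linked article), this is how the group check and the filtered report loop could fit together in ASP.NET using System.DirectoryServices.AccountManagement; the group names, the report catalog and the DOMAIN\user login format are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
// Added example (not the poster's code): filter a constructed report index by the
// AD groups of the Windows-authenticated caller. Group names are placeholders.
public class Report
{
    public string Name;
    public string Url;
    public string[] AllowedGroups;   // sAMAccountNames of AD groups allowed to see it
}
public static class ReportAccess
{
    // Constructed sample catalog standing in for the real reports index.
    public static readonly Report[] Catalog =
    {
        new Report { Name = "Sales Summary", Url = "/reports/sales", AllowedGroups = new[] { "RPT-Sales", "RPT-All" } },
        new Report { Name = "HR Compensation", Url = "/reports/hr-comp", AllowedGroups = new[] { "RPT-HR-Sensitive" } },
        new Report { Name = "Inventory", Url = "/reports/inventory", AllowedGroups = new[] { "RPT-All" } },
    };
    // Token groups (GetAuthorizationGroups) include nested membership, unlike a plain memberOf read.
    public static HashSet<string> GroupsFor(string samAccountName)
    {
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return groups;      // unknown account: sees nothing
            foreach (var g in user.GetAuthorizationGroups())
                if (g.SamAccountName != null) groups.Add(g.SamAccountName);
        }
        return groups;
    }
    // Pure filtering rule, testable without a domain.
    public static IEnumerable<Report> Visible(IEnumerable<Report> catalog, ISet<string> userGroups)
    {
        return catalog.Where(r => r.AllowedGroups.Any(userGroups.Contains));
    }
    // Page entry point: DOMAIN\user from Windows authentication -> sAMAccountName -> filtered list.
    // Hiding links is not authorization: each report endpoint must apply the same group check.
    public static IEnumerable<Report> VisibleTo(HttpContext http)
    {
        var login = http.User.Identity.Name;
        var sam = login.Contains("\\") ? login.Substring(login.IndexOf('\\') + 1) : login;
        return Visible(Catalog, GroupsFor(sam));
    }
}
```

In the page, loop over `ReportAccess.VisibleTo(Context)` to render the links the caller is entitled to.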
Alternatively, Microsoft Windows Server can also run LDAP, which has an unbelievable number of compatible libraries to code with.
Tutorial linked; it's just another server role/feature you can install (like AD itself):
http://osqa.sjsoft.com/questions/248/how-do-i-install-minimal-active-directoryldap-services-on-windows-server-2008
Also, here is a Q.A.D. SO answer on querying user groups. Are you using a Windows framework like ASP? What's your server technology?
Query From LDAP for User Groups
How can we take the user's details from Active Directory in SharePoint 2010? I have one requirement, which has the functionality to send mail to all the users who are listed in a particular column in a SharePoint list. This column has the type Single line of text (displaying the display name of the user). I need to retrieve each user's information from AD by passing this display name, without adding any LDAP connection string anywhere. Is it possible? If it is possible, please help me to sort out this issue.
In my opinion the best way to achieve this is to use User Profile Synchronization. First you will need to configure user profile synchronization with AD. Then you can use the SharePoint API (the UserProfileManager class of the server object model) to access user properties imported from AD.
The Problem
I'm an ASP.NET newb who has been given the task of creating a multi-user password management system for use within a secure intranet. Essentially the user will be automatically logged in via Windows authentication, which will then provide them with an appropriate view depending on their group. For example, a user of group 'admin' would be able to access all password entries, and a user of group 'developers' would be able to access all password entries belonging to users in the 'Developers' Active Directory group. Users should be able to create, update, and hide (delete) password entries.
What I have so far
So far I have essentially been figuring out what will and will not be impossible, and researching technologies. Windows authentication itself appears to be easy; however, it breaks when I enable the role provider, which appears to be necessary for providing different views for users. By 'breaks' I mean specific users are still recognized, but entire groups are not.
The different views must be automatically served, and I have come up with two techniques to do this:
Checking the role (group) on the home controller, and serving the appropriate view. This would require a long list of messy 'if' statements, however.
Serve a common view and allow or disallow viewing certain elements according to group. This would require putting a lot of logic in a view, which is as I understand inappropriate.
There will be a password.cs model class which will hold all information on a password entry, including which groups should have access to it. I can't really think of any other necessary models, as the user information would not need to be stored.
Security concerns
I understand that storing such sensitive data in a single location could be a recipe for disaster. Passwords will be appropriately encrypted using pre-existing libraries which I have access to. I will have help with this area. Also, passwords will not be viewable as plain text on the system, to avoid shoulder-surfing, but will be displayed as asterisks and will be copyable to the user's clipboard.
My questions
Essentially I would like some advice on how to structure the system and the most simple ways to enable active directory authorization with windows authentication. I would like some advice on how to provide the appropriate view for the user, and how the different areas should fit together. I am not expressly asking for any help with the password security side of things, but any insight or discussion would be warmly welcomed. Essentially, I would very much appreciate any help, links to tutorials, or suggested readings.
My tools
At my disposal I have Visual Studio Professional 2010, MVC 4.0 and .NET Framework 4.0, and standard (non-admin) access to the server.
I will be able to give experimental code which I currently have in place tomorrow (It's 22:30 GMT, I'll be back in the office tomorrow morning). Let me know if you need any more information.
I have implemented two solutions where I had to integrate MVC with Active Directory. There are multiple solutions (e.g. the Security Application Block from Enterprise Library). However, I ended up using AzMan and the RoleManagerAzManProvider. I ended up with this combination because I did not need to deploy any additional libraries.
I started with this article: http://msdn.microsoft.com/en-us/library/ff649313.aspx
Even though it is written for ASP.NET, I was able to use it for MVC. I placed my XML Local Policy Store underneath app_data and configured the web.config:
<add name="LocalPolicyStore" connectionString="msxml://~/app_data/MyPolicyStore.xml" />
This worked out nicely for me because the Policy Store allowed me to define Application Roles and, when deployed at my client, map those roles to AD Accounts.
After that, I implemented a custom Authorize Attribute that I registered in the global filters. This is where I made the decision as to which page the user would be redirected to when they logged into the app. Finally, I used the standard Authorize Attribute on controllers based on group names.
I have thought about writing a set of Custom Editor Templates and Display Templates that would take roles into account so that I can render different UI for controls based on the User's application role (render a span instead of input).
Although your application is probably already written, I hope this helps.
Chuck
I'm writing a C# application that monitors Active Directory for certain changes and synchronizes those to another system. I'm using System.DirectoryServices.Protocols.DirectoryNotificationControl from C# for this purpose so I don't have to poll AD for changes.
It works well in most scenarios. If I edit the user and add the user to a group, I get notified. But if I edit a group and add a user to that group, I'm not notified about the user change. I'm notified about the group change, though, but then I have to scan the group's members and maintain a cross-check list and compare, which doesn't scale.
Any ideas on how I can get notified more precisely about group membership changes in Active Directory?
Cheers,
Christian
Group membership is stored on the group. There is no modification to the user when you add them to a group. The display of group membership on the properties of the user is an abstraction via the memberOf attribute which is calculated on the fly when requested.
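Following that point, here is an added example (not code from the question or the answer) that watches the group object itself with DirectoryNotificationControl and reports which DNs were added to or removed from its `member` attribute; the server name and group DN are placeholders:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Linq;
// Added example, not the poster's code: membership lives in the group's `member` attribute
// (memberOf on the user is a computed back-link), so watch the group and diff `member`. Placeholder server/DN.
class GroupMemberWatcher
{
    const string Server = "dc01.example.local";
    const string GroupDn = "CN=Developers,OU=Groups,DC=example,DC=local";
    static HashSet<string> lastMembers = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    static void Main()
    {
        var conn = new LdapConnection(Server);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.Bind();                              // bind as the current process account
        lastMembers = MemberSet(ReadGroup(conn)); // seed: the notification search only delivers changes
        // The notification control requires filter (objectClass=*); base scope pins it to this group.
        var watch = new SearchRequest(GroupDn, "(objectClass=*)", SearchScope.Base, "member");
        watch.Controls.Add(new DirectoryNotificationControl());
        IAsyncResult pending = conn.BeginSendRequest(watch, TimeSpan.FromDays(1), PartialResultProcessing.ReturnPartialResultsAndNotifyCallback, OnGroupChanged, conn);
        Console.WriteLine("Watching {0}; press Enter to stop.", GroupDn);
        Console.ReadLine();
        conn.Abort(pending);
    }
    static SearchResultEntry ReadGroup(LdapConnection conn)
    {
        var req = new SearchRequest(GroupDn, "(objectClass=*)", SearchScope.Base, "member");
        return ((SearchResponse)conn.SendRequest(req)).Entries[0];
    }
    // Groups beyond ~1500 members come back as ranged attributes (member;range=0-1499); not handled here.
    static HashSet<string> MemberSet(SearchResultEntry e)
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var attr = e.Attributes["member"];
        if (attr != null) foreach (string dn in attr.GetValues(typeof(string))) set.Add(dn);
        return set;
    }
    static void OnGroupChanged(IAsyncResult ar)
    {
        var conn = (LdapConnection)ar.AsyncState;
        foreach (var entry in conn.GetPartialResults(ar).OfType<SearchResultEntry>())
        {
            var now = MemberSet(entry);
            foreach (var dn in now.Except(lastMembers)) Console.WriteLine("ADDED   " + dn);
            foreach (var dn in lastMembers.Except(now)) Console.WriteLine("REMOVED " + dn);
            lastMembers = now;
        }
    }
}
```

One watcher per group of interest keeps the per-notification work proportional to that group's size rather than to the whole directory.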
Fully agree with Brian Desmond; you can find the source of what he is talking about in the User Security Attributes Microsoft article (look for memberOf). You can also read there that you can get more information by connecting to a Global Catalog.
WMI is perhaps a second solution you can dig into. AD WMI Providers exist. Using WMI to Monitor AD gives you some clues about that. This article doesn't do more than what you have so far, but I think that with WMI events you can create the notifications you need. You can find Microsoft information about this beginning in Monitoring Active Directory Health, especially Active Directory WMI Providers.
I have an InfoPath form in which the filler needs to specify people. A workflow later assigns tasks to these people. What I'm looking for is a people picker like what SharePoint has for user fields, but that I can use in InfoPath. I've already designed a form to do this where the filler can put in a name or email and the form will list results from the site.allusers group.
The problem is, what if the person that needs to be added into the form has never accessed this particular site collection before. Their account isn't going to be listed in the AllUsers list.
Where in the object model can I search for a user that is able to authenticate with SharePoint?
Why not just use the OTB one in InfoPath and configure it to point to your SharePoint environment?
http://www.sharepointassist.com/2009/02/27/adding-a-contact-selectorpeople-picker-to-an-infopath-form/
If you're running MOSS with AD integration, then it should automatically retrieve everyone that's in your domain if AD sync is enabled.
I think that the problem here is that even if you do find a list of users, the workflows won't trigger any actions if the users don't exist in the User Information List.
If the users don't exist in the User Information List, then you won't be able to find them via the SharePoint object model because they don't exist in SharePoint. You will have to find them some other way.
So basically, it depends on how the authentication is configured on your SharePoint server:
If you are using FBA, then the users who can authenticate with SharePoint must exist in a SQL database somewhere. Membership.Provider will give you a hook on your FBA membership provider (whether it's a SqlMembershipProvider or something else). You can then use methods like
Membership.Provider.GetUser(username, false) // second argument: userIsOnline
to see if a user exists. You can also loop through your users or find all the existing usernames which you could then display in your people picker.
If you are using windows authentication, you will have to look in your AD to find the potential users. The DirectoryEntry object is what you'll need. I imagine that only users from a certain AD group can access SharePoint? If so, then isolate that group with the DirectoryEntry object, loop through the users and you will have your data source for the people picker.
As I said above though, either method will give you the possible users, but it won't make the workflow work if the users have not logged in. Workflows will only work properly with users that do exist in the User Information List.
When someone picks a user that doesn't exist in SharePoint, you will probably have to create it via code. A safe way to do this is with SPWeb.EnsureUser:
Checks whether the specified login name belongs to a valid user of the Web site, and if the login name does not already exist, adds it to the Web site.
So really, to answer your question, nowhere. You need to look for them where they could be coming from.
We have a SharePoint site and we now want to only allow users that have registered and paid to have access to the site by yearly subscription.
We would like to automate the process of managing the subscriptions and creating the users as much as possible.
I understand we will not get a turnkey solution. However, does the SO Community have any ideas on how we could do this. We will be using forms authentication.
A bit more info would be welcome, but I'll give it a try.
I assume you are running with Forms-Based Authentication? If so, you would need to write the logic that creates the user in the database. The existing ASP.NET Membership Provider should meet all your needs. After that, you would need to add the newly created user to the appropriate SharePoint groups (this can also be done using the SharePoint object model).
The first step, though, would be to create your "become a member" page and make that accessible anonymously. Add a web part / control to that page that handles the payment and then, when successful, creates the ASP.NET Membership Provider user. Then add that user to the appropriate SP groups. The easiest way to restrict access would be to create a subsite of the main welcome site (root of the site collection), which has its own rights and groups. Make the root site accessible for anyone, and allow access to the subsite for paying users only.
The CodePlex project SharePoint 2007 List Membership Provider allows you to maintain your users in a SharePoint list.