
Login form using Active directory groups in ASP.NET 2

Sorry if this has been asked before, but I have searched both Google and this site and can't find a complete walk-through aimed at beginners. I am trying to write a login page that authenticates against Active Directory groups using ASP.NET 2. I have found various articles but they all seem to be lacking key information for novices. I have managed to piece together a login page that works with a couple of Active Directory logins, but I can't restrict it to only users who are members of specific Active Directory groups. My web.config contains the following:

    <connectionStrings>
      <add name="ADConnectionString" connectionString="LDAP://domainname.local/DC=domainname,DC=local" />
    </connectionStrings>
    <authentication mode="Forms">
      <forms
        loginUrl="Login.aspx"
        name=".ADAuthCookie" timeout="1000" />
    </authentication>
    <authorization>
      <allow roles="DOMAINNAME\group"/>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="MyADMembershipProvider">
      <providers>
        <add name="MyADMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider,
            System.Web, Version=2.0.0.0, Culture=neutral,
            PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="ADConnectionString"
          attributeMapUsername="sAMAccountName"/>
      </providers>
    </membership>

I have anonymised the real domain, but I believe this part works as it allows me to login if I use:

    <allow roles="DOMAINNAME\username"/>
    <deny users="?"/>

The rest of the project consists of a Login.aspx page with a WebControls.Login control and a Default.aspx page with the following in the page_load function to prove that the login has worked:

    Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));

I have tried

    <allow roles="DOMAINNAME\group"/>
    <deny users="*"/>

But that seems to deny everyone.

What am I missing?

From what I can tell the Authorization section of the web.config doesn't work like that for the ActiveDirectoryMembershipProvider. It seems you will need to check role/group membership in code.

I spent a couple of days recently researching what you are attempting and didn't find anything. Ended up implementing our own AD login module to get the desired behavior. If you decide to implement your own solution I would recommend making use of the ActiveDirectoryMembershipProvider for authentication. Then just handle authorization yourself.
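The split this answer recommends (let the ActiveDirectoryMembershipProvider authenticate, then check group membership yourself) looks like the following in a Login.aspx code-behind. This is an added example, not code from the original thread. It assumes the `MyADMembershipProvider` and `domainname.local` from the question's web.config, a .NET 3.5 or later target (for `System.DirectoryServices.AccountManagement`), a Login control wired to `LoginControl_Authenticate`, a code-behind class named `LoginPage`, and an `appSettings` key `RequiredAdGroup` holding the group name; all of those names are assumptions. The `<authorization>` section then only needs `<deny users="?"/>`, since the group check happens before the forms-auth cookie is ever issued.

```csharp
// Added example (not from the original thread). Assumes .NET 3.5+ and the
// ADConnectionString / MyADMembershipProvider entries from the question's web.config.
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page   // code-behind for Login.aspx (name is an assumption)
{
    // Group the user must belong to. "RequiredAdGroup" is an assumed appSettings key;
    // the fallback is the constructed placeholder from the question.
    private static readonly string RequiredGroup =
        ConfigurationManager.AppSettings["RequiredAdGroup"] ?? "DOMAINNAME\\group";

    // Wire this to the control:
    // <asp:Login ID="LoginControl" runat="server" OnAuthenticate="LoginControl_Authenticate" />
    protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;

        // Step 1: authentication, delegated to the ActiveDirectoryMembershipProvider.
        bool validCredentials = Membership.ValidateUser(login.UserName, login.Password);

        // Step 2: authorization in code, because <allow roles> is never populated for
        // this provider. The cookie is only issued when both checks pass.
        e.Authenticated = validCredentials && IsMemberOfGroup(login.UserName, RequiredGroup);

        if (validCredentials && !e.Authenticated)
        {
            // Same generic message for "not in group" as for bad credentials would leak less;
            // kept explicit here so the behaviour is easy to see while testing.
            login.FailureText = "Your account is not a member of the required group.";
        }
    }

    // True if the user (sAMAccountName) is a direct or nested member of groupName.
    internal static bool IsMemberOfGroup(string samAccountName, string groupName)
    {
        // Accept either "group" or "DOMAINNAME\group".
        int slash = groupName.IndexOf('\\');
        string bareGroup = slash >= 0 ? groupName.Substring(slash + 1) : groupName;

        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "domainname.local"))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
            {
                return false;
            }

            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, bareGroup))
            {
                if (group == null)
                {
                    return false;   // misconfigured group name: fail closed
                }

                // GetAuthorizationGroups expands nested membership (tokenGroups);
                // comparing SIDs avoids false matches on renamed or same-named groups.
                foreach (Principal p in user.GetAuthorizationGroups())
                {
                    if (p.Sid != null && p.Sid.Equals(group.Sid))
                    {
                        return true;
                    }
                }
                return false;
            }
        }
    }
}
```

Two design points: the membership check runs before `e.Authenticated` is set, so a user outside the group never receives the `.ADAuthCookie` at all, and a missing or mistyped group name returns false rather than letting everyone through.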

Try these changes in your web.config file:

    <configuration>
      <configSections>
        <section name="loginRedirectByRole" type="dirrerentloginusers.LoginRedirectByRoleSection" allowLocation="true" allowDefinition="Everywhere" />
      </configSections>

      <loginRedirectByRole>
        <roleRedirects>
          <add role="Manager" url="/Manager/ManagerPage.aspx" />
          <add role="User" url="/User/UserPage.aspx" />
        </roleRedirects>
      </loginRedirectByRole>

      <system.web>
        <!-- mode="Forms" is required; without it the <forms> element is ignored -->
        <authentication mode="Forms">
          <forms loginUrl="LoginForm1.aspx" protection="All"></forms>
        </authentication>
        <roleManager enabled="true"></roleManager>
        <compilation debug="true" targetFramework="4.0" />
      </system.web>
    </configuration>

Create the classes for the custom configuration section:

    using System.Configuration;

    // Maps to <loginRedirectByRole> in web.config.
    public class LoginRedirectByRoleSection : ConfigurationSection
    {
        [ConfigurationProperty("roleRedirects")]
        public RoleRedirectCollection RoleRedirects
        {
            get
            {
                return (RoleRedirectCollection)this["roleRedirects"];
            }
            set
            {
                this["roleRedirects"] = value;
            }
        }
    }

    // Maps to <roleRedirects>; each <add> becomes a RoleRedirect keyed by role name.
    public class RoleRedirectCollection : ConfigurationElementCollection
    {
        public RoleRedirect this[int index]
        {
            get
            {
                return (RoleRedirect)BaseGet(index);
            }
        }

        public RoleRedirect this[object key]
        {
            get
            {
                return (RoleRedirect)BaseGet(key);
            }
        }

        protected override ConfigurationElement CreateNewElement()
        {
            return new RoleRedirect();
        }

        protected override object GetElementKey(ConfigurationElement element)
        {
            return ((RoleRedirect)element).Role;
        }
    }

    // One <add role="..." url="..." /> entry.
    public class RoleRedirect : ConfigurationElement
    {
        [ConfigurationProperty("role", IsRequired = true)]
        public string Role
        {
            get
            {
                return (string)this["role"];
            }
            set
            {
                this["role"] = value;
            }
        }

        [ConfigurationProperty("url", IsRequired = true)]
        public string Url
        {
            get
            {
                return (string)this["url"];
            }
            set
            {
                this["url"] = value;
            }
        }
    }

Then add this code to your code-behind page to redirect the user to their page:

    // Requires: using System.Configuration; using System.Web.Security;
    // Call this only after the user's credentials have been validated.
    private void RedirectLogin(string username)
    {
        LoginRedirectByRoleSection roleRedirectSection =
            (LoginRedirectByRoleSection)ConfigurationManager.GetSection("loginRedirectByRole");
        foreach (RoleRedirect roleRedirect in roleRedirectSection.RoleRedirects)
        {
            if (Roles.IsUserInRole(username, roleRedirect.Role))
            {
                // Issue the forms-auth cookie, then send the user to the URL for the first
                // matching role. RedirectFromLoginPage would end the response itself, so the
                // role-specific Response.Redirect after it would never run.
                FormsAuthentication.SetAuthCookie(username, true);
                Response.Redirect(roleRedirect.Url);
                return;
            }
        }
    }

I don't see any RoleProvider in the web.config file you posted. I'd have thought you'd need a WindowsTokenRoleProvider if you want to use Windows group membership as ASP.NET roles.
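This answer's point, shown as an added configuration example that is not part of the original thread: with Forms authentication and no role provider, `Roles` is never populated, so `<allow roles="DOMAINNAME\group"/>` never matches and a trailing `<deny users="*"/>` denies everyone, which is what the question describes. WindowsTokenRoleProvider turns the group SIDs in the caller's Windows token into ASP.NET roles, but it only has a token to read under Windows authentication, so this fragment assumes Windows authentication (IIS with anonymous access disabled) rather than the Forms login page from the question. The provider name `WindowsRoles` and the group name are placeholders.

```xml
<!-- Added example, not from the original thread. Assumes Windows authentication in IIS
     with anonymous access disabled; provider and group names are placeholders. -->
<configuration>
  <system.web>
    <!-- WindowsTokenRoleProvider reads group membership from the request's Windows
         identity, so the request must carry one: Windows, not Forms, authentication. -->
    <authentication mode="Windows" />

    <roleManager enabled="true" defaultProvider="WindowsRoles">
      <providers>
        <clear />
        <add name="WindowsRoles"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web,
                   Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

    <!-- DOMAINNAME\group is now a real role. Rules are evaluated top to bottom and the
         first match wins: members are allowed, every other user (including authenticated
         domain users outside the group) is denied. -->
    <authorization>
      <allow roles="DOMAINNAME\group" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With this in place the `Roles.IsUserInRole(...)` call from the previous answer also works, as long as the username passed in is the current request's Windows identity; WindowsTokenRoleProvider cannot look up arbitrary users.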
