Introduction

I don't mean to rant, but if I see another 'username | password' prompt I think I'm going to choke. This post is about doing whatever you can to make this world have one less system that needs a logon prompt...

This describes how to secure your ASP.NET application if you're inside an Active Directory environment and you want to use integrated sign-on, so your users don't have to remember yet another login/password.

How to limit access to your application

This explains how to limit access to your application to members of a certain role/group. First you need to change your web.config so that it uses Windows authentication, and make it only allow members of a specific Active Directory group. For this to work the application must have Integrated Windows Authentication enabled in IIS, with anonymous access disabled, so that every request reaching ASP.NET carries a Windows identity. Here is the cut-down web.config, showing the changes to the system.web section:
<?xml version="1.0"?> 
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> 
  ...etc... 
  <system.web> 
    <!-- Take the identity from the user's Windows logon (as authenticated by IIS)
         instead of from a login form. -->
    <authentication mode="Windows" /> 
    <authorization> 
      <!-- Rules are evaluated top to bottom and the first match wins, so the
           allow for the group must come before the catch-all deny.
           users="*" means everyone, including authenticated domain users who
           are not in the group; users="?" would only deny anonymous callers. -->
      <allow roles="MYDOMAIN\MyAppUsers" /> 
      <deny users="*" /> 
    </authorization> 
  </system.web> 
</configuration>
Then you want to make a landing page for users who aren't allowed in. This is just a plain HTML page; call it 'noaccess.htm'. Keep it as .htm rather than .aspx: IIS serves static files itself, without passing them through the ASP.NET authorization rules above, so a denied user can actually see it. (If your server maps .htm through ASP.NET, you'll have to exempt that one file with a <location> element that allows users="*".) Now you want to send disallowed people to this 'noaccess.htm'. Open or create the Global.asax page, and change/add this function. Note that it only swaps the response body for a bit of client-side script; the 401 status stays, so a client with JavaScript disabled just sees an empty 401 rather than the protected page:
// Runs at the end of every request. If ASP.NET authorization refused the
// request (status 401), replace the body with a script that sends the browser
// to noaccess.htm. The 401 status itself is left in place, so the protected
// content is never sent; only what the user sees changes.
protected void Application_EndRequest(Object sender, EventArgs e) 
{ 
  HttpContext context = HttpContext.Current; 
  if (context.Response.StatusCode == 401) 
  { 
    context.Response.ClearContent(); 
    // The tags are split across string literals so the ASP.NET page parser
    // doesn't mistake them for the end of the <script runat="server"> block
    // when this code lives inline in Global.asax.
    context.Response.Write("<scr" + 
      "ipt language=javascript> self.location='noaccess.htm'; </sc" + 
      "ript>"); 
  } 
}
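As an added example (not code from the original post), here is a variant of the same Global.asax hook that does without the client-side script. The original rewrites every 401 regardless of why it was produced; this version uses Request.IsAuthenticated to tell the two cases apart. A request with no Windows identity yet must keep its 401, because that is the browser's cue to send the user's credentials, while an authenticated user who was refused by the authorization rules gets a 403 with the contents of noaccess.htm written straight into the response. The file name and the ~/noaccess.htm path are the post's; the 403 handling and the class name Global are this example's own choices.

```csharp
// Added example, not from the original post: Global.asax code-behind that
// distinguishes "not authenticated yet" from "authenticated but refused", and
// serves noaccess.htm from the server instead of via client-side script.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;

        // Only 401 responses are of interest; everything else goes out as-is.
        if (context.Response.StatusCode != 401)
            return;

        // No Windows identity on the request yet: the browser treats this 401
        // as the cue to send the user's credentials, so it must be left
        // untouched or integrated sign-on breaks.
        if (!context.Request.IsAuthenticated)
            return;

        // A real domain user who is not in the allowed group: the
        // authorization rules in web.config refused them. Say so with 403 and
        // put the landing page in the body. Output is buffered by default, so
        // the status and headers can still be changed here.
        context.Response.ClearContent();
        context.Response.StatusCode = 403;
        context.Response.ContentType = "text/html";
        context.Response.TransmitFile(context.Server.MapPath("~/noaccess.htm"));
    }
}
```

Because the 403 is a final answer rather than a challenge, a non-browser client (a script, a monitoring probe) gets an unambiguous status instead of an empty 401 it might retry against.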
How to figure out who is logged in

Quite simple, this one: it is stored in this server variable, accessible from your aspx.cs code-behind classes (Update: fixed):
HttpContext.Current.Request.ServerVariables["AUTH_USER"];
Say you've got a literal control on your webform and you want to show the currently logged on user; you could do this:
literalLoggedOnUser.Text = HttpContext.Current.Request.ServerVariables["AUTH_USER"];
With Windows authentication this is the "DOMAIN\user" name that IIS authenticated. HttpContext.Current.User.Identity.Name carries the same value, and both are empty for a request that was never authenticated, so never treat a blank name as a valid user.
How to give different permissions to different users

Say you want to give some people more access than others. You'll want to create another AD group for these users, "MYDOMAIN\MyAppAdmins". Open up your web.config and add the appSettings section like so:
<?xml version="1.0"?> 
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> 
  <appSettings> 
    <add key="AdminGroup" value="MYDOMAIN\MyAppAdmins"/> 
  </appSettings> 
  ...etc... 
</configuration>
The reason for adding the name of the admin group in the web.config is so that if you have different AD groups for the development vs production environments, it'll be a simple matter of only changing the web.config. The principle adhered to here is that the only difference between development and production should be the web.config file. Then you'll use this piece of code to check if the current user is in that group:
// Needs "using System.Configuration;" at the top of the code-behind. The group
// name comes from web.config so the same code works against the development
// and production groups.
string group = ConfigurationManager.AppSettings["AdminGroup"]; 
// User is the WindowsPrincipal for this request. IsInRole checks the groups in
// the user's logon token, so a change to AD group membership may not show up
// until that token is refreshed (typically the user's next logon).
if (User.IsInRole(group)) 
{ 
  // this user is an administrator 
} 
else 
{ 
  // this user is a common pleb 
}
Hint: you're most likely to place code like that in the Page_Load function for the admin pages.

Notes

This is for C# ASP.NET 2. Some things may be different with VB.NET or .NET 1.1.

Redirect to noaccess.htm: http://www.codeproject.com/aspnet/Custon401Page.asp
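A per-page check in Page_Load is easy to leave off one admin page, and a forgotten check fails open. As an added example (not code from the original post), the class below performs the same IsInRole check once, in OnInit of a base page that every admin page inherits, and fails closed: a missing or blank AdminGroup setting, or an unauthenticated request, is treated as "not an admin" rather than silently granting access. It assumes the "AdminGroup" appSettings key and the noaccess.htm landing page from the post; the class names AdminPage and AdminUsers are this example's own. The declarative alternative, putting the admin pages in their own folder and granting the admin group there with a <location> element in web.config, achieves the same deny-by-default without any code.

```csharp
// Added example, not from the original post: a base class that every admin
// page inherits so the group check runs in OnInit and cannot be left off a
// page by accident. Assumes the "AdminGroup" appSettings key from web.config
// and the noaccess.htm landing page described above.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.UI;

public class AdminPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        string adminGroup = ConfigurationManager.AppSettings["AdminGroup"];
        if (IsMemberOf(User, adminGroup))
            return;

        // Fail closed: refuse with 403, show the landing page, and end the
        // response so none of the page's own markup or event handlers run.
        Response.ClearContent();
        Response.StatusCode = 403;
        Response.ContentType = "text/html";
        Response.TransmitFile(Server.MapPath("~/noaccess.htm"));
        Response.End();
    }

    // True only when a group is configured and the user's Windows logon token
    // contains it. A missing or blank AdminGroup setting, or an
    // unauthenticated request, denies rather than silently granting access.
    public static bool IsMemberOf(IPrincipal user, string group)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (string.IsNullOrEmpty(group))
            return false;
        return user.IsInRole(group);
    }
}

// Usage: an admin page's code-behind derives from AdminPage instead of Page.
public partial class AdminUsers : AdminPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached by members of the configured admin group.
    }
}
```

IsMemberOf is public and static so it can also be called from ordinary pages that merely want to show or hide an admin link; the hard refusal still happens on the admin pages themselves.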

Thanks for reading! And if you want to get in touch, I'd love to hear from you: chris.hulbert at gmail.

Chris Hulbert
