Forms Authentication +Active Directory +Roles

  • Thread starter Thread starter Marty Underwood
  • Start date Start date
M

Marty Underwood

Okay the subject line explains a scenario I just had to tackle but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object if no exception create
custom authentication ticket.
3) But I also needed Role based security within the app. So I used SQL
server 2k DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and Activate the account. The user is notified when
they log in whether there account is "not activated", "pending activation".

What I need to know:

If there a way I can use AD authentication with forms authentication and
have role based security without maintaining a seperate db. For example, if
I had 2 AD groups how would I assign each group to a role.

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account request in AD. So it is difficult sometimes to convince them I have
4 roles for an application so I need 4 groups whether they be nested or not.

thanks
Marty
 
Marty Underwood said:
Okay the subject line explains a scenario I just had to tackle but I am
looking for a better way.

The current way:

1) Use forms authentication.
2) Query Active Directory and bind to a user object if no exception create
custom authentication ticket.
3) But I also needed Role based security within the app. So I used SQL
server 2k DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and Activate the account. The user is notified when
they log in whether there account is "not activated", "pending activation".

What I need to know:

If there a way I can use AD authentication with forms authentication and
have role based security without maintaining a seperate db. For example, if
I had 2 AD groups how would I assign each group to a role.

Select Case, If/then, hopefully you get my drift.

The company I work for has a security team that manages all changes and
account request in AD. So it is difficult sometimes to convince them I have
4 roles for an application so I need 4 groups whether they be nested or
Click to expand...
not.

Marty, I don't understand: what's wrong with treating groups as roles?
 
Hey John, it's not that there is anything wrong the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop groups into an
array and then for/next through each one to assign a role.

Alot of overhead I think can be prevented I just can't think of the simplest
way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.

Thanks
 
Marty Underwood said:
Hey John, it's not that there is anything wrong the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop groups into an
array and then for/next through each one to assign a role.

Alot of overhead I think can be prevented I just can't think of the simplest
way.

Basically, my question is this, if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups.
Click to expand...

I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
 
John Saunders said:
I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?

Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).

I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
Click to expand...

Long last couple of days, what you say is what I have to do. I was just
working on 3 different projects at the same time and guess I got my mind
sidetracked. I thought about a different way and that is to check the
members of a group against a username and see if that person is a member of
the group instead checking the groups that person is a member of.

Thanks for your time

Marty
 
Back
Top