User Logon


Dan

I am developing an application that has to have access to
it controlled. I would like to be able to have the users
logon to the application using their existing Windows
account. I would create a new Group on the domain and add
those users who should access the program to that group.

The problem I am having is determining how to validate their
UserID and Password and retrieve their group membership
information. Do I do this via Active Directory? Should I
do this via API calls?

Any insight or a point in the right direction would be
great. Thanks!
 
Dan,

I would actually use a ServicedComponent for this. With it, you can
assign the user group to a role. Once you have the role defined, then you
can create a class which derives from ServicedComponent. Create a method,
Login. This method would do nothing. Then, you can set access for the
method to that role only. When someone outside of the role (and outside of
this user group) calls the method, it will throw an exception (granted, this
isn't the most eloquent solution).

Once you have that, you can call the LogonUser API (or LogonUserEx) to
validate a username/password combo. Then you can impersonate the user
(using the Impersonate method on the WindowsIdentity API class; the
documentation for this method will show you how to do all of this).

The benefit to doing this is that you don't have to worry about a
predefined name of a Windows group (which isn't always possible). You have
to worry about a defined role in your application, which is specific to the
application, not to the domain it is running in. Then, you just have to
handle the mappings of the users and groups to the role that your
application provides.

Hope this helps.
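
An added example, not code from either poster: a minimal C# sketch of the LogonUser step from the reply, combined with the direct group-membership check the question asks about (instead of the ServicedComponent role mapping). The class name `WindowsLogonCheck`, the method `IsAuthorized` and the command-line arguments are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class WindowsLogonCheck   // hypothetical name, not from the thread
{
    const int LOGON32_LOGON_NETWORK = 3;     // validates credentials without an interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;    // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // True only if the credentials are valid AND the account is a member of the group.
    public static bool IsAuthorized(string domain, string user, string password, string group)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE) return false;
            throw new Win32Exception(err);   // lockout, expired password, no domain controller...
        }
        try
        {
            // WindowsIdentity duplicates the token, so ours is closed in finally.
            using (var identity = new WindowsIdentity(token))
                return new WindowsPrincipal(identity).IsInRole(group);
        }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args)   // usage: check.exe DOMAIN user DOMAIN\Group
    {
        Console.Write("Password: ");
        var pw = new System.Text.StringBuilder();
        // Read without echo so the password never appears on screen (no backspace handling).
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            pw.Append(k.KeyChar);
        Console.WriteLine();
        Console.WriteLine(IsAuthorized(args[0], args[1], pw.ToString(), args[2])
            ? "access granted" : "access denied");
    }
}
```

Failures other than a bad user name or password are raised rather than reported as a denial, so lockouts and connectivity problems stay visible in the application's error handling.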
 