
Full disclosure, I do not fully understand the world of Windows auth, Active Directory and LDAP and have had little experience with individual user accounts via SQL Server. Additionally, I have found that most documentation on the web, especially that put forth by Microsoft, assumes that you develop in a pure Microsoft world and have the ability to implement the most current of any solution, framework, or service they provide.

I am developing an intranet application. And for various reasons I cannot take advantage of Active Directory groups/roles but would like to mimic this functionality as much as possible. Thus I need to be able to manage users/roles/groups internally within the application. However, I would like the ability to detect a user's Windows Auth credentials in the process. In other words, I do not want the user to have to register, nor do I want them to have to log in, but rather use the Windows account they are signed in as.

The application managed roles would then determine various functionality the user will have within the application.

This is an ASP.NET MVC application. I will ultimately need to satisfy the following requirements in regards to authorization.

1) Compare the current Windows user with the application user store and roles. Can use SQL Server for this.

2) Manipulate functionality based on a user's role

3) Allow for an admin to search AD and add a domain\User to the store as well as assign groups

4) Create Groups and register with application components

Any information as to how I could address one or all of these would be vastly beneficial.

awh112
LCaraway
  • Are you saying you don't have Active Directory or that you have it but can not leverage it for your purposes? – Cos Callis Feb 21 '17 at 21:10
  • If you are not familiar with AD or LDAP, I would suggest a quick Google search on `PrincipalContext`; it takes out a great deal more of the headache from coding AD / LDAP back in the good old days – MethodMan Feb 21 '17 at 21:10
  • There is an active directory, but cannot leverage it more than querying it for information. – LCaraway Feb 21 '17 at 21:12
  • Can you limit your users to Internet Explorer and/or Edge? – Cos Callis Feb 21 '17 at 21:14
  • @CosCallis that could be considered, ideally this should work for any browser. – LCaraway Feb 21 '17 at 21:16
  • http://stackoverflow.com/questions/4946068/using-windows-intergrated-authentication-with-sqlroleprovider-in-silverlight-app – Joe Feb 21 '17 at 21:47
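As an added example, not from the question or any of the answers, of requirement 3 using the `PrincipalContext` approach MethodMan mentions: an admin-only MVC action confirms that a `domain\user` exists in AD (a read-only lookup) and records the account's SID next to its login name in the application's own store, so a later rename or reuse of the login name cannot silently transfer its roles. `IAppUserStore`, `AdminUsersController`, the `WhoAmI` action and the `Admin` role name are assumptions made for this illustration; the code requires a reference to System.DirectoryServices.AccountManagement.

```csharp
// Added example for the question above; not code from the original post.
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;

// Assumed application-side user store (the question's "internal" user table).
public interface IAppUserStore
{
    bool Exists(string loginName);
    void Add(string loginName, string displayName, string sid);
}

public static class WindowsAccountNames
{
    // Accept only the "DOMAIN\user" shape; anything else is rejected before AD is asked.
    public static bool TryParse(string account, out string domain, out string sam)
    {
        domain = sam = null;
        if (string.IsNullOrWhiteSpace(account)) return false;
        var parts = account.Split('\\');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        domain = parts[0];
        sam = parts[1];
        return true;
    }
}

public class AdminUsersController : Controller
{
    private readonly IAppUserStore _store;

    public AdminUsersController(IAppUserStore store) { _store = store; }

    // With Windows authentication enabled in Web.config, User.Identity.Name already
    // holds "DOMAIN\user"; no application login form is involved (requirement 1).
    public ActionResult WhoAmI()
    {
        return Content(User.Identity.IsAuthenticated ? User.Identity.Name : "anonymous");
    }

    // Only application administrators may add users; the "Admin" role is resolved by
    // the application's own role provider, not by AD group membership.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin")]
    public ActionResult Add(string account)
    {
        string domain, sam;
        if (!WindowsAccountNames.TryParse(account, out domain, out sam))
            return new HttpStatusCodeResult(400, "Expected DOMAIN\\user");

        // Read-only directory query: confirm the account exists and read its SID and
        // display name. The application never writes to AD.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var principal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (principal == null)
                return new HttpStatusCodeResult(404, "No such domain account");

            // Store the canonical SAM name from AD rather than the admin's typed input.
            var loginName = domain + "\\" + principal.SamAccountName;
            if (!_store.Exists(loginName))
                _store.Add(loginName, principal.DisplayName, principal.Sid.Value);
        }
        return RedirectToAction("Index");
    }
}
```

The SID is the stable key: if the application later needs to decide whether a Windows account is the same one that was granted a role, comparing `WindowsIdentity.User` to the stored SID is more reliable than comparing login names, which can be renamed or reassigned.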

3 Answers


What you are looking for is a custom role provider. It is extremely easy and simple to do. Simply create a class that inherits from System.Web.Security.RoleProvider. The only methods you need to implement are IsUserInRole and GetRolesForUser. You may just throw a NotImplementedException on all the other methods. Then, tie it to your application in Web.Config by setting the roleManager element under System.Web.

using System;
using System.Linq;
using System.Web.Security;

public class CustomRoleProvider : RoleProvider
{
    //Application data context; stands in for whatever persistence the app uses.
    private mydatabase db;

    public override string ApplicationName { get; set; }

    public CustomRoleProvider()
    {
        db = new mydatabase();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        //This will return the user object.
        //To get the username of the logged on user, you can use User.Identity.Name
        //To remove the domain name from the username: User.Identity.Name.Split('\\').Last();
        //Note: the username parameter is the account the role manager is asking about;
        //prefer it over the ambient identity wherever the two can differ.
        var user = db.CurrentUser();

        return user != null
            && user.Roles != null
            && user.Roles.Count > 0
            && user.Roles.Exists(x => x.Roles.RoleNm == roleName);
    }

    public override string[] GetRolesForUser(string username)
    {
        var user = db.CurrentUser();

        //A user unknown to the store, or one without roles, gets an empty array
        //rather than a NullReferenceException.
        if (user == null || user.Roles == null)
            return new string[0];

        return user.Roles.Select(x => x.Roles.RoleNm).ToArray();
    }

    #region not implemented

    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        throw new NotImplementedException();
    }

    public override void CreateRole(string roleName)
    {
        throw new NotImplementedException();
    }

    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    {
        throw new NotImplementedException();
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        throw new NotImplementedException();
    }

    public override string[] GetAllRoles()
    {
        throw new NotImplementedException();
    }

    public override string[] GetUsersInRole(string roleName)
    {
        throw new NotImplementedException();
    }

    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
    {
        throw new NotImplementedException();
    }

    public override bool RoleExists(string roleName)
    {
        throw new NotImplementedException();
    }

    #endregion
}

and then, in Web.Config

<system.web>
    <roleManager defaultProvider="CustomRoleProvider" enabled="true">
      <providers>
          <clear />
          <add name="CustomRoleProvider" type="ThisProject.CustomRoleProvider, ThisProject" />
      </providers>
    </roleManager>
</system.web>

DISCLAIMER: There are likely typos in this code but you should be able to get the gist

KuriosCurious
  • "... a custom role provider" or a standard role provider. There's nothing to stop you using a standard role provider (e.g. SqlRoleProvider). The usernames in the database are Windows usernames in the format domain\user (or computername\user for local accounts). – Joe Feb 21 '17 at 21:42
  • Was able to get it to work with a standard role provider. This answer does solve the question however! – LCaraway Feb 24 '17 at 16:05
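As an added example that is not part of the answer above or of any project, here is a role provider built the way the answer describes but hardened in the places a reviewer would flag: it resolves roles for the `username` it is handed rather than for an ambient "current user", reads the application's role tables through parameterized SQL Server queries so the login name never becomes part of the SQL text, and returns no roles for unknown users so authorization fails closed. The connection string name `AppAuthDb`, the table names and the `ReportsController` are assumptions for illustration; the provider is wired up with the same `roleManager` element the answer shows.

```csharp
// Added example; not the answer's code. Assumes a Web.config connection string
// named "AppAuthDb" and the constructed schema described below.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

public sealed class SqlWindowsRoleProvider : RoleProvider
{
    private const string ConnectionStringName = "AppAuthDb"; // assumed name

    public override string ApplicationName { get; set; }

    // Windows authentication supplies "DOMAIN\user". SAM names are case-insensitive,
    // so compare them normalized; an empty name is a caller bug, not an anonymous user.
    private static string Normalize(string username)
    {
        if (string.IsNullOrWhiteSpace(username))
            throw new ArgumentException("username is required", "username");
        return username.Trim().ToUpperInvariant();
    }

    // Runs a single-column query and returns the string values of that column.
    private static IEnumerable<string> Query(string sql, Action<SqlCommand> bind)
    {
        var cs = ConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString;
        var results = new List<string>();
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (bind != null) bind(cmd);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    results.Add(reader.GetString(0));
        }
        return results;
    }

    // Constructed schema for this example:
    //   AppUsers(UserId, LoginName), AppRoles(RoleId, RoleName), AppUserRoles(UserId, RoleId)
    public override string[] GetRolesForUser(string username)
    {
        var login = Normalize(username);
        const string sql =
            "SELECT r.RoleName FROM dbo.AppUsers u " +
            "JOIN dbo.AppUserRoles ur ON ur.UserId = u.UserId " +
            "JOIN dbo.AppRoles r ON r.RoleId = ur.RoleId " +
            "WHERE UPPER(u.LoginName) = @login";
        // The login name is bound as a parameter, never concatenated into the SQL.
        return Query(sql, cmd => cmd.Parameters.Add("@login", SqlDbType.NVarChar, 256).Value = login)
            .ToArray();
    }

    // A user missing from the store simply has no roles: the check fails closed.
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username)
            .Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    public override string[] GetAllRoles()
    {
        return Query("SELECT RoleName FROM dbo.AppRoles", null).ToArray();
    }

    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    // Role administration goes through the application's own admin screens, so the
    // provider's write methods are deliberately unsupported rather than half-implemented.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}

// With roleManager pointing at the provider above, [Authorize(Roles = ...)] and
// User.IsInRole consult it; the identity itself still comes from Windows authentication.
[Authorize]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        ViewBag.CanExport = User.IsInRole("ReportExporter");
        return View();
    }

    [Authorize(Roles = "ReportAdmin")]
    public ActionResult Settings()
    {
        return View();
    }
}
```

Register it with `<add name="SqlWindowsRoleProvider" type="ThisProject.SqlWindowsRoleProvider, ThisProject" />` under the answer's `roleManager` element and set `defaultProvider` accordingly. Because every check goes back to SQL Server, enable `cacheRolesInCookie` only if the role cookie is protected and its expiry is short; otherwise a role removed in the admin screen keeps working until the cookie lapses.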

There is a membership provider created specifically for ActiveDirectory:

https://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider(v=vs.110).aspx

You can implement that provider in your app. In addition, you can create your own membership provider if you need additional functionality that the ActiveDirectoryMembershipProvider does not provide:

https://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

Matt Spinks

ASP.NET Identity separates Identity and Authorization as two distinct components.

By design you can choose to use the AD identity piece with the ASP.NET Authorization piece, such that you can use the local AD token to identify WHO the user is and then use that token to assign them privileges (roles and/or claims) based on that identity. This is similar to how you can also use Google, Facebook or Twitter identities. Obviously, if your AD authorities won't allow you to query AD for "who is the user behind token X" then this answer is moot.

I haven't time to go further with this right now, but I think this should start you in the right direction.

(caveat: you MAY become limited to using a Microsoft browser. Last I looked, only IE would send the Active Directory token with the HttpRequest IF the request was being sent to a local domain server (aka the 'intranet' zone). I have heard that Chrome will allow you to configure it to do this as well, but have never actually done it.)

Cos Callis