Active Directory groups, SQL 2005 Roles and ASP.NET 2

Last post 11-09-2007 10:34 AM by jwasp. 5 replies.


  • Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-08-2007, 9:20 AM
    • Member
      point Member
    • insight974
    • Member since 11-06-2007, 3:31 PM
    • Posts 4

    I have been googling like crazy and can't find an example that matches my needs. I need to setup security this way:

     I have a big Active Directory group called MyAppUsers

    Inside this group I have subgroups which are my application roles (e.g. MyAppInspectors and MyAppSupervisors)

    In SQL, I have roles that match the Active Directory subgroups with security for tables, etc.

    I need to create ASP code that checks the user role and enables/disables a button depending on the role, for example. Or if they are not allowed to modify one field, I could catch the error, etc.

    I don't have a clue on how to do this.

  • Re: Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-08-2007, 9:33 AM
    • Member
      255 point Member
    • thithi
    • Member since 03-03-2005, 8:41 AM
    • Belgium
    • Posts 53

    You can use the method User.IsInRole to do this (http://msdn2.microsoft.com/en-us/library/ms127603(VS.80).aspx)

    Please click "Mark as Answer" if my reply solved your problem.
    Visit My Blog
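As an added example, not code from the thread, this is how User.IsInRole would be used in the code-behind of the case form the original poster described: the Reopen button is shown only to supervisors, the click handler repeats the check on the server, and the SQL error raised when the user's SQL role lacks the permission is caught. It assumes roleManager is enabled with a provider that reports the AD group names as roles; the control IDs, the "id" query-string parameter, the "CasesDb" connection string and the dbo.Cases schema are assumptions for this sample. One caveat on the SQL side: for the SQL role to apply per user, the connection has to open as that Windows user (IIS Windows authentication, `<identity impersonate="true"/>` and Integrated Security); under Forms authentication, as in the poster's web.config, impersonation yields the IIS anonymous identity rather than the logged-in user, so the database check then applies to one fixed identity.

```csharp
// Added example (not from the thread): code-behind for a case-editing page.
// Role names MyAppSupervisors/MyAppInspectors are the ones the poster described;
// control IDs, the query-string parameter, the "CasesDb" connection string and
// the dbo.Cases schema are assumptions for this sample.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CaseEdit : Page
{
    private const string SupervisorRole = "MyAppSupervisors";

    // In a real project these come from the .aspx markup (assumed control IDs).
    protected Button btnReopen;
    protected Label lblStatus;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Showing or hiding the button is a usability measure only: a request can
        // be posted as if the button had been clicked, so the click handler and
        // the SQL role permissions must enforce the rule independently.
        btnReopen.Visible = User.IsInRole(SupervisorRole);
    }

    protected void btnReopen_Click(object sender, EventArgs e)
    {
        // Server-side authorization check, independent of the button's visibility.
        if (!User.IsInRole(SupervisorRole))
        {
            lblStatus.Text = "Only supervisors may reopen a case.";
            return;
        }

        int caseId;
        if (!int.TryParse(Request.QueryString["id"], out caseId))
        {
            lblStatus.Text = "Invalid case id.";
            return;
        }

        try
        {
            lblStatus.Text = ReopenCase(caseId) ? "Case reopened." : "Case is not closed.";
        }
        catch (SqlException ex)
        {
            // SQL Server error 229 is "permission denied on object": the SQL role
            // mapped to the user's AD group rejected the UPDATE. This is the
            // database-side check the poster wanted to catch.
            if (ex.Number != 229) throw;
            lblStatus.Text = "Your SQL role does not permit reopening cases.";
        }
    }

    // Returns true when a closed case was changed to Open. The status condition is
    // part of the WHERE clause, so the Closed -> Open transition is enforced by the
    // query itself and not only by the page.
    private static bool ReopenCase(int caseId)
    {
        string cs = ConfigurationManager.ConnectionStrings["CasesDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE dbo.Cases SET Status = 'Open' WHERE CaseId = @id AND Status = 'Closed'", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = caseId;
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

The two checks are deliberately layered: the page check decides what the user may do in the application, and the SQL role permission catches anything that bypasses the page (another application, a direct connection, a bug). Disabling the button alone protects nothing, because the request a button click produces can be replayed without the button.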
  • Re: Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-08-2007, 1:05 PM
    • Member
      27 point Member
    • jwasp
    • Member since 06-19-2007, 10:47 AM
    • Posts 44

    I have not done this myself yet, but it sounds as if you need a custom role provider that checks the active directory group to assign the app. role. When you say

    In SQL, I have roles that match the Active Directory subgroups with security for tables, etc.


    What exactly do you mean? You mean they can access certain tables (name matching roles or the like?) depending on the AD role? 

  • Re: Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-09-2007, 8:05 AM
    • Member
      point Member
    • insight974
    • Member since 11-06-2007, 3:31 PM
    • Posts 4

    Exactly. For example, I have a Cases table. Both an inspector and a supervisor can insert and modify a case but only a supervisor can Reopen a case (Reopen meaning changing the case status field from Closed to Open). One of the things I want to do is, besides setting the permission in SQL, enabling or disabling the "Reopen" button in the form based on the user role. So far this is what I have been able to do:

    I created an AD group Inspectors and a group Supervisors

    I created a SQL role Inspectors and a SQL role Supervisors. Security in SQL is also pointing to the AD groups.

    I created a login page in my application and used the login control. I'm able to authenticate the user and get the user name.

    Now, I don't have a clue on how to get the group in which the user is. I have tried different samples without success. See below what I have in the web.config file.

    Config file

    <?xml version="1.0"?>
    <!--
        Note: As an alternative to hand editing this file you can use the
        web admin tool to configure settings for your application. Use
        the Website->Asp.Net Configuration option in Visual Studio.
        A full list of settings and comments can be found in
        machine.config.comments usually located in
        \Windows\Microsoft.Net\Framework\v2.x\Config
    -->
    <configuration>
     <appSettings/>
     <connectionStrings>
      <add name="ADConnectionString" connectionString="LDAP://mydomain.CMGOV.NET/OU=All_Users, DC=RIVERSIDE, DC=CMGOV, DC=NET"/>
     </connectionStrings>
     <system.web>
      <!--
                Set compilation debug="true" to insert debugging
                symbols into the compiled page. Because this
                affects performance, set this value to true only
                during development.
            -->
      <compilation debug="false">
       <assemblies>
        <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/></assemblies></compilation>
      <!--
                The <authentication> section enables configuration
                of the security authentication mode used by
                ASP.NET to identify an incoming user.
            -->
      <authentication mode="Forms">
       <forms name=".ASPXAUTH" loginUrl="login.aspx" defaultUrl="default.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" domain="" enableCrossAppRedirects="false">
        <credentials passwordFormat="SHA1"/>
       </forms>
      </authentication>
      <authorization>
       <deny users="?"/>
       <allow users="*"/>
      </authorization>
      <identity impersonate="true"/>
      <membership defaultProvider="MyADMembershipProvider">
       <providers>
        <add name="MyADMembershipProvider" attributeMapUsername="sAMAccountName" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" connectionUsername="username" connectionPassword="password"/>
       </providers>
      </membership>
      <!--
                The <customErrors> section enables configuration
                of what to do if/when an unhandled error occurs
                during the execution of a request. Specifically,
                it enables developers to configure html error pages
                to be displayed in place of a error stack trace.

            <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
                <error statusCode="403" redirect="NoAccess.htm" />
                <error statusCode="404" redirect="FileNotFound.htm" />
            </customErrors>
            -->
     </system.web>
    </configuration>

  • Re: Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-09-2007, 10:12 AM
    • Member
      27 point Member
    • jwasp
    • Member since 06-19-2007, 10:47 AM
    • Posts 44

    I don't see any role configuration in your web.config file. It is most likely defaulting to the sqlroleprovider (or roleManager is turned off by default ... can't remember). You probably want to look at the WindowsTokenRoleProvider (see link at bottom).

    If you're using the SQLRoleProvider, there are four tables that are used to correlate what user is in what role (aspnet_Users, aspnet_roles, and aspnet_UsersinRoles and aspnet_Applications). In AD, I assume it's the 'Member Of' that it looks to (haven't played with it yet).

    There's a section in the page linked below that goes like this:

        <roleManager defaultProvider="WindowsProvider"
          enabled="true"
          cacheRolesInCookie="false">
          <providers>
            <add
              name="WindowsProvider"
              type="System.Web.Security.WindowsTokenRoleProvider" />
          </providers>
        </roleManager> 

    FWIU, that tells .Net to use Windows (Active Directory) for your roles. 

     http://msdn2.microsoft.com/en-us/library/system.web.security.windowstokenroleprovider.aspx

     Unfortunately, my knowledge is theoretical still on this specific part, but I hope this helps some. On my list of enhancements/things to figure out is to write a custom role provider.


  • Re: Active Directory groups, SQL 2005 Roles and ASP.NET 2

    11-09-2007, 10:34 AM
    Answer
    • Member
      27 point Member
    • jwasp
    • Member since 06-19-2007, 10:47 AM
    • Posts 44

    Actually ... this piqued my interest, so I did a little more research. It appears that the WindowsTokenRoleProvider only works with Windows auth., not Forms authentication:

    It would appear that you may want to look in the direction of an ActiveDirectoryRoleProvider. At least I see hints pointing to it ...

    http://directoryprogramming.com/forums/thread/1131.aspx

    http://weblogs.asp.net/scottgu/archive/2006/04/13/442772.aspx

     Hope that helps!
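As an added example, not code from the thread or from the linked posts, here is the shape of the "ActiveDirectoryRoleProvider" that jwasp points at: a custom RoleProvider that looks up the user's AD group memberships through System.DirectoryServices (the assembly the poster's web.config already references) and reports them as ASP.NET roles, so User.IsInRole works under Forms authentication. It reuses the ADConnectionString from the poster's web.config and receives the username the ActiveDirectoryMembershipProvider authenticated (the sAMAccountName, given attributeMapUsername="sAMAccountName"); the class name, the provider name and the "rolePrefix" setting are assumptions for this sample.

```csharp
// Added example (not from the thread): a custom RoleProvider that turns the
// user's Active Directory group memberships into ASP.NET roles. It reuses the
// ADConnectionString from the poster's web.config; the class name, the provider
// name and the "rolePrefix" setting are assumptions for this sample.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.DirectoryServices;
using System.Text;
using System.Web.Security;

public class AdGroupRoleProvider : RoleProvider
{
    private string _appName;
    private string _ldapPath;
    private string _rolePrefix;

    public override string ApplicationName { get { return _appName; } set { _appName = value; } }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        base.Initialize(name, config);

        string csName = config["connectionStringName"];
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
        if (cs == null) throw new ProviderException("connectionStringName not found: " + csName);
        _ldapPath = cs.ConnectionString;
        _rolePrefix = config["rolePrefix"] ?? string.Empty; // only groups with this prefix become roles
        _appName = config["applicationName"] ?? "/";
    }

    // Reads the memberOf attribute of the user object. memberOf lists direct
    // memberships only: a user in MyAppInspectors is not reported as a member of
    // the parent MyAppUsers group, and the user's primary group is never listed.
    public override string[] GetRolesForUser(string username)
    {
        List<string> roles = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(_ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the username so a crafted value cannot change the filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdapFilter(username) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null) return new string[0];

            foreach (object dn in result.Properties["memberOf"])
            {
                string cn = GroupNameFromDn((string)dn);
                if (cn.StartsWith(_rolePrefix, StringComparison.OrdinalIgnoreCase))
                    roles.Add(cn);
            }
        }
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        foreach (string r in GetRolesForUser(username))
            if (string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    internal static string EscapeLdapFilter(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // "CN=MyAppSupervisors,OU=Groups,DC=example,DC=com" -> "MyAppSupervisors"
    internal static string GroupNameFromDn(string dn)
    {
        string rdn = dn.Split(',')[0];
        return rdn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) ? rdn.Substring(3) : rdn;
    }

    // Membership is managed in Active Directory, so the write and enumeration
    // operations are not supported by this provider.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

To use it, register it under <system.web> in place of the WindowsTokenRoleProvider block quoted earlier, for example `<roleManager enabled="true" defaultProvider="MyADRoleProvider"><providers><add name="MyADRoleProvider" type="AdGroupRoleProvider" connectionStringName="ADConnectionString" rolePrefix="MyApp"/></providers></roleManager>` (provider name and prefix are assumptions). The DirectoryEntry here binds with the worker process identity; if a fixed account is needed instead, the DirectoryEntry(path, username, password) constructor takes one, and those credentials, like the connectionUsername/connectionPassword already in the poster's membership provider entry, should not sit in web.config as plaintext: aspnet_regiis -pe encrypts the relevant configuration section in place. Because memberOf is direct memberships only, groups nested inside other groups need either a recursive lookup or the tokenGroups attribute; with the poster's layout (users placed directly in MyAppInspectors or MyAppSupervisors) the direct lookup is sufficient.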
