Last post Mar 13, 2008 03:24 PM by dsmayer
Mar 07, 2008 04:41 PM|dsmayer|LINK
I work in a large corporation which uses Active Directory to authenticate users.
I am building a website which will have pages to allow the “owners” of the web site the ability to add articles to the site. These pages need to be secured. My web server is configured for SQL 2005 and ASP.Net 2.0 (C#). I have read a lot about using Memberships and roles using the sqlMembershipProvider.
The problem with this option is that I do not want to force my users to remember another password. I would like to provide a login page, which authenticates the user with Active Directory and if their NT ID and password are correct, then I need the web page to check a table in my SQL database to determine what role this user belongs to. Finally, based on their membership (role), display menu items accordingly.
If somebody creates a shortcut to a secured page, I want to force the user into logging in before they can complete the form. Does anybody have the code to make this work or can provide a link to the information needed so that I can build this type of security?
Mar 07, 2008 05:47 PM|philipjohnson3|LINK
Is it workable for you to just turn off anonymous logon in IIS for that website, so that they log on with their username, and then you can use their WindowsIdentity.GetCurrent to find their name, and tie that to a SQL role that way? That sounds like the easiest method to me.
Mar 07, 2008 09:21 PM|dsmayer|LINK
Thank you for your suggestion. I might be wrong, so please correct me if you need to, but it seems to me that if I turn off anonymous login in IIS for the web site, that would make every user have to log into the site.
Let me go into a little more detail about the site. The target audience is about 800 sales agents. The site will contain documents and articles about industry regulations and requirements. It is on an Intranet site inside of the corporate web system.
There are only 5 people who need to add information to the site, thus they need to be able to log in. This will prevent unauthorized people inside of the corporation from adding / deleting information on the site.
This is why I want to put the admin pages in a folder called Admin. Attach a role to that folder and force anybody who attempts to open a page inside this folder to log in with their NT ID/Password. After they log in, I want to check the User ID against a table in my SQL database to get the user's role. If the user is an "administrator", then allow access to the requested web page. This is the same process that the sqlMembershipProvider does. The only difference is that I want to use the NT login/password.
This will make it easier on the user by not making them remember another password.
I have another website which needs the same feature but with more than one group. I need a "sales leader" group and an administrators group. This site contains information which is not secured and several sections which need to be secured. The concept is that when a manager goes to an agent's office, they will have a conversation about some new sales tools. If the agent is interested in using the tools, the manager will use the agent's computer (with the agent still logged on), click on a "login" link. Enter the manager's NTID and password. The page will search AD, verify the password, then search the SQL table to determine the access level of the user. If the user is in the manager table, then display the links to the secured web pages. I also want the secured pages to be able to refuse access unless the user is logged in.
I truly pray that somebody out there can give me some pointers on how to wire in the ASP:Login feature to check Active Directory, then grant access based on the roles in a SQL table.
Mar 10, 2008 10:03 AM|raghu1|LINK
Quick and dirty fix:
Turn off anonymous at the folder level: IIS will prompt for login if these pages are referenced directly.
You can also place these physical folders/directories in a different path other than the regular web site path and have these as virtual directories with anonymous off on the virtual directory. This way you add another security layer (physical directory not in the typical root).
Mar 13, 2008 10:59 AM|dsmayer|LINK
One more question on this subject. Let's say that an authorized user goes to "newMenu.aspx". She logs in, then goes to "UpdateArticle.aspx". Will she have to log in a second time?
Mar 13, 2008 11:16 AM|raghu1|LINK
No, as the user is already authenticated.
Mar 13, 2008 11:30 AM|dsmayer|LINK
I turned off anonymous at the "admin" folder level, then it would not let me or anybody in. I received a page 401.2 error, user is not authorized to view this page.
How is IIS supposed to provide a log in page?
Mar 13, 2008 12:37 PM|raghu1|LINK
401 errors are unauthorized access.
Is Integrated Windows authentication checked? This has to be checked. IIS will not provide a login page, it will prompt for login.
Mar 13, 2008 03:24 PM|dsmayer|LINK
Thanks everyone for your help. I have created a workable solution to my situation. Here is what I did.
1) I created a generic log in form (not ASP:Login)
2) I then created a routine to validate the user id/password (from the generic log in form) with active directory. If validation = false goto step 4.
3) If the log in information is correct, I then search a table in my SQL database. If the user is in the table, then grant access to the requested form.
4) If AD Validation is false or not in Admin SQL table, then deny access for web page form.
Here is the code I used:
Boolean AuthorizedUser =
Thanks again and may God bless you all! :)
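
The four steps in the last post, sketched as an added example (not the poster's code, which is cut off above). It assumes ASP.NET 2.0 forms authentication; the LDAP path, domain, connection string and the `SiteAdmins` table are hypothetical names.

```csharp
using System;
using System.Data.SqlClient;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Web.Security;

public static class AdminLogin
{
    // Hypothetical values; replace with your own domain and database.
    const string LdapPath = "LDAP://corp.example.com";
    const string Domain = "CORP";
    const string ConnStr = "Server=.;Database=SiteDb;Integrated Security=SSPI";

    // Step 2: validate the NT ID and password by binding to Active Directory.
    static bool ValidateWithAD(string user, string password)
    {
        // Reject blanks first: an LDAP bind with an empty password can
        // succeed as an unauthenticated bind.
        if (String.IsNullOrEmpty(user) || String.IsNullOrEmpty(password)) return false;
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                LdapPath, Domain + "\\" + user, password, AuthenticationTypes.Secure))
            {
                object bound = entry.NativeObject; // forces the bind; throws on bad credentials
                return bound != null;
            }
        }
        catch (COMException) { return false; } // fail closed on any directory error
    }

    // Step 3: look the user up in the hypothetical SiteAdmins(UserId) table.
    static bool IsInAdminTable(string user)
    {
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM SiteAdmins WHERE UserId = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user); // parameterized, never concatenated
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Steps 2-4 combined; call from the login form's button handler.
    public static bool TryLogin(string user, string password)
    {
        if (!ValidateWithAD(user, password) || !IsInAdminTable(user)) return false; // step 4
        FormsAuthentication.SetAuthCookie(user, false); // later pages need no second login
        return true;
    }
}
```

For a bookmarked admin page to redirect to the login form, the site needs `<authentication mode="Forms">` and a `<location path="Admin">` section that denies anonymous users (`<deny users="?" />`) in web.config. Return the same failure message whether step 2 or step 3 fails, so the form does not reveal which NT IDs are in the admin table.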