Last post Jul 26, 2011 06:13 PM by gww
Jul 22, 2011 02:00 PM|xdougiefreshx
I am trying to block normal users from being able to view/use certain files of the intranet site but still allow administrators to view/use them. Now I am not just talking about users and admin of the server that intranet site files are on but all the servers of the company. Because the site can be accessed from any computer connected to the server without the use of remote desktop, it has to be able to determine who is admin and who is not.
Any help is appreciated!
Jul 22, 2011 08:40 PM|gww
You can check membership of AD groups in your authentication code and if they belong to the administrator's group you can add them to a role that allows access to the pages.
Jul 26, 2011 01:22 PM|xdougiefreshx
How would you add them to a role and then change the restrictions on that role to allow/deny access to that page?
Jul 26, 2011 06:13 PM|gww
There are a few ways to do it. You can use the MembershipProvider
http://msdn.microsoft.com/en-us/library/ff648345.aspx of 2.0 or with the role based authentication
http://www.codeproject.com/KB/web-security/formsroleauth.aspx which is how I have done mine. There are probably better examples out there with complete code, just look for role based
I did mine as a mix of forms and windows authentication. You can provide roles by creating them in a database or check a user's group membership in AD or both. Access to folders and individual pages is controlled with the web.config files where you can allow or deny roles and users. I can probably provide samples of the code I use if you need to. Basically this is how I do it.
When a user accesses the intranet the global takes their user name and searches for them in the Active Directory and lists their group membership. So let's say you want your domain administrators to have access to a section of the website and not anyone else. You would check if that person's group membership included domain administrators and then add them to a role on the website for them. It's no different than setting up a database with groups and roles and using it. Once they are added to the website role they have access to any files that the web.config has allow roles set to administrators and denies all other users.
Using a database or AD groups is up to you. For example, if you have 200 people in an AD group for marketing there is no need to recreate that group in a database and try to keep it updated, just use the AD group. But if you want to set up a group for website administrators that has very few people it would be easy to set up in a database and no need to bother setting it up in AD.
You have two options for when to do the authentication: when an authentication request is made when a person visits a page with the web.config set with deny access, or with visits to every page. If you want people to be able to log onto the website with their user name and password for AD then you would use a login page and do authentication when they log in from that page and an authentication request is sent. This would be handled in the global.asax Application_AuthenticateRequest. If you do not want people to use their AD logins, such as where places require CaC login to their computers, then you would want to check their role membership when their session starts when they first visit the intranet. And when they visit a page they are denied access to, the redirect to the login page simply states access denied with no login form.
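
A sketch of the approach described in this thread, added as an illustration and not code from either poster: Application_AuthenticateRequest maps an AD group to a site role, and web.config restricts a folder to that role. It assumes Windows authentication with anonymous access disabled and the ASP.NET role manager turned off; the `CONTOSO` domain, the `administrators` role name and the `Admin` folder are placeholders.

```csharp
// Global.asax.cs -- added illustration, not the posters' code.
// Assumes <authentication mode="Windows" /> and anonymous access disabled in IIS.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical mapping: AD group (DOMAIN\group) -> site role used in web.config.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\Domain Admins", "administrators" } // placeholder domain
        };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Anything other than an authenticated Windows user gets no roles.
        var windowsUser = Context.User as WindowsPrincipal;
        if (windowsUser == null || !windowsUser.Identity.IsAuthenticated)
            return;

        var roles = new List<string>();
        foreach (var pair in GroupToRole)
        {
            // IsInRole checks the group against the SIDs in the user's logon token.
            if (windowsUser.IsInRole(pair.Key))
                roles.Add(pair.Value);
        }

        // Replace the principal so URL authorization sees the site roles.
        Context.User = new GenericPrincipal(windowsUser.Identity, roles.ToArray());
    }
}

/* web.config in the site root. Rules are evaluated top-down and the first
   match wins, so the allow must come before the deny:

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
*/
```

Because the role list is rebuilt from the logon token on every request, removing a user from the AD group takes effect once their token is refreshed, with no separate site database to keep in sync.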