.NET : Set Active Directory security via Web.config only

active-directorynetSecurityweb.config

Our application requires Active Directory for users to access it. Our goal is to split the business logic and the security.

Here is what I try to do but did not succeed yet :

Connect to Active Directory via web.config.
Specify groups needed for each .aspx page in the web.config file. (e.g.: index.aspx = admin, users)
Redirect the user to an error page if user's groups do not match the expected credentials.
Do all this without adding any code in my actual pages (to split business logic from security).

What do you suggest for that ? I found many examples on the web about Active Directory but they were not doing what I wanted.

Best Answer

Have you tried something like this in your web.config file.

<configuration>    
    <system.web>
        <authentication mode="Windows"/>
        <authorization>
         <allow roles="AD\My-Security-Group"/>
         <deny users="?"/>
        </authorization>
        <identity impersonate="true"/>
    </system.web>

    <location path="/ProtectedPath">
        <system.web>
          <authorization>
            <deny roles="AD\My-Security-Group"/>
            <allow roles="AD\My-Other-Security-Group"/>
          </authorization>
        </system.web>
    </location>
</configuration>

Related Solutions

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

What are the differences between LDAP and Active Directory

Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.

Best Answer

Related Solutions

C# – Validate a username and password against Active Directory

What are the differences between LDAP and Active Directory

Related Topic