Comments on: ASP.NET MVC Using Forms Authentication With LDAP http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/ Web Design, Programming, Tutorials Wed, 21 Jul 2010 19:57:50 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Chris Jackson http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-2129 Chris Jackson Mon, 07 Jun 2010 16:06:01 +0000 http://www.cmjackson.net/?p=262#comment-2129 @JeffKirby The Authorize attribute should work because the code in the global.asax is creating a new GenericPrincipal using the list of groups stored in the cookie and then passing it into the user context. The group names should match those you create in Active Directory. I have noticed that the built-in groups do not show in this list. I have had to use my own custom groups. If there are spaces in the group names, that may be the problem. Maybe the IsInRole trims the group passed into it and the Authorize atribute does not? Not sure. If you found another way that you prefer, that's great! The nice thing about programming is there's about a million ways to do something and you get to be creative in coming up with your answer. @JeffKirby
The Authorize attribute should work because the code in the global.asax is creating a new GenericPrincipal using the list of groups stored in the cookie and then passing it into the user context.

The group names should match those you create in Active Directory. I have noticed that the built-in groups do not show in this list. I have had to use my own custom groups.

If there are spaces in the group names, that may be the problem. Maybe the IsInRole trims the group passed into it and the Authorize atribute does not? Not sure.

If you found another way that you prefer, that’s great! The nice thing about programming is there’s about a million ways to do something and you get to be creative in coming up with your answer.

]]> By: JeffKirby http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-2125 JeffKirby Mon, 07 Jun 2010 01:16:52 +0000 http://www.cmjackson.net/?p=262#comment-2125 I should also mention that negates the need to mess with the user context at all. I should also mention that negates the need to mess with the user context at all.

]]> By: JeffKirby http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-2124 JeffKirby Mon, 07 Jun 2010 01:15:35 +0000 http://www.cmjackson.net/?p=262#comment-2124 @Chris The reason I mentioned the getRolesForUser is that the Authorize(Roles: ) thing doesn't work and I used it to see what was there. Maybe that was the wrong path to go down. I can make it work,by creating Roles in the role manager, and then in the global.asx method, add the user to the role like this string[] groups = authTicket.UserData.ToString().Split('|'); foreach (string group in groups) { if (Roles.RoleExists(group)) { if (!User.IsInRole(group)) { Roles.AddUserToRole(authTicket.Name, group); } } } Its quick and dirty and works fine :). Then everything works. @Chris
The reason I mentioned the getRolesForUser is that the Authorize(Roles: ) thing doesn’t work and I used it to see what was there. Maybe that was the wrong path to go down.
I can make it work,by creating Roles in the role manager, and then in the global.asx method, add the user to the role like this

string[] groups = authTicket.UserData.ToString().Split(‘|’);

foreach (string group in groups)
{
if (Roles.RoleExists(group))
{
if (!User.IsInRole(group))
{
Roles.AddUserToRole(authTicket.Name, group);
}
}
}

Its quick and dirty and works fine :) . Then everything works.

]]> By: Chris Jackson http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-2058 Chris Jackson Fri, 14 May 2010 13:01:25 +0000 http://www.cmjackson.net/?p=262#comment-2058 @JeffKirby I've not used the roles.getRolesForUser method, but instead used the following attribute for checking the role within a controller action: < Authorize(Roles:="Group1,Group2,Group3") > _ ...and used the following for checking a role within a user control: <% If (Context.User.IsInRole("Group1")) Then %> This code was setup on MVC1.0 using VS2008. I haven't tried running this on the upgraded versions, so I'm not sure if something will break by using them, but would assume that it would work. If you need to use the getRolesForUser function for some reason, you might download the MVC source code and see if you can find what exactly that function is doing. @JeffKirby
I’ve not used the roles.getRolesForUser method, but instead used the following attribute for checking the role within a controller action:

< Authorize(Roles:="Group1,Group2,Group3") > _

…and used the following for checking a role within a user control:

< % If (Context.User.IsInRole("Group1")) Then %>

This code was setup on MVC1.0 using VS2008. I haven’t tried running this on the upgraded versions, so I’m not sure if something will break by using them, but would assume that it would work.

If you need to use the getRolesForUser function for some reason, you might download the MVC source code and see if you can find what exactly that function is doing.

]]> By: JeffKirby http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1969 JeffKirby Thu, 29 Apr 2010 00:39:26 +0000 http://www.cmjackson.net/?p=262#comment-1969 Hey Chris, I've translated this to C# and it all looks to be working, right up until I try and check the roles ( roles.getRolesForUser ) or look in the debugger on the User object in a page ( in this case the LogOnUserControl ). The Roles are empty. The Global.asax method is however populating the Identity correctly according to the debugger. I have Role Manager on ( should I not? ) but thats about all I've set ( using MVC2 default kit under VS2010 ) Hey Chris,

I’ve translated this to C# and it all looks to be working, right up until I try and check the roles ( roles.getRolesForUser ) or look in the debugger on the User object in a page ( in this case the LogOnUserControl ). The Roles are empty. The Global.asax method is however populating the Identity correctly according to the debugger. I have Role Manager on ( should I not? ) but thats about all I’ve set ( using MVC2 default kit under VS2010 )

]]> By: Chris Jackson http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1734 Chris Jackson Sat, 20 Mar 2010 22:38:26 +0000 http://www.cmjackson.net/?p=262#comment-1734 If you want to have users auto login, you can use Windows authentication instead of Forms authentication. In the web config, use <authentication mode="Windows">. This will set the authenticated user to the user logged into the client computer. This works well for sites such as a company intranet. If the user cannot be authenticated, then a login box will ask them for a user/password. If you want to use both authentication methods at the same time, I'm not sure that is possible. If you want to have users auto login, you can use Windows authentication instead of Forms authentication. In the web config, use . This will set the authenticated user to the user logged into the client computer. This works well for sites such as a company intranet. If the user cannot be authenticated, then a login box will ask them for a user/password.

If you want to use both authentication methods at the same time, I’m not sure that is possible.

]]> By: Gonzalo http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1721 Gonzalo Wed, 17 Mar 2010 16:12:50 +0000 http://www.cmjackson.net/?p=262#comment-1721 Thanks for this article! It's really helpfull. Maybe you can help me with this: I'm using your code in a project, I will have users accesing from outside the domain and others from PCs within the domain. For the PCs in the domain, I want to skip the login process and get the current user to automatically log him in. How can I do this? Thanks for this article! It’s really helpfull.
Maybe you can help me with this: I’m using your code in a project, I will have users accesing from outside the domain and others from PCs within the domain.
For the PCs in the domain, I want to skip the login process and get the current user to automatically log him in. How can I do this?

]]> By: Chris Jackson http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1222 Chris Jackson Tue, 22 Dec 2009 22:48:33 +0000 http://www.cmjackson.net/?p=262#comment-1222 You could add the flag properties to your user object, then during the Authenticate method of the userRepository, check for the expired password and create a user object with the appropriate flags. In the account controller, you'd have to modify the if block after the user is authenticated... You would want to check if the user = nothing, redirect to signon screen with errors; user exists but flags are set, redirect to password change screen; otherwise user is valid and redirect to desired URL. I'm not sure on the specifics for checking LDAP for expired passwords. I'm sure you can find many resources about it on google. You could add the flag properties to your user object, then during the Authenticate method of the userRepository, check for the expired password and create a user object with the appropriate flags. In the account controller, you’d have to modify the if block after the user is authenticated… You would want to check if the user = nothing, redirect to signon screen with errors; user exists but flags are set, redirect to password change screen; otherwise user is valid and redirect to desired URL. I’m not sure on the specifics for checking LDAP for expired passwords. I’m sure you can find many resources about it on google.

]]> By: Vince http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1160 Vince Mon, 14 Dec 2009 20:37:50 +0000 http://www.cmjackson.net/?p=262#comment-1160 Is there a way to add useraccountcontrl flags? For example how would I be able to redirect users who have the password expired to another link where they can reset the password. Is there a way to add useraccountcontrl flags? For example how would I be able to redirect users who have the password expired to another link where they can reset the password.

]]> By: Chris Jackson http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/comment-page-1/#comment-1159 Chris Jackson Mon, 14 Dec 2009 13:36:04 +0000 http://www.cmjackson.net/?p=262#comment-1159 The FormsAuthentication class writes a cookie with the user's name and list of groups. The code in the Global.asax file then loads the data from that cookie into the session's current user for each request. Then, if you want to use the Data.User object, you can do a lookup using the LDAP class on the user's name read in from the cookie (which is now in the session's current user). There may be other ways to do this, but this was one way I found that worked with the <Authorize> attributes and Active Directory groups. The FormsAuthentication class writes a cookie with the user’s name and list of groups. The code in the Global.asax file then loads the data from that cookie into the session’s current user for each request.

Then, if you want to use the Data.User object, you can do a lookup using the LDAP class on the user’s name read in from the cookie (which is now in the session’s current user).

There may be other ways to do this, but this was one way I found that worked with the attributes and Active Directory groups.

]]>