I have been able to create a working ASP.NET web form authentication with Active Directory following this tutorial.

I have two questions (one of them might be specific to my need):

  1. I put in my own username and password in the membership element in web.config for ConnectionUsername and ConnectionPassword. It seems strange to me that while I am authenticating all users in the domain I need to put my own username and password in the web.config. I would imagine that the username and password from the login form should be used for this, unless I understand this incorrectly. Whose username and password do we usually put in the web.config in membership element?

  2. Out of hundreds of users in the domain, I need to give access to several users (let's say 20 of them) to several pages. I read about Active Directory access control but I don't want to go down that path. Is it common and sensible to have a table in the database with a list of usernames that have access to those special pages, check whether a logged-in user is in that table, and authorize if so?

Thank you for your input.

  • It would probably be easier to authenticate by role in this instance, but it really depends on your use case. If you want absolute granularity over access permissions then having a user table would make sense too. Commented May 6, 2014 at 3:51
  • Thanks for your prompt comment @ElGavilan. I am thinking of having a special table because I doubt that AD has a role that is owned only by the set of users I want to authorize. And I want to avoid having to create a special role in AD to accommodate this. But thanks for confirming that creating a user table makes sense. Commented May 6, 2014 at 3:58

1 Answer

Regarding #1:

Typically you would create a user for the database that is recognized as the "application" and specify those credentials. The "application" is acting on behalf of the users.

Or to restrict access at the database level, you would not specify credentials in the connection string and use the "impersonate=true;" option in the connection string instead.

Regarding #2:

You can restrict access to specific users in the web.config via the allow and deny nodes, for instance:

<system.web>
  <authorization>
    <allow users="MyCompanyDomain\John.Deere,MyCompanyDomain\Jane.Doore"/>
    <deny users="*"/>
  </authorization>
</system.web>

This only allows two users in and denies all others. You can also specify Active Directory groups as well.

Read more here: http://msdn.microsoft.com/en-us/library/acsd09b0(v=vs.85).aspx
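To show how the two halves of this answer fit together in one file, here is an added example web.config (not from the answer or the question) that uses a dedicated service account for the membership provider (#1) and restricts one folder of pages to a short list of accounts (#2). Every concrete value is a placeholder: the `corp.example` domain and its LDAP path, the `CORP\svc-webapp` service account, the `Reports` folder, and the user names.

```xml
<?xml version="1.0"?>
<!-- Added example configuration, not part of the original post.
     Placeholders: corp.example, dc01, CORP\svc-webapp, the Reports folder and the user names. -->
<configuration>
  <connectionStrings>
    <!-- Directory the membership provider binds to when validating logins (placeholder path) -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.corp.example/DC=corp,DC=example" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication backed by the Active Directory membership provider.
         requireSSL keeps the forms ticket cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms name=".ADAuth" loginUrl="Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <clear />
        <!-- connectionUsername/connectionPassword are the application's own service
             account (the answer's #1), not any end user's credentials. They let the
             provider bind to the directory; each user's password is still checked
             against AD when that user logs in. -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="CORP\svc-webapp"
             connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    <!-- Site-wide rule: anonymous users ("?") are sent to the login page;
         any authenticated domain user may see the ordinary pages. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The restricted pages (the answer's #2): only the listed accounts get in,
       everyone else, authenticated or not, is denied. Rules are evaluated in order
       and the first match wins, so the deny-all line must come last. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow users="CORP\John.Deere,CORP\Jane.Doore" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking in a real deployment. First, the service account's password sits in clear text in web.config, so encrypt that section on the server with `aspnet_regiis.exe -pe "system.web/membership" -app "/YourApp"` and give the service account read-only directory rights. Second, `<allow roles="...">` only matches Active Directory groups when a role provider supplies group membership (with Windows authentication the WindowsTokenRoleProvider does this automatically); with Forms authentication and the AD membership provider alone, roles are not populated, which is why this example lists users rather than a group.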


Comments

Thanks @Domin8urMind, exactly the info that I am after. I tried #1 but I have not been successful. Could you please let me know where to put the impersonate=true? My connection string is the same as the one here except it uses my own LDAP.
I got it. I needed to put this as well for the impersonation to work: <validation validateIntegratedModeConfiguration="false"/>
