I would like to ask if anybody could provide an example of web.config for the following situation:
I have a web (ASP.NET) with form authentication (login controls), which I would like to have connected to our corporate Active Directory. In AD, we have defined users as well as groups. Authentication for the users (allow users...) works like a charm, however, when I want to add role authentication (allow roles...) it doesn't work. I've tried to enable role manager but don't know exactly how to set up the provider to communicate with the AD.
Furthermore, I would like to have all the settings only in web.config, not to do group authentication in the code (I know it's possible but I would prefer config solution only).
Although I went through several tutorials on the web, most of the role authentication was oriented on using a local SQL Server or Windows authorization, but not AD.
The idea is to write a custom role provider which reads groups from the AD and exposes them as user roles:
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
If that site is on your intranet then you don't need to use login controls or the roles provider. AD is already a provider out of the box. Your web.config file needs to have

    <authentication mode="Windows"/>
    <authorization>
        <!--<allow roles="AD_GROUP" />-->
        <!--<allow users="USERS"/>-->
        <deny users="?"/> <!-- Important if you want to force authentication-->
    </authorization>

Then somewhere in your code you can check to see whether the user is in a role like this:

    HttpContext.Current.User.IsInRole("AD_GROUP_NAME")