I am using Active Directory to authenticate users for an intranet site. I would like to refine the users that are authenticated based on the group they are in in Active Directory. Can someone show me or point me to directions on how to find what groups a user is in in ASP.NET 4.0 (VB)?
I realize this post is quite old but I thought I might update it with processes I am using. (ASP.Net 4.0, VB)
If using integrated Windows security, on a domain:
Page.User.IsInRole("domain\GroupName")
will check to see if the authenticated user is a member of the specified group.
If you would like to check another user's group membership, other than the authenticated user:
Two stage for checking multiple groups with the same user principal:
Dim MyPrincipal As New System.Security.Principal.WindowsPrincipal _
(New System.Security.Principal.WindowsIdentity("UserID"))
Dim blnValid1 As Boolean = MyPrincipal.IsInRole("domain\GroupName")
Single stage for checking a single group:
Dim blnValid2 As Boolean = New System.Security.Principal.WindowsPrincipal _
(New System.Security.Principal.WindowsIdentity("userID")).IsInRole("domain\GroupName")
NOTE: The IsInRole method does work with nested groups, for example if you have a top-level group with a sub group that is a member, and the user is a member of the sub group.
I think I have the ultimate function to get all AD groups of a user, including nested groups, without explicit recursion:
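Imports System.Collections.Generic
Imports System.Security.Principal

Private Function GetGroups(userName As String) As List(Of String)
    Dim result As New List(Of String)
    ' WindowsIdentity(String) expects the user's UPN; the token it builds
    ' already contains the SIDs of nested groups, so no recursion is needed.
    Using wi As New WindowsIdentity(userName)
        For Each group As IdentityReference In wi.Groups
            Try
                ' Translate the group SID to a DOMAIN\Name account string.
                result.Add(group.Translate(GetType(NTAccount)).ToString())
            Catch ex As Exception
                ' SIDs that cannot be translated are skipped.
            End Try
        Next
    End Using
    result.Sort()
    Return result
End Function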
So just use GetGroups("userID"). Because this approach uses the SID of the user, no explicit LDAP call is done. If you use your own user name it will use the cached credentials and so this function is very fast.
The Try Catch is necessary because in large companies the AD is so big that some SIDs are getting lost in space.
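Added example (not part of either answer above, and not the posters' code): one way to turn the token's group list into a deny-by-default access check for the intranet site, recording SIDs that cannot be translated instead of silently discarding them. The module name, the CONTOSO group names and the trace message are assumptions made for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.Security.Principal

' Hypothetical helper module (for example in App_Code); not from the original posts.
Public Module GroupAuthorization
    ' Constructed allow-list: replace with the AD groups permitted to use the site.
    Private ReadOnly AllowedGroups As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {
        "CONTOSO\Intranet-Users", "CONTOSO\Intranet-Admins"}

    ' Translates every group SID in the token (nested groups included) to DOMAIN\Name.
    ' SIDs with no name mapping are collected in 'unresolved' rather than dropped.
    Public Function ResolveGroups(identity As WindowsIdentity,
                                  unresolved As List(Of String)) As HashSet(Of String)
        Dim names As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
        If identity.Groups Is Nothing Then Return names
        For Each sid As IdentityReference In identity.Groups
            Try
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                unresolved.Add(sid.Value)
            End Try
        Next
        Return names
    End Function

    ' Deny by default: only an authenticated Windows identity holding at least one
    ' allow-listed group passes. Any other translation error propagates and fails the request.
    Public Function IsAuthorized(identity As WindowsIdentity) As Boolean
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then Return False
        Dim unresolved As New List(Of String)
        Dim groups As HashSet(Of String) = ResolveGroups(identity, unresolved)
        For Each sid As String In unresolved
            Trace.TraceWarning("Unresolved group SID {0} for {1}", sid, identity.Name)
        Next
        Return groups.Overlaps(AllowedGroups)
    End Function
End Module

' Usage in a page's Page_Load, with integrated Windows authentication:
'   If Not GroupAuthorization.IsAuthorized(TryCast(User.Identity, WindowsIdentity)) Then
'       Response.StatusCode = 403
'       Response.End()
'   End If
```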