Find If User is Member of Active Directory Group ASP.NET VB?

I am using Active Directory to authenticate users for an intranet site. I would like to refine the users that are authenticated based on the group they are in within Active Directory. Can someone show me or point me to directions on how to find what groups a user is in, in ASP.NET 4.0 (VB)?

Dave Mackey asked Jul 06 '10 23:07


2 Answers

I realize this post is quite old but I thought I might update it with processes I am using. (ASP.Net 4.0, VB)

If using integrated Windows security on a domain:

Page.User.IsInRole("domain\GroupName") will check to see if the authenticated user is a member of the specified group.

If you would like to check another user's group membership rather than the authenticated user's:

Two stages, for checking multiple groups with the same user principal:

Dim MyPrincipal As New System.Security.Principal.WindowsPrincipal _
     (New System.Security.Principal.WindowsIdentity("UserID"))
Dim blnValid1 As Boolean = MyPrincipal.IsInRole("domain\GroupName")

Single stage, for checking a single group:

Dim blnValid2 As Boolean = New System.Security.Principal.WindowsPrincipal _
     (New System.Security.Principal.WindowsIdentity("userID")).IsInRole("domain\GroupName")

NOTE: The IsInRole method does work with nested groups, i.e. if you have a top-level group with a sub-group as a member, and the user is a member of the sub-group.

Jim M answered Sep 27 '22 15:09
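An added example (not code from Jim M's answer or from any project) showing the Page.User.IsInRole check above used as a deny-by-default authorization gate in a page's Page_Load. It assumes the site runs with integrated Windows authentication so that Page.User is a WindowsPrincipal; the domain "CORP", the group names and the class name ReportsPage are placeholders.

```vb
' Added example: deny-by-default page authorization with Page.User.IsInRole.
' Assumes Windows authentication; "CORP\..." group names are placeholders.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.UI

Public Class ReportsPage
    Inherits Page

    ' Allow-list of groups permitted to view this page (placeholder names).
    Private Shared ReadOnly AllowedGroups As String() = {
        "CORP\Intranet-Reports-Readers",
        "CORP\Intranet-Admins"
    }

    ' Returns True only if the principal is authenticated and belongs to at
    ' least one allow-listed group. Anything else (Nothing, anonymous,
    ' no matching group) is treated as denied.
    Public Shared Function IsAuthorized(user As IPrincipal) As Boolean
        If user Is Nothing OrElse user.Identity Is Nothing Then Return False
        If Not user.Identity.IsAuthenticated Then Return False

        For Each groupName As String In AllowedGroups
            ' On a WindowsPrincipal, IsInRole is evaluated against the groups
            ' in the logon token, so nested membership is honoured.
            If user.IsInRole(groupName) Then Return True
        Next
        Return False
    End Function

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not IsAuthorized(Page.User) Then
            ' Refuse before any protected content is rendered.
            Response.StatusCode = 403
            Response.End()
        End If
    End Sub
End Class
```

Keeping the check in a single Shared function means the same allow-list can be reused by other pages and unit-tested with a hand-built WindowsPrincipal; the page itself only decides what to do on denial.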


I think I have the ultimate function to get all AD groups of a user, including nested groups, without explicit recursion:

Imports System.Collections.Generic
Imports System.Security.Principal

' Returns the DOMAIN\Name of every group in the user's logon token
' (nested groups included), sorted alphabetically.
Private Function GetGroups(userName As String) As List(Of String)
    Dim result As New List(Of String)
    Dim wi As WindowsIdentity = New WindowsIdentity(userName)

    For Each group As IdentityReference In wi.Groups
        Try
            ' Translate the group SID to a DOMAIN\Name string.
            result.Add(group.Translate(GetType(NTAccount)).ToString())
        Catch ex As Exception
            ' SID could not be mapped to an account; skip it (see note below).
        End Try
    Next

    result.Sort()
    Return result
End Function

So just use GetGroups("userID"). Because this approach uses the SID of the user, no explicit LDAP call is made. If you use your own user name it will use the cached credentials, so this function is very fast.

The Try/Catch is necessary because in large companies the AD is so big that some SIDs get lost in space.

Mickey Mouse answered Sep 27 '22 15:09
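An added example (not code from Mickey Mouse's answer or from any project) that builds on the same token-group approach but goes a step further: it catches only the exception Translate throws for an unmappable SID, keeps those SIDs in a separate list so orphaned SIDs are visible for auditing instead of silently dropped, and adds a membership test that compares group SIDs directly, so no name translation is needed at all. The UPN "user@corp.example", the group SID and the names GroupReport, TokenGroups, GetGroupReport and IsMemberOfSid are assumptions made for this example.

```vb
' Added example: token-group enumeration that reports unresolved SIDs, plus a
' SID-based membership check. The UPN and group SID below are placeholders.
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

Public Class GroupReport
    ' Group names that resolved to DOMAIN\Name.
    Public ReadOnly Resolved As New List(Of String)
    ' Raw SIDs that no longer map to an account (orphaned SIDs worth auditing).
    Public ReadOnly Unresolved As New List(Of String)
End Class

Public Module TokenGroups

    ' Builds a GroupReport from the user's logon token. Only the exception
    ' Translate throws for an unmappable SID is caught; anything else (for
    ' example the domain controller being unreachable) propagates to the caller.
    Public Function GetGroupReport(userName As String) As GroupReport
        Dim report As New GroupReport()
        Dim wi As New WindowsIdentity(userName)

        If wi.Groups IsNot Nothing Then
            For Each group As IdentityReference In wi.Groups
                Try
                    report.Resolved.Add(group.Translate(GetType(NTAccount)).Value)
                Catch ex As IdentityNotMappedException
                    ' Keep the SID text so it can be reported rather than hidden.
                    report.Unresolved.Add(group.Value)
                End Try
            Next
        End If

        report.Resolved.Sort()
        report.Unresolved.Sort()
        Return report
    End Function

    ' Membership test by SID: compares against the token groups directly, so a
    ' renamed group still matches and no name translation is required.
    Public Function IsMemberOfSid(userName As String, groupSid As String) As Boolean
        Dim target As New SecurityIdentifier(groupSid)
        Dim wi As New WindowsIdentity(userName)
        If wi.Groups Is Nothing Then Return False
        Return wi.Groups.Contains(target)
    End Function

    Sub Main()
        ' Placeholder UPN and group SID; substitute real values when running.
        Dim report As GroupReport = GetGroupReport("user@corp.example")
        For Each name As String In report.Resolved
            Console.WriteLine("member of: " & name)
        Next
        For Each sid As String In report.Unresolved
            Console.WriteLine("unresolved SID: " & sid)
        Next
        Console.WriteLine(IsMemberOfSid("user@corp.example", "S-1-5-21-0-0-0-1234"))
    End Sub
End Module
```

Checking by SID is also the safer choice for an authorization decision: a group name can be reused after a deletion, whereas a SID is never reassigned, and a non-empty Unresolved list is a useful signal that stale group references remain in the directory.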