MarimerLLC / cslaforum

Discussion forum for CSLA .NET
https://cslanet.com

Windows authentication questions #370

Open Chicagoan2016 opened 7 years ago

Chicagoan2016 commented 7 years ago

I have a couple of very simple internal applications that will use Windows authentication; one is Windows Forms and the other ASP.NET forms (yes : )). We are going to check for specific AD roles when a user tries to access these applications. 1) Where should I check for AD roles? Which event will be better in WinForms and ASP.NET forms? Also, in ASP.NET forms I want to redirect them to a page about why they don't have access and who to contact.

2) It seems to me I have to implement a UserInfo class (as in the sample code) because I need to implement a couple of extra properties, and a CustomIdentity that is inherited from WindowsIdentity won't let me create any. Am I correct?

Kind regards

rockfordlhotka commented 7 years ago

You do need to create a custom identity that contains a copy of the windows identity roles/groups, yes - or you need to ensure that you have Windows impersonation set up so users log into the web site and the Windows Forms app using their AD credentials. One way or the other.

Either way, the ProjectTracker sample demonstrates how you can use the Csla.ApplicationContext.User to enforce authz rules in the object model and therefore in the Windows Forms UI.

You'll have to look back at some older versions to find a Web Forms implementation (or the C# 2008 Business Objects book), but the Csla.Web assembly includes helpers to take the rules from the business layer and render them into a Web Forms UI.

Chicagoan2016 commented 7 years ago

Thank you Rocky, I need to access the Roles property implemented in the WindowsIdentity base class, and since it's protected I can't access it through my CustomIdentity derived from WindowsIdentity. Any suggestions please : )

Regards

Chicagoan2016 commented 7 years ago

I also found out that if I try to add a managed read-only property to CustomIdentity (inherited from Csla.Silverlight.Security.WindowsIdentity), I get a compile-time error. Is there a certain way to declare properties in cases like these?

Thanks and regards

Chicagoan2016 commented 7 years ago

Could anyone please reply : )

Thanks

tonydrake commented 7 years ago

Can you give us examples of code and what the compile error is?

rockfordlhotka commented 7 years ago

Busy weekend followed by a day of travel...

That WindowsIdentity class isn't generic; it isn't designed as a base class. You can subclass it if you'd like, but you'll have to use the RegisterProperty overloads that work without using generic type information.

Or you can copy the code into your own class and enhance that code to your own ends.

Chicagoan2016 commented 7 years ago

Thank you Rocky, I appreciate your time and help, I will create my own Identity class and inherit it from CslaIdentityBase.

Kind regards

Chicagoan2016 commented 7 years ago

I created a custom Identity class inheriting from CslaIdentityBase, copied the code from WindowsIdentity and pasted it inside CustomIdentity.cs. I am getting the error "Some or all identity references could not be translated." Exception Details: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

The error is occurring at the line System.Security.Principal.NTAccount account = (System.Security.Principal.NTAccount)item.Translate(typeof(System.Security.Principal.NTAccount));

inside the 'PopulateWindowsIdentity' method.

Any ideas where am I making mistake?

Regards
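For context on the exception above: IdentityNotMappedException is what .NET raises when a SID in the token's group list cannot be resolved to an account name, typically a group that was deleted after the user logged on, or one from a trusted domain the server cannot reach at that moment. As an added example (my own code, not CSLA's and not this project's), here is a role loader that copies a WindowsIdentity's groups into role-name strings while tolerating such entries instead of failing the whole login; the class and method names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not part of the original thread or of CSLA.
// Turns the group SIDs carried in a Windows token into "DOMAIN\Group" role
// names. A SID that cannot be mapped (orphaned group, unreachable trusted
// domain) is either kept as its raw "S-1-5-21-..." string or skipped, instead
// of aborting the whole identity load with IdentityNotMappedException.
public static class WindowsRoleLoader
{
    public static IList<string> LoadRoles(WindowsIdentity identity, bool keepUnresolvedSids)
    {
        if (identity == null) throw new ArgumentNullException(nameof(identity));

        var roles = new List<string>();
        if (identity.Groups == null) return roles;   // null for an anonymous token

        foreach (IdentityReference group in identity.Groups)
        {
            try
            {
                // This is the call that throws when the SID has no name to map to.
                var account = (NTAccount)group.Translate(typeof(NTAccount));
                roles.Add(account.Value);
            }
            catch (IdentityNotMappedException)
            {
                // Decide per policy: a rule can still be written against the SID
                // string, and keeping it preserves the information in the token.
                if (keepUnresolvedSids) roles.Add(group.Value);
            }
        }
        return roles;
    }

    // Example entry point for an ASP.NET request: the Windows authentication
    // module has already placed the caller's WindowsIdentity in HttpContext.User.
    public static IList<string> LoadRolesForCurrentRequest(System.Web.HttpContext context)
    {
        var identity = context.User != null ? context.User.Identity as WindowsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
            return new List<string>();   // not a Windows-authenticated caller
        return LoadRoles(identity, keepUnresolvedSids: true);
    }
}
```

An alternative to the per-item try/catch is the bulk overload identity.Groups.Translate(typeof(NTAccount), false): with forceSuccess set to false it returns a collection in which entries that could not be mapped are left as SecurityIdentifier objects, so a type check on each result replaces the exception handling and avoids one lookup per group.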

Chicagoan2016 commented 7 years ago

This is an ASP.NET Web Forms application and only Windows authentication is enabled in IIS.

thanks

Chicagoan2016 commented 7 years ago

I commented out the call to 'PopulateWindowsIdentity' in DataPortal_Fetch() and now, when I try to cast Csla.ApplicationContext.User.Identity to MyCustomIdentity (I need to access an extra property that I added to MyCustomIdentity), I am getting the following error.

Unable to cast object of type 'System.Security.Principal.WindowsIdentity' to type 'MyProject.BusinessLayer.Security.MyCustomIdentity'. System.InvalidCastException

Chicagoan2016 commented 7 years ago

I got it working to a certain extent, but I am checking for the user's WindowsIdentity (user domain name) in Application_AcquireRequestState in global.asax and it's returning the app pool ID, although I have set up the website to use Windows authentication only. I tried numerous events in global.asax but to no avail. Which event in global.asax should I use to get the user's domain name?

Thanks

rockfordlhotka commented 7 years ago

This whole thing relies on the user authenticating with the web server using their Windows credentials, and then having the web server impersonate the user; that way your code on the server is running under the user's identity.

You don't need any event then, because IIS/ASP.NET already authenticated the user before they even get access to any of your code - and that is what allows you to just use the current WindowsIdentity object for the thread.

Chicagoan2016 commented 7 years ago

Thank you Rocky, I put the code in the SessionStart event in global.asax and it's working (at least for now : )). I had to check for specific AD roles for this application, and if the user wasn't in those roles then redirect to a notauthorized page with contact info for the Admin. I implemented a few lines of code from System.DirectoryServices.AccountManagement in CustomIdentity and it's working (for the time being : ))

kind regards
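As an added example (my own code, not CSLA's and not this project's) tying together the two points in the exchange above: the authenticated Windows user is read from HttpContext.User, which the Windows authentication module populates during AuthenticateRequest, whereas WindowsIdentity.GetCurrent() is the worker-process token unless impersonation is configured, which is why the thread identity shows the app pool account. The AD group check is then done against the groups already in the token with WindowsPrincipal.IsInRole, so it needs no directory query, and hooking it into PostAuthenticateRequest makes it run on every request rather than only at session start. The group names and the NotAuthorized.aspx page are placeholders; it assumes IIS has Windows authentication enabled and anonymous authentication disabled.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example, not part of the original thread or of CSLA.
// Enforces "must be in one of these AD groups" for an ASP.NET Web Forms site
// that uses IIS Windows authentication, and sends everyone else to a page
// explaining who to contact.
public static class AccessGate
{
    // Hypothetical group names; replace with the real AD groups.
    static readonly string[] AllowedGroups = { @"CORP\App-Users", @"CORP\App-Admins" };

    // Hypothetical page; must not itself require membership, or we loop.
    const string NotAuthorizedPage = "~/NotAuthorized.aspx";

    public static void Enforce(HttpContext context)
    {
        // HttpContext.User is the caller; WindowsIdentity.GetCurrent() would be
        // the app pool identity unless <identity impersonate="true"/> is set.
        var identity = context.User != null ? context.User.Identity as WindowsIdentity : null;

        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            // No Windows token: anonymous authentication is still on in IIS, or
            // a non-Windows identity reached us. Fail closed rather than fall
            // through to the app pool account.
            context.Response.StatusCode = 401;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // IsInRole resolves the name to a SID and checks the token's group list;
        // no LDAP round trip. IsInRole(SecurityIdentifier) is an option if the
        // groups might be renamed.
        var principal = new WindowsPrincipal(identity);
        bool allowed = false;
        foreach (var group in AllowedGroups)
        {
            if (principal.IsInRole(group)) { allowed = true; break; }
        }

        if (!allowed && !IsNotAuthorizedPage(context))
        {
            // Redirect without Response.End() to avoid ThreadAbortException.
            context.Response.Redirect(NotAuthorizedPage, false);
            context.ApplicationInstance.CompleteRequest();
        }
    }

    static bool IsNotAuthorizedPage(HttpContext context)
    {
        return string.Equals(context.Request.AppRelativeCurrentExecutionFilePath,
                             NotAuthorizedPage, StringComparison.OrdinalIgnoreCase);
    }
}

// Global.asax code-behind: runs after the Windows authentication module has
// set HttpContext.User, and before the page handler executes.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        AccessGate.Enforce(Context);
    }
}
```

The denied page can read identity.Name (DOMAIN\user) from HttpContext.User to show who was rejected and which groups are required; keeping the check on the token's groups rather than querying AD per request also means a user whose membership changes only picks it up after a new logon, which is the normal Windows semantics.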

Chicagoan2016 commented 7 years ago

My requirement is to load AD roles for a domain user, and if the user is not in certain AD roles then he is not 'authenticated'. I am probably overthinking this and there is an easy way to accomplish this : )

ghost commented 7 years ago

Don't sell yourself short @Chicagoan2016. Authentication/Authorization is not a trivial thing. For the ASP.NET side of things I have, in the past, used ADFS 2.0 with CSLA to authenticate users. They get a "non-standard" login screen similar to the Microsoft ones you get for Azure portal, etc. Once logged in, claims take over. I don't have any reference code at the moment since it is on my work computer but if you're interested, here's a good starting point: Use the On-Premises Organizational Authentication Option (ADFS) With ASP.NET in Visual Studio 2013

Chicagoan2016 commented 7 years ago

Thank you @fujiiface, I guess my problem was I couldn't get it to work so that it would call WindowsIdentity's populateIdentity method as implemented in CSLA. I know that the WindowsIdentity class will always return AuthenticationType as 'Windows'; however, in my code it wasn't the case. Has anyone been able to use WindowsIdentity.cs in an ASP.NET Web Forms app successfully?

Regards