I don't mean to rant, but if I see another 'username | password' prompt i think i'm going to choke. This post is about doing whatever you can to make this world have one less system that needs a logon prompt...
This describes how to secure your Asp.Net application if you're inside an Active Directory environment, and you want to use the integrated sign on, so your users don't have to remember yet another login/password.
How to limit access to your application
This explains how to limit access to your application to members of a certain role/group.
First you need to change your web.config so that it uses windows authentication, and make it only allow members of a specific Active Directory group. Here is the cut down web.config, showing the changes to the system.web section:
<authentication mode="Windows" />
<allow roles="MYDOMAIN\MyAppUsers" />
<deny users="*" />
Then you want to make a landing page for users who aren't allowed to log in. This is just a plain HTML page, you can call it 'noaccess.htm'.
Now you want to make it send disallowed people to this 'noaccess.htm'.
Open or create the Global.asax page, and change/add this function:
How to figure out who is logged in
// This redirects people without access to the noaccess.htm page
protected void Application_EndRequest(Object sender, EventArgs e)
HttpContext context = HttpContext.Current;
if (context.Response.Status.Substring(0, 3).Equals("401"))
Quite simple this one - it is stored in this variable, accessible from your aspx.cs code-behind classes (Update - FIXED):
Say you've got a literal control on your webform, and you want to show the currently logged on user, you could do this:
How to give different permissions to different users
literalLoggedOnUser.Text = HttpContext.Current.Request.ServerVariables["AUTH_USER"];
Say you want to give some people more access than others, you'll want to create another AD group for these users: "MYDOMAIN\MyAppAdmins".
Open up your web.config and add the appSettings section like so:
<add key="AdminGroup" value="MYDOMAIN\MyAppAdmins"/>
The reason for adding the name of the admin group in the web.config is so that if you have different AD groups for the development vs production environments, it'll be a simple matter of only changing the web.config. The principle adhered to here is that the only difference between development and production should be the web.config file.
Then you'll use this piece of code to check if the current user is in that group:
string group = ConfigurationManager.AppSettings["AdminGroup"];
// this user is an administrator
// this user is a common pleb
Hint: You're most likely to place code like that in the Page_Load function for the admin pages.
This is for C# ASP.Net 2. Some things may be different with VB.Net or .Net 1.1
Redirect to noaccess.htm: http://www.codeproject.com/aspnet/Custon401Page.asp