Using Forms Authentication with Membership Providers in ASP.NET 2.0
page 3 of 6
by Sudeep G

Part 2: Using AuthorizationManager (Azman) with Active Directory Membership Provider

Authorization Manager (AzMan) can be used with ASP.NET both to manage the roles of an application and to check role membership. AzMan can also define tasks and operations in the AzMan policy store, but I will be focusing on role membership for ASP.NET applications.

Managing role membership is especially useful with AzMan because the administrator can easily add users to roles, including mapping Windows accounts to roles defined in AzMan. This makes it a good fit for ADAM and the ActiveDirectoryMembershipProvider. AzMan can store its policy in ADAM or in an XML-based policy store file that can be deployed along with the application. In the scenario below, I am going to use an XML-based policy store inside the well-known ASP.NET folder App_Data.

AzMan is installed with Windows Server 2003 SP1 and later. For Windows XP clients, you need to install the Windows Server 2003 Administration Tools Pack, which you can download from the Windows Server 2003 Service Pack 1 Administration Tools Pack download page.

The first step to using AzMan is creating a policy store file. To do that, you need to run AzMan in “Developer Mode.” This allows creation of policy files and applications. In “Administrator Mode,” a system administrator can connect to the policy store and make the required changes.

Step 1: Create Policy Store File, Roles and assign the users

1. Click Start, Run and type in AzMan.msc.

2. Right click on Authorization Manager and select Options, then select Developer Mode. Click OK.

3. Right click on Authorization Manager and select New Authorization Store...

4. Select XML File, then provide the path and name for the file in the Store name box, e.g. D:\<YourApplicationFolder>\App_Data\Roles.xml.

5. Right click on Roles.xml, select New Application..., and then provide a name for the application.

6. Expand the Definitions folder, right click on Role Definitions and select New Role Definition...

7. Provide a name for the role, e.g. Managers, and click OK.

8. Right click on Role Assignments and select New Role Assignment...

9. Check the box against Managers and click OK. The role should now be listed under the Role Assignments node.

10. Right click on Managers, select Assign Users and Groups, then From Windows and Active Directory...

11. Select the users that you want to be part of this role and click OK.

Step 2: Provide access permissions for the process account on the policy store

Open the folder that contains the policy file and add the worker process account to the ACL on Roles.xml. By default this is NETWORK SERVICE on Windows Server 2003 and the local ASPNET account on Windows XP; if you changed the IIS application pool identity to a service account, use that account instead.

Step 3: Configure the Role Provider and enable the application to use Roles

Internet Information Services 6.0

Step 1: Configure the connection string for the local policy store

Open your application’s web.config and add the following under the <configuration> element. The msxml:// prefix tells AzMan that the store is an XML file; ASP.NET refuses direct requests for files in App_Data, so the policy store cannot be downloaded from there.

Listing 5

<connectionStrings>
  <add name="LocalPolicyStore"
       connectionString="msxml://D:\MyWebApp\App_Data\Roles.xml" />
</connectionStrings>

Step 2: Enable Role Manager and configure the role provider

Add the following under the <system.web> element. The provider name is what defaultProvider refers to, and connectionStringName must match the name given in Listing 5.

Listing 6

<roleManager defaultProvider="FormsAuthRoles" enabled="true">
  <providers>
    <add name="FormsAuthRoles" applicationName="FormsWithADAuth"
         connectionStringName="LocalPolicyStore"
         type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web,
               Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <!-- Version=2.0.0.0 is the System.Web assembly version for ASP.NET 2.0; the original listing left it blank. -->
  </providers>
</roleManager>

Step 3: Configure Role based access for secured content

Create a folder under your application folder called “Secured” and copy the ManagementHome.aspx file into this folder. Then add a <location path="Secured"></location> element inside <configuration> (as a sibling of <system.web>, just before the closing </configuration> tag) and add the access rules inside it. ASP.NET applies the first matching rule, so the allow for Managers must come before the deny for everyone else. It should look like this:

Listing 7

<location path="Secured">
  <system.web>
    <authorization>
      <allow roles="Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

Internet Information Services 7.0

1. Open Internet Information Services Manager: click Start, Run, type “Inetmgr” without quotes and press ENTER.

2. Expand the <ComputerName> node and then expand the “Sites” node.

3. Locate your website/virtual folder and click on it.

4. Double click on the Connection Strings icon.

5. In the Actions Pane, click on Add...

6. In the Name box, type: LocalPolicyStore.

7. Click on Custom and then enter your connection string: msxml://D:\<YourApplicationFolder>\App_Data\Roles.xml.

8. Click OK.

9. Click on the Back button in the IIS User Interface.

10. Double click on the Providers icon.

11. From the Feature drop down, select .NET Roles.

12. In the Actions Pane, click on Add...

13. From the Type dropdown, select “AuthorizationStoreRoleProvider (System.Web.Security...).”

14. In the Name box, type: “FormsAuthRoles.”

15. Under ConnectionStringName, select LocalPolicyStore.

16. Under ApplicationName, provide a name for the application.

17. Click OK.

18. Click on the Back button in the IIS User Interface.

19. Double click on the .NET Roles icon.

20. In the Actions Pane, click on Set Default Provider..., select FormsAuthRoles and click OK.

21. In the Actions Pane, click on the Enable button.

22. Click on the Back button in the IIS User Interface.

The IIS 7.0 Manager only edits IIS authorization rules (a new feature in IIS 7), not ASP.NET ones. To configure the ASP.NET authorization rules for the Secured folder, we need to add them under <system.web> inside a <location> element, as illustrated below:

Listing 8

<location path="Secured">
  <system.web>
    <authorization>
      <allow roles="Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

That is it! We are now ready to test our website. Log on with a user that is not part of the Managers role in the AzMan policy file and test whether you can access the secured pages. Then test again after adding that user to the Managers role.
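Before testing, it is worth checking that the three pieces of web.config (Listings 5, 6 and 7/8) actually fit together: the role manager is enabled, defaultProvider names a configured provider, that provider's connectionStringName resolves to an msxml:// store under App_Data (which ASP.NET never serves), and the Secured location denies everyone after allowing Managers, since ASP.NET applies the first matching rule. The script below is an added example, not code from the article or from Microsoft; the embedded web.config is a constructed sample assembled from the listings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's Listings 5-8 assembled into one well-formed web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="LocalPolicyStore" connectionString="msxml://D:\\MyWebApp\\App_Data\\Roles.xml" />
  </connectionStrings>
  <system.web>
    <roleManager enabled="true" defaultProvider="FormsAuthRoles">
      <providers>
        <add name="FormsAuthRoles" applicationName="FormsWithADAuth" connectionStringName="LocalPolicyStore"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
  <location path="Secured">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def lint_role_config(xml_text):
    # Returns a list of findings; an empty list means the config matches the article's intent.
    root = ET.fromstring(xml_text)
    findings = []
    conn = {a.get("name"): a.get("connectionString", "") for a in root.findall("./connectionStrings/add")}
    rm = root.find("./system.web/roleManager")
    if rm is None or rm.get("enabled", "false").lower() != "true":  # roleManager defaults to disabled
        findings.append("roleManager is missing or not enabled, so role checks always return false")
    default = None if rm is None else rm.find("./providers/add[@name='%s']" % rm.get("defaultProvider"))
    if default is None:
        findings.append("defaultProvider does not name a provider under <providers>")
    else:
        cs = conn.get(default.get("connectionStringName"))
        if cs is None:
            findings.append("provider connectionStringName has no <connectionStrings> entry")
        elif not (cs.startswith("msxml://") and "App_Data" in cs):
            findings.append("policy store should be an msxml:// path under App_Data")
    for loc in root.findall("./location"):
        rules = loc.findall("./system.web/authorization/*")
        # ASP.NET applies the first matching rule, so deny users="*" must come after the allow.
        deny_all = next((i for i, r in enumerate(rules) if r.tag == "deny" and r.get("users") == "*"), None)
        if deny_all is None:
            findings.append('location %s has no deny users="*" rule' % loc.get("path"))
        elif any(r.tag == "allow" for r in rules[deny_all + 1:]):
            findings.append("location %s has an allow rule after deny users=\"*\" that can never match" % loc.get("path"))
    return findings
```

Run it against your own web.config with `lint_role_config(open("web.config").read())`; the constructed sample produces no findings.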

One of the problems you will notice is that, after the user is added to the “Managers” role, the changes may not be visible immediately or until you recycle the worker process or restart the application. I am currently investigating where it caches this information and how to mitigate it.

Related Links

You can use the Windows Server 2003 Support Tools kit to figure this one out.

Support Tools Download

add Element for providers for membership (ASP.NET Settings Schema)

How to authenticate against the Active Directory by using forms authentication and Visual Basic .NET
