Authorization Manager (AzMan) can be used along with ASP.NET to manage roles for the application and also to check role membership. AzMan also has the capability of defining tasks and operations on tasks against the AzMan policy store. I will focus mainly on role membership for ASP.NET applications.
Managing role membership is especially useful with AzMan because you can easily have the administrator add users to roles, including mapping Windows accounts to roles defined in AzMan. This makes it a good fit with ADAM and ActiveDirectoryMembershipProvider. AzMan can work with ADAM or use an XML-based policy store file that can be easily deployed along with the application. In the scenario below, I am going to use an XML-based policy store within the well-known ASP.NET folder App_Data.
AzMan is installed with Windows Server 2003 SP1 and later.
For Windows XP clients, you need to install the Windows Server 2003
Administration Tools Pack, which you can download from the Windows
Server 2003 Service Pack 1 Administration Tools Pack download page.
The first step to using AzMan is creating a policy store file. To do that, you need to run AzMan in “Developer Mode,” which allows creation of policy files and applications. In “Administrator Mode,” a system administrator can connect to the policy store and make the required changes.
Step 1: Create Policy Store File, Roles and assign the users
1. Click Start, Run and type in AzMan.msc.
2. Right click on Authorization Manager and select Options, then select Developer Mode. Click OK.
3. Right click on Authorization Manager and select New Authorization Store...
4. Select XML File, then provide the path and name for the file in the Store name box. Eg: D:\<YourApplicationFolder>\App_Data\Roles.xml.
5. Right click on Roles.xml, select New Application..., and then provide a name for the application.
6. Expand the Definitions folder, then right click on Role Definitions and select New Role Definition...
7. Provide a name for the role, Eg: Managers, and click OK.
8. Right click on Role Assignments and select New Role Assignment...
9. Check the box against Managers and click OK. This role should now be listed under the Role Assignments node.
10. Right click on Managers and select Assign Users and Groups -> From Windows and Active Directory...
11. Select the users that you want to be part of this group and click OK.
Step 2: Provide access permissions for the process account on the policy store
Open the policy file location and add the process account to the ACL on the Roles.xml file. This will be NETWORK SERVICE by default on Windows Server 2003 and the local ASPNET account on Windows XP. If you changed the IIS application pool identity to a service account, then it should be that account.
Step 3: Configure the Role Provider and enable the application to use Roles
Internet Information Services 6.0
Step 1: Configure the Connection String for the local policy store
Open your application’s web.config and add the following under the <configuration> element.
Listing 5
<connectionStrings>
  <add name="LocalPolicyStore"
       connectionString="msxml://D:\MyWebApp\App_Data\Roles.xml" />
</connectionStrings>
Step 2: Enable Role Manager and configure the role provider
Listing 6
<roleManager defaultProvider="FormsAuthRoles" enabled="true">
  <providers>
    <add name="FormsAuthRoles"
         applicationName="FormsWithADAuth"
         connectionStringName="LocalPolicyStore"
         type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
Step 3: Configure role-based access for secured content
Create a folder under your application folder called “Secured” and copy the ManagementHome.aspx file into this folder. Then add a <location path="Secured"></location> element inside <configuration>, just before the closing </configuration> tag, and add the access rule inside it. It should look like this:
Listing 7
<location path="Secured">
  <system.web>
    <authorization>
      <allow roles="Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Internet Information Services 7.0
1. Open Internet Information Services Manager. Click Start, Run, type “Inetmgr” without quotes and press ENTER.
2. Expand the <ComputerName> node and then expand the “Sites” node.
3. Locate your website/virtual folder and click on it.
4. Double click on the Connection Strings icon.
5. In the Actions Pane, click on Add...
6. Configure the following:
7. Name: LocalPolicyStore
8. Click on Custom and then enter your connection string: msxml://D:\<YourApplicationFolder>\App_Data\Roles.xml.
9. Click OK.
10. Click on the Back button in the IIS User Interface.
11. Double click on the Providers icon.
12. From the Feature drop down, select .NET Roles.
13. In the Actions Pane, click on Add...
14. From the Type dropdown, select “AuthorizationStoreRoleProvider (System.Web.Security...).”
15. In the name box type: “FormsAuthRoles.”
16. Under ConnectionStringName, select LocalPolicyStore.
17. Under ApplicationName, provide a name for the application.
18. Click OK.
19. Click on the Back button in the IIS User Interface.
20. Double click on the .NET Roles icon.
21. In the Actions Pane, click on Set Default Provider..., select FormsAuthRoles and click OK.
22. In the Actions Pane, click on the Enable button.
23. Click on the Back button in the IIS User Interface.
The IIS 7.0 Manager only edits authorization rules at the IIS level (a new feature in IIS 7). To configure authorization rules for ASP.NET, we need to add the rules under the <system.web> section inside a <location> element, as illustrated below:
Listing 8
<location path="Secured">
  <system.web>
    <authorization>
      <allow roles="Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
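The two rules in Listings 7 and 8 only protect the folder in that order and only with the trailing deny: ASP.NET URL authorization applies the first matching <allow>/<deny> rule and a request matching no rule falls through to the root web.config default of <allow users="*" />. The following Python script is an added example, not part of the original article: it simulates that evaluation over the listing and two constructed misconfigurations. The user names alice and bob, the sample configs and the checker itself are my constructions, not ASP.NET's implementation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Secured <location> block exactly as in Listing 7/8.
SECURED_OK = """<configuration>
  <location path="Secured">
    <system.web><authorization>
      <allow roles="Managers" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed misconfigurations: the deny-all omitted, and the two rules swapped.
SECURED_NO_DENY = SECURED_OK.replace('<deny users="*" />', "")
SECURED_WRONG_ORDER = SECURED_OK.replace(
    '<allow roles="Managers" />\n      <deny users="*" />',
    '<deny users="*" />\n      <allow roles="Managers" />')

def _matches(rule, user, roles):
    """Does one <allow>/<deny> rule apply to this authenticated principal?"""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    rule_roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    return "*" in users or user in users or any(r in roles for r in rule_roles)

def decide(config_xml, path, user, roles):
    """True if allowed: first matching rule wins; a request matching no rule
    falls through to the root web.config default, <allow users="*" />."""
    root = ET.fromstring(config_xml)
    loc = root.find(f"./location[@path='{path}']")
    rules = [] if loc is None else [r for auth in loc.iter("authorization") for r in auth]
    for rule in rules:
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return True

def audit(config_xml, path="Secured", role="Managers"):
    """The two manual tests the article describes: hypothetical role member
    'alice' must get in, non-member 'bob' must not."""
    findings = []
    if not decide(config_xml, path, "alice", [role]):
        findings.append(f"{role} member is denied: a deny rule precedes the allow")
    if decide(config_xml, path, "bob", []):
        findings.append('non-member is allowed: add <deny users="*" /> after the allow')
    return findings

if __name__ == "__main__":
    for name, cfg in (("listing", SECURED_OK), ("no deny", SECURED_NO_DENY),
                      ("wrong order", SECURED_WRONG_ORDER)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```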
That is it! We are now ready to test our website. Log on with a user that is not part of the Managers role in the AzMan policy file and test whether you can access the secured pages. Also test after adding that user to the Managers role.
One of the problems you will notice is that, after the user is added to the “Managers” role, the changes may not be visible immediately, or not until you recycle the worker process or restart the application. I am currently investigating where it caches this information and how to mitigate it.
Related Links
You can use the Windows Server 2003 Support Tools kit to figure this one out.
Support Tools Download: http://support.microsoft.com/kb/892777
add Element for providers for membership (ASP.NET Settings Schema)
How to authenticate against the Active Directory by using forms authentication and Visual Basic .NET