
Authenticating a Web service with Active Directory group

7 Feb 2013
I struggled for four weeks trying to authenticate my Web service with an AD group; I wanted to allow specific users to perform specific tasks with the project. So finally I got it working and I thought I'd share this.

Introduction

This code allows a specific user from Active Directory to perform a specific task, e.g. viewing important employee information (companies can't allow every employee to have access to that kind of information).

Using the code

using System;                                       // Environment
using System.Security;                              // SecurityException
using System.ServiceModel;                          // ServiceSecurityContext, OperationBehavior
using System.DirectoryServices.AccountManagement;   // PrincipalContext, GroupPrincipal, UserPrincipal

Firstly, I have my web.config, which looks like this (I won't post the whole file):

  <system.web>
    <authentication mode="Windows" />
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" />
    <trust level="Full" />
    <identity impersonate="false" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows">
              <extendedProtectionPolicy policyEnforcement="Always" />
            </transport>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>

I have two functions, and each function may only be invoked by members of a particular AD group. This is what I did in my functions on the service implementation:

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public void MyFunction()
{
    // Finds the caller as authenticated by Windows (DOMAIN\user)
    string whoAmI = ServiceSecurityContext.Current.PrimaryIdentity.Name;

    // Sets the context to the domain (disposed when the check is done)
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
    {
        // Specifies the context to use and the group name to look for
        GroupPrincipal group = GroupPrincipal.FindByIdentity(context, "APP_EMPLOYEEWS_BIO");
        // Sets the user to look for
        UserPrincipal user = UserPrincipal.FindByIdentity(context, whoAmI);

        // Checks if the user is a member of the group; if the group or user cannot be found,
        // or the user is not a member, throws an exception, else processes the function
        if (group == null || user == null || !user.IsMemberOf(group))
        {
            throw new SecurityException("Access Denied: User has no permission to process the request");
        }

        // Code to process here
    }
}
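As an added example (not the article's own code), a hypothetical AdGroupAuthorizer helper that centralises the check so each operation calls one line: it identifies the caller by the SID in the Windows token instead of the display name, fails closed when the group or user cannot be found, and counts membership inherited through nested groups. The class and method names are mine; the group name APP_EMPLOYEEWS_BIO is the one used in the article.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper (not from the article): one reusable, fail-closed group check
// that each WCF operation can call as its first statement.
public static class AdGroupAuthorizer
{
    // Throws SecurityException unless the current caller is a member, directly or
    // through nested groups, of the AD security group with the given sAMAccountName.
    public static void RequireMembership(string groupName)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        // Fail closed: anonymous or non-Windows callers are denied before any directory lookup.
        if (caller == null || !caller.IsAuthenticated || caller.User == null)
            throw new SecurityException("Access Denied: caller is not authenticated");

        using (var context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, groupName);
            // Resolve the caller by the SID carried in the Windows token rather than by
            // display name, so an account rename cannot change the authorization result.
            UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, caller.User.Value);
            // A group or user that cannot be found is a deny, never a silent pass.
            if (group == null || user == null)
                throw new SecurityException("Access Denied: group or principal not found");

            // GetAuthorizationGroups expands nested security groups and the primary group,
            // so membership inherited through a parent group counts. Compare by SID.
            bool isMember = user.GetAuthorizationGroups().Any(g => g.Sid != null && g.Sid.Equals(group.Sid));
            if (!isMember)
                throw new SecurityException("Access Denied: " + caller.Name + " is not in " + groupName);
        }
    }
}

// Usage in the service implementation, mirroring the article's operation:
public class EmployeeService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public void MyFunction()
    {
        AdGroupAuthorizer.RequireMembership("APP_EMPLOYEEWS_BIO");
        // Code to process here
    }
}
```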

I hope someone will find this helpful and not struggle as I did.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Thando Khumalo

South Africa


Article Copyright 2013 by Thando Khumalo