CodeProject: Active Directory Roles Provider. Free source code and programming help

Report Article

Discuss

Send to a friend

16 votes for this Article.

Popularity: 4.40 Rating: 3.65 out of 5

Introduction
Requirements
Technical Summary
Querying Active Directory
Caching to SQL Server
SQL Caching Performance
Using the Code
Future Enhancements
History

Introduction

I've written this code in order to fill a percieved gap in Microsoft's current ASP.NET role management offerings. (If you are not familiar with ASP.NET Membership and Role Management, you may want to check out the current framework documentation on Securing ASP.NET Web Sites before continuing this article. The Membership and Role summary pages should give you a good start.)

Currently, if you are using forms-based authentication with Microsoft's ActiveDirectoryMembershipProvider, you are a bit limited in your options for a role provider. There is nothing built into the framework that is as relatively simple to configure and maintain ActiveDirectoryMembershipProvider. The best solution you are left with is setting up AzMan. However, there's a significant learning curve and a lot of conflicting information out there regarding it, and it also requires setup and configuration outside of the web site's web.config.

That's where ADRoleProvider comes into play. Simply stated, ADRoleProvider is a role provider class that allows you to use your existing Active Directory groups as ASP.NET Roles, and attempts to provide that framework as easily as ActiveDirectoryMembershipProvider provides your membership framework. Since it inherits from Microsoft's base RoleProvider class, it should function seamlessly in your site and work with all the standard .NET controls (LoginView, etc) and Web.config authorization settings.

Please make certain that you read through this documentation and understand the security and performance concerns mentioned. Also, look through the code to gain an understanding of what exactly how it operates.

Requirements

In order to make use of this RoleProvider class, there are only two requirements

You must be running an ASP.NET website using version 3.5 of the framework. This is because the code uses the System.DirectoryServices.AccountManagement namespace to enumerate group membership.
Your IIS web server must be a member of the domain you wish to use for group/role maintenance. You can use an off-domain server with a little code tweaking, and I will be supporting this option down the road.
For the time being, attributeMapUsername="sAMAccountName" should be set in your ActiveDirectoryMembershipProvider. This is explained further below in the Technical Summary.

Technical Summary

Using the source code that Microsoft has released for SqlRoleProvider as a jumping-off point, I've tried to make this class adhere as close as possible to the behavior of the "built-in" role providers. The only significant difference to note is that this is a read-only provider. Since management should be done only through Active Directory, any role operations that would require write access will throw a NotSupportedException.

IMPORTANT - All of the Active Directory queries in the class are currently made against the LDAP sAMAccountName attribute. Consequently, any time you are referring to a group or user name in the web.config, please be certain you are using the sAMAccountName. However, ActiveDirectoryMembershipProvider can be configured to use either sAMAccountName OR userPrincipalName. To avoid any confusion, the safe bet is to set attributeMapUsername="sAMAccountName" in the membership configuration section of the web.config. The one critical change I am currently planning for this code is the option to use UPN to avoid any confusion. This change should complete and tested within a week. If you are working in a live environment in which users are accustomed to logging in as username@domain.com rather than username, please hold off using this until then.

Certain built-in or common Active Directory groups are specifically excluded in the source code. For example, Exchange Enterprise Servers would never, ever be used as a role, so that is in an internal exclusion list. These system groups cannot be queried against, and will never show up in any results. You can also specify your own groups to ignore in the Web.config (see configuration below).

Querying Active Directory

All of the heavy lifting done by this class involves querying against Active Directory, and there are as many ways to query Active Directory as there are to shoot yourself in the foot. Below is the complete code for retrieving a user's role (i.e. AD Group) membership. The SQL Caching code is ellipsed out for explanation purposes.

/// <summary>
/// Retrieve listing of all roles to which a specified user belongs.
/// </summary>
/// <param name="username"></param>
/// <returns>String array of roles</returns>
public override String[] GetRolesForUser(String username)
{
	...
	//Create an ArrayList to store our resultant list of groups.
	ArrayList results = new ArrayList();
	//PrincipalContext encapsulates the server or domain against which all
         //operations are performed.
	using (PrincipalContext context = new PrincipalContext(ContextType.Domain,
             null, _DomainDN))
	{
		try
		{
			//Create a referance to the user account we are querying
                           //against.
			UserPrincipal p = UserPrincipal.FindByIdentity(context,
                               IdentityType.SamAccountName, username);
			//Get the user's security groups.  This is necessary to
                           //return nested groups, but will NOT return distribution groups.
			var groups = p.GetAuthorizationGroups();
			foreach (GroupPrincipal group in groups)
			{
				if (!_GroupsToIgnore.Contains(group.SamAccountName))
				{
					if (_IsAdditiveGroupMode)
					{
						if (
                                                           _GroupsToUse.Contains(
                                                           group.SamAccountName))
						{
							results.Add(
                                                                    group.SamAccountName);
						}
					}
					else
					{
						results.Add(group.SamAccountName);
					}
				}
			}
		}
		catch (Exception ex)
		{
			throw new ProviderException(
                               "Unable to query Active Directory.", ex);
		}
	}
	...
	return results.ToArray(typeof(String)) as String[];
}

Do not let the nested if statements throw you off; they are there only to make certain that the proper groups are ignored/used, depending on your configuration, explained below. As the comments explain, programming against System.DirectoryServices.AccountManagement is actually quite simple.

Caching to SQL Server

Querying against Active Directory can be pretty slow. To alleviate this, ADRoleProvider includes options to enable caching the results from its Active Directory queries to a Microsoft SQL Server. It seems counterintuitive, but caching querying against SQL Server is generally faster than executing AD queries.

The manner of caching is extremely simple. I vacillated between using a more fully normalized series of tables and the simplified method I finally settled upon. Data is cached to a single table as specified below.

An ID field, used to speed up duplicate lookups in one of the stored procedures
Application Name for the item, allowing a single table to be used for multiple applications
The type of object being cached (L=Roles List, U=User membership, R=Role membership)
User or role name
Comma-separated list of membership
Expiration datetime

CacheId    ApplicationId    CacheType    CacheKey    CacheValue    ExpireDT
49    MyApp    L    AllRoles    Customer Service,IT    8/18/2008 2:49:50 PM
50    MyApp    U    asmith    IT    8/18/2008 2:49:50 PM
51    MyApp    R    IT    dsmith,msmith,asmith,jsmith,ssmith,bsmith    8/18/2008 2:49:50 PM

There are certain situations in which this simplified method of caching could present minor annoyances. For example: The cached results for IT is set to expire at 2:50, the results for asmith are set to expire at 3:50, and asmith is removed from the IT Active Directory group. In this situation, there could be an hour period where enumerating IT shows that asmith is not a member, but asmith still thinks he is. This could be avoided by having a group table, a user table, and a join table. However, I decided that the added complexity and overhead was not worth the trade-off, since every time a cache item is set, the integrity of every item involved would have to be verified.

Included in the code zip file is a SQL file that will create the necessary table and stored procedures to implement caching. This has been tested under SQL Server 2005 Standard and Developer editions, and SQL Server 2008 Standard.

SQL Caching Performance

Honestly, the impact of enabling SQL caching is much larger than I had thought it would be. My test environment consists of only two groups and about a half dozen users. With such a small set of data to work with, I figured the performance impact would be minimal. The SQL instance I am connecting to is on a separate server from the test site. The code below basically what I used to test performance, though I actually set it to run a few hundred times.

DateTime dtStart;
DateTime dtEnd;
TimeSpan executionTime;
string[] results;

dtStart = DateTime.Now;
results = Roles.GetAllRoles();
results = Roles.GetRolesForUser("dsoref");
results = Roles.GetUsersInRole("IT");
dtEnd = DateTime.Now;
executionTime = dtEnd - dtStart;
tests.InnerHtml += "Execution Time: " + executionTime.TotalMilliseconds + "<br /><br />";

Without caching enabled, this chunk of code would take from 78 to 154ms to execute, with the average hovering at about 98ms.

With caching enabled, the initial request would take from 81 to 204ms to execute, with the average hovering around 102ms since the data needed to be cached to the SQL database. However, subsequent requests within the expiration time took only 14 to 16ms. I guess SQL is faster than AD after all.

Using the Code

First, you will want to compile the provider and copy the resulting .dll into your website's bin folder. You could instead copy the .cs file into your App_Code directory, but this is somewhat less secure. Granted, you should be able to trust all of your developers, but better safe than sorry.

Web.Config

Next, you will want to enter the proper configuration settings into your web.config, as below. I will run through each of these settings.

...
<connectionStrings>
    ...
    <add name="ActiveDirCS"
        connectionString="LDAP://DC=YourDomain,DC=com"/>

</connectionStrings>
...
<roleManager enabled="true" defaultProvider="ActiveDirRP">
    <providers>
        <clear/>
        <add applicationName="MyApp"

            name="ActiveDirRP" 
            type="DanielPS.Roles.ADRoleProvider" 
            activeDirectoryConnectionString="ActiveDirCS" 
            groupMode="Additive" 
            groupsToUse="IT, Customer Service" 
            groupsToIgnore="Senior Management" 
            usersToIgnore="asmith, ksose"

            enableSqlCache="True"
            sqlConnectionString="SQLCacheCS"
            cacheTimeInMinutes="30" />
    </providers>

</roleManager>
...

Name should be specified as with any other role provider for reference in the web.config.
Type will refer to our new roleprovider class, DanielPS.Roles.ADRoleProvider, or something else if you don't like the namespace.
ApplicationName should be the same as used in your membershipprovider section.
activeDirectoryConnectionString should be LDAP-formatted and serverless, i.e. LDAP://DC=YourDomain,DC=com. If you specify a server, an error will be thrown.
The most important setting here is groupMode. It has two options:
- Additive - All Active Directory groups are essentially invisible and useless unless the are specified in the groupsToUse section. This is the safest method, as you are assured that no secure Active Directory groups are exposed to the web site, and will not be listed even on a GetAllRoles() call. All groups you wish to use as roles must be specified in groupsToUse
- Subtractive - All Active Directory groups are exposed as roles unless they are listed in the groupsToIgnore section. This is somewhat less secure, but requires less maintenance when groups are added or removed. As mentioned, there is a list in the source code of common AD groups that will be ignored whether or not they are in the groupsToIgnore list.
groupsToUse is a comma-separated list of groups that should be used as roles. This is only used if groupMode is set to Additive.
groupsToIgnore is a comma-seperated list of groups that should be ignore for roles purposes. They will not should in the results for any Roles functions. In the example above, Roles.GetRolesForUser() will never include "Senior Management" in the results, and Roles.GetUsersInRole("Senior Management") will throw a ProviderException.
enableSqlCache should be set to True to enable SQL caching. I highly recommend it.
sqlConnectionString is the name of the connection string to use for SQL connections if SQL caching is enabled.
cacheTimeInMinutes is the length of time, in minutes, that items should be cached if SQL caching is enabled.

Note: If a groupMode is additive, and a group is specified in both groupsToUse and groupsToIgnore, groupsToIgnore will take precedence.

Note: If a group is specified in groupsToUse, but does not exist in Active Directory, it will be ignored.

Groups and Users Excluded in the Source

The following groups are excluded in the source code. Even specifying them in groupsToUse will not make them functional.

Domain Guests, Domain Computers, Group Policy Creator Owners, Guests, Users, Domain Users, Pre-Windows 2000 Compatible Access, Exchange Domain Servers, Schema Admins, Enterprise Admins, Domain Admins, Cert Publishers, Backup Operators, Account Operators, Server Operators, Print Operators, Replicator, Domain Controllers, WINS Users, DnsAdmins, DnsUpdateProxy, DHCP Users, DHCP Administrators, Exchange Services, Exchange Enterprise Servers, Remote Desktop Users, Network Configuration Operators, Incoming Forest Trust Builders, Performance Monitor Users, Performance Log Users, Windows Authorization Access Group, Terminal Server License Servers, Distributed COM Users, Administrators, Everybody, RAS and IAS Servers, MTS Trusted Impersonators, MTS Impersonators

The following users are excluded in the source code. They will not show up in any group membership enumeration.

Administrator, TsInternetUser, Guest, krbtgt, Replicate, SERVICE, SMSService

Future Enhancements

Add configuration options to allow a non-domain IIS server to host a web site making use of this code without any tweaking.
Add configuration options to use Common-Name rather than sAMAccountName.

History

8/12/2008 - Initial Posting
8/20/2008 - Update to include SQL Caching, rewrite of some sections for clarification, more detailed explanations, and misc. corrections
8/20/2008 - Rewrote group membership enumeration to use System.DirectoryServices.AccountManagement (.NET 3.5 only) and support recursive membership
9/4/2008 - Source updated
9/30/2008 - Article Rewrite

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Daniel_PS

Location:

United States

Other popular ASP.NET articles:

Multiple File Upload With Progress Bar Using Flash and ASP.NET
How to use Flash to upload multiple files in a medium-trust hosting environment
CAPTCHA Image
Using CAPTCHA images to prevent automated form submission.
10 ASP.NET Performance and Scalability Secrets
10 easy ways to make ASP.NET and AJAX websites faster, more scalable and support more traffic at lower cost
Paging of Large Resultsets in ASP.NET
An article about optimization and performance testing of MS SQL Server 2000 stored procedures used for paging of large resultsets in ASP.NET
File Upload with ASP.NET
This article shows you how work with uploading of the files using ASP.NET and C#.

Article Top

You must Sign In to use this message board.

Msgs 1 to 25 of 33 (Total in Forum: 33) (Refresh)

FirstPrevNext

Which Provider "Type" do I use if ADRoleProvider class is not converted to a .dll

Alan Dale Fisher

6hrs 51mins ago

First of all Thanks for sharing this code, great job! I got this to work on my app by just referncing the class but am having an issue when implementing it from web.config. I didn't convert the class to a .dll and I don't know what to put in the Type field for the Provider. I'm fairly new to .net and don't know how to get from a class to .dll. Any way you said it could be done leaving it as a class but the Type is the only issue I see. Thanks for any help.

Integrated Authentication

Mike Peters

12:27 3 Nov '08

I'm curious, if I want to use windows integrated authentication for my web application, could I still use your AD role provider to retrieve roles, or does it require a user to log in using the AD membership provider? Thanks!
Sign In·View Thread·PermaLink

"allow roles" in web.config [modified]

Mike Peters

8:43 29 Oct '08

I am doing a volunteer project for my daughter's school and I think I am going to use this to show/hide items in the menu. I haven't tested it but it looks like a great solution!

One question.. when using ActiveDirectoryMembershipProvider, can I use "allow roles" in the authorization section of the web.config to allow roles to access specific pages or folders, or do I need to use your AdRoleProvider to do a check on every page to see if the user is in the role?

Thanks!!

modified on Wednesday, October 29, 2008 2:28 PM

Re: "allow roles" in web.config

Daniel_PS

14:45 29 Oct '08

Hi Mike,

Thanks very much for the kind words.
You should definitely be able to use the authorization section of the web.config. If you do happen to run in to any trouble, just post here with details and I will do what I can to help.

The only thing to keep in mind is the samaccountname issue mentioned in the article's technical summary. I intended to have had that change implemented a couple weeks ago, but I don't currently have access to an AD domain that I can play with to test the changes to allow the use of userprincipal name.

Happy programming,

Daniel

"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life." - Terry Pratchett

Re: "allow roles" in web.config

Mike Peters

10:57 30 Oct '08

I used your "GetRolesForUser" to write out all the roles I belong to, and I see I am part of the "ReportAdmin" group, however when I try to give myself permission to a folder like this:

location path="Reports">
system.web>
authorization>
allow roles="ReportAdmin" />
deny users="*" />
authorization>
system.web>
location>

I don't have access to that folder. I don't think this is an issue with your role provider. I think I just might be doing something wrong. I'm using ActiveDirectoryMembershipProvider and your role provider.

Re: "allow roles" in web.config

Mike Peters

11:25 30 Oct '08

Ooops, sorry, I forgot to add that role to "groupsToUse" Once I did that, it works perfectly!! THANKS!!!
Sign In·View Thread·PermaLink

Using this Role Provider with MOSS 2007

delillo

7:56 21 Oct '08

Has anyone tried to use this Role Provider in MOSS 2007 in combination with the ActiveDirectoryMembershipProvider? I want to set up FBA in MOSS to authenticate against AD, and then use security groups to manage Sharepoint site permissions.
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Demo does not seem to work with latest version of dll included in source distribution

wgeurden

11:58 29 Sep '08

After changing the activeDirCS connectionstring and running the demo - i get an "Object reference not set to an instance of an object." error. It seems the old version cached an object that referred to the current user with a key of "UserName". The dll included in the source does not seem to do that from there the error. Can you verify/fix ? Many thanks, Wim
Sign In·View Thread·PermaLink

Re: Demo does not seem to work with latest version of dll included in source distribution

Daniel_PS

12:10 29 Sep '08

Sorry about that. The demo project is outdated.

I'm going to be rewriting the entire article tonight, so when I submit the changes for that, I'll include a replacement demo project.

In the meantime, if you take the DLL from the source package, that should work with the web.config as given in the article.

Again, my apologies, I've just been so busy it slipped my mind. It will be updated shortly.

Daniel

Other Active Directory Role Provider (ADRP) on CodePlex

kuke

17:13 28 Sep '08

Hi Daniel,

This looks great - I'll take a look now and see how it fits into our SharePoint extranet.

Are you familiar with an existing ADRoleProvider on CodePlex here[^]?

As I just suggested to the creator "dunry" there, it may be worthwhile investigating a way to merge the solutions - where possible - to provide a single community ADRoleProvider. (Though arguably there should be an official MS one that works with FBA!).

Also, have you considered how you'll distribute future updates (e.g. via a CodePlex site?).

Cheers,

Peter

Re: Other Active Directory Role Provider (ADRP) on CodePlex

Daniel_PS

12:20 29 Sep '08

That's not at all a bad idea.

I had been planning on distributing potential future updates by simply updating this article, but a CodePlex site is a pretty good idea. I'll see if I can get in touch with Dunry and see what his thoughts are on the matter, or I'll just create a new project there.

As for Sharepoint, I'm not sure how well this will work in that environment. (I mean that in the literal sense. It may or may not be worthwhile.) The one problem I can see is that Sharepoint seems to handle security with its own groups, whose membership can refer to AD groups if it is member of a domain, so you'd be duplicating functionality. Also, I think that the Sharepoint role model extends upon the standard .net model, in which case the code here could be lacking certain functionality. In the same way, adding a SqlRoleProvider into a Sharepoint site might not achieve much. I'm not sure what you are doing, though, so I could be wrong.

In any case, let me know what you learn in that regard, if you don't mind. I'm going to be starting work shortly on a WSS site, so maybe I can learn something from your mistakes before I start learning from my own. Wink

Thanks for the input as well.

Daniel

Re: Other Active Directory Role Provider (ADRP) on CodePlex

kuke

15:43 30 Sep '08

Basically you need a "custom" RoleProvider for SharePoint when:

- You want to use Forms Authentication
- You have Active Directory and want to make these roles available in SharePoint

This is because there's WindowsTokenRoleProvider only works with Windows Authentication. (Isn't it strange that Microsoft doesn't provide a decent RoleProvider for it's own ActiveDirectory using FBA?).

An example of needing it in SharePoint is when you have an extranet with external users in the AD and they are members of various groups which you want to base your SharePoint site security on - e.g. you give members access to all your Supplier's to the Suppliers site.

After messing about a bit, I actually discovered the poorly documented "Microsoft.Office.Server.Security.LdapRoleProvider" which ships with MOSS that does actually work [with a bit of help help], so I don't actually need your great effort now sorry. Not sure if it'd work you were just using WSS (and not MOSS).

As an aside, I note you were using ArrayList objects - have you considered upgrading to List (generics)?

Re: Other Active Directory Role Provider (ADRP) on CodePlex

Daniel_PS

9:28 1 Oct '08

Hi Kuke,

That's pretty cool, regarding the MOSS LdapRoleProvider. Like you mentioned, I'm not sure this code would even work in your situation, since one would assume that there is extended functionality in the MOSS provider that is not covered by the standard ASP .Net provider. Its existence also makes me wonder two things.

One, if they can provide that for MOSS, why don't they implement it as a standard ASP .Net LdapRoleProvider? I suppose they must simply be satisfied with the unwieldy AzMan solution.

Two, would a tool like Reflector give some valuable insight into how they are implementing it that could be used in this project?

Maybe that's something you could help me with. In another post on this page, I've mentioned a coding contest that I've entered this project in. If I won that, I'd have access to MOSS so I could poke around with it. If you would, please consider going to that site and voting, which starts in less than a day. It actually doesn't have to be for my project, as there is some pretty good competition out there.

Enough of that.

Not a bad idea at all concerning switching to List<>. You started me thinking and I happened upon this[^]. Since keeping this class lightweight and snappy paramount, I'll definitely make that switch in the next update.

Thanks much for the support and suggestions! Smile

I hope your MOSS project goes well.

Daniel

"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life." - Terry Pratchett

Re: Other Active Directory Role Provider (ADRP) on CodePlex

kuke

21:33 2 Oct '08

No worries Dan cheers - it seems to be working, but I've still got an issue with SharePoint not wildcard searching the groups in its people-picker as described here[^].

It is crazy that the LdapRoleProvider is only included as part of MOSS and not the wider .NET - surely MS wants you to use AD? (I mean, it's more secure than a SQL DB in the DMZ isn't it?!?!).

I think you could reflect on Microsoft.Office.Server.Security (I think that's what it's called) but I recall seeing a DotFuscator attribute on it, so it could be scrambled.

Just stuck my vote in for you. Good luck.

Cheers,

Peter

Recursive membership

Richard Deeming

6:54 29 Aug '08

The GetUsersInRole method is recursive, but the GetRolesForUser is not.

From the documentation of the GetGroups method:

This method returns only the groups of which the principal is directly a member; no recursive searches are performed.

You could make the code recursive by calling GetAuthorizationGroups instead, but that would exclude distribution groups (which are included by the GetGroups method).

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

Re: Recursive membership [modified]

Daniel_PS

10:09 29 Aug '08

The trick is I'm not using the Principal class, but the UserPrincipal class.

Take a look here: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.principal.getgroups.aspx[^]

Quote:
----
This overloaded method only returns the groups of which the principal is directly a member; no recursive searches are performed. Recursive search results are available for user principal objects. For more information, see the GetAuthorizationGroups method.

If the principal store is AD DS, the list of groups contains the user's primary group that is identified by the primary group ID attribute in the AD DS object.
----

This page http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getgroups.aspx[^] does not contain the same remarks

To clarify,

Principal p = Principal.FindByIdentity(context, IdentityType.SamAccountName, username);
var groups = p.GetGroups();
-> Only returned non-nested groups

UserPrincipal p = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
var groups = p.GetGroups();
-> Returns nested groups

The documentation is a little confusing. My theory is that UserPrincipal.GetGroups() actually calls GetAuthorizationGroups(), but I haven't yet tested to see if distribution groups show up. I'll test that Tuesday when I'm back at work and have access to an AD domain.

Whether or not that is the case, during my testing nested security groups always were listed. I'll verify that again Tuesday, though.

modified on Friday, August 29, 2008 3:15 PM

Re: Recursive membership

Richard Deeming

10:28 29 Aug '08

Have you actually tried it?

Neither the UserPrincipal or AuthenticationPrincipal override the GetGroups method (which is not virtual).

Testing against my account:

Principal.GetGroups returns eight groups (three security, five distribution);

UserPrincipal.GetGroups returns the same list;

UserPrincipal.GetAuthorizationGroups returns seventeen security groups, including "Everyone" and "Users" which were not returned by GetGroups;


using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
    Principal p = Principal.FindByIdentity(context, IdentityType.SamAccountName, username);
    Console.WriteLine("Principal:");
    foreach (GroupPrincipal item in p.GetGroups())
    {
        Console.WriteLine("{0} ({1})", item.SamAccountName, item.IsSecurityGroup);
    }
    Console.WriteLine();
    
    UserPrincipal u = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
    Console.WriteLine("UserPrincipal:");
    foreach (GroupPrincipal item in u.GetGroups())
    {
        Console.WriteLine("{0} ({1})", item.SamAccountName, item.IsSecurityGroup);
    }
    Console.WriteLine();
    
    Console.WriteLine("UserPrincipal Auth Groups:");
    foreach (GroupPrincipal item in u.GetAuthorizationGroups())
    {
        Console.WriteLine("{0} ({1})", item.SamAccountName, item.IsSecurityGroup);
    }
    Console.WriteLine();
}

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

Re: Recursive membership

Daniel_PS

10:51 29 Aug '08

I'll have to check it again Tuesday, but I was definitely getting nested security groups when I tested. Maybe I'm imagining things, but I don't think so.
Sign In·View Thread·PermaLink

Re: Recursive membership

Daniel_PS

6:27 2 Sep '08

Well I've got egg on my face. Actually, it's not so much egg as a look of embarrassment. D'Oh!

I call it egg.

You are completely correct about the nested group issue. It seems to be my ~~Achilles'~~ Daniel's Heel. It was just a typo in my testing that was giving me the correct results.

I've now altered the code to use GetAuthorizationGroups and modified GetAllRoles to exclude distribution groups, for better or worse. It makes sense, since we are dealing with security, but is a bit more limiting. I may change this back down the road, but I'm too crunched for time now write and test another method.

I'll just need to update the article text to make note of this change, which I've been meaning to completely rewrite anyway.

Thanks for the help, Richard. It is very much appreciated Smile

Daniel

So what was that secret to hide the source for the DLL ?

nsimeonov

14:09 22 Aug '08

Just curiosity on my side. Why didn't you disclose the source code for the actual AD query but only provided a compiled version of it? I admit MSDN provides way too much information about it and you may easily get lost but it isn't such a big secred. Also caching AD queries in SQL? WTF? How much time will you save if any?
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

???? nothing? All the source is there.

Daniel_PS

14:19 22 Aug '08

I'm not sure what you mean. If you click to download the source code, everything is there. All the AD querying code is out in the open. You must have just downloaded the demo project, which actually needs to be updated yet.

If you read the article, caching the queries in AD saves a LOT of time. AD queries are very slow.

Hope that clarifies things. Any other questions, just ask.

Daniel

modified on Friday, August 22, 2008 7:46 PM

Re: ???? nothing? All the source is there.

nsimeonov

13:32 23 Aug '08

I stand corrected! Apparently I was looking at the wrong code. About caching - yes it may speed it up but still it is risky and if an admin corrects someone's permissions this will stay undetected. Workarounds may be implements though. Please accept my apologies for the misunderstanding!
Sign In·View Thread·PermaLink

Active Directory Roles Provider

Contents

Introduction

Requirements

Technical Summary

Querying Active Directory

Caching to SQL Server

SQL Caching Performance

Using the Code

Web.Config

Groups and Users Excluded in the Source

Future Enhancements

History

License

About the Author

Other popular ASP.NET articles: