Posted 18 Nov 2004

Authorize and authenticate users with AD

How much time do you spend ensuring user permissions? Ease the job and let Windows and Active Directory do it for you.


I have always been interested in security issues, especially application security. I believe user authentication and authorization is one of the main concerns in application development (even if it is not the first thing to be coded).

Despite all my interest, only recently did I find the time to study the resources and advantages .NET offers in this area. There is a lot to find.

Active Directory and LDAP

Since MS launched the Windows 2000 family, there has been Active Directory (AD). Whoever has studied it knows that it is based on a less widely used Internet protocol called LDAP. Its job is, basically, to manage users, groups and other security objects in a domain in a simple way. The greatest advantage is interoperability, since with some work AD can be replaced by another LDAP server.

For developers, .NET comes with a full namespace that eases working with both AD and LDAP, System.DirectoryServices, which supports LDAP v3. In the following samples I will use a fake domain called AD1.

using System;
using System.DirectoryServices;

private static string domain = "AD1";

// Escapes the characters that have special meaning in an LDAP search filter (RFC 4515),
// so that a user-supplied name cannot change the structure of the filter.
private static string EscapeFilter(string value) {
  return value.Replace("\\", "\\5c").Replace("*", "\\2a")
              .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

public static bool LogonValid(string userName, string password) {
  // An empty password can be accepted by the server as an anonymous bind: reject it explicitly.
  if(password == null || password.Length == 0) return false;
  // Binding with the user's own credentials is what actually validates the password.
  using(DirectoryEntry de = new DirectoryEntry(null, domain + "\\" + userName, password)) {
    try {
      object o = de.NativeObject; // forces the bind; throws if the credentials are rejected
      DirectorySearcher ds = new DirectorySearcher(de);
      ds.Filter = "(samaccountname=" + EscapeFilter(userName) + ")";
      SearchResult sr = ds.FindOne();
      return sr != null;
    } catch {
      return false;
    }
  }
}

public static bool IsInRole(string userName, string role) {
  try {
    role = role.ToLowerInvariant();
    using(DirectoryEntry root = new DirectoryEntry(null)) {
      DirectorySearcher ds = new DirectorySearcher(root);
      ds.Filter = "(samaccountname=" + EscapeFilter(userName) + ")";
      SearchResult sr = ds.FindOne();
      if(sr == null) return false;
      DirectoryEntry de = sr.GetDirectoryEntry();
      // memberOf holds group DNs such as "CN=Domain Admins,CN=Users,DC=AD1,DC=local";
      // the group name is the first RDN value. Note that the user's primary group
      // (usually Domain Users) is not listed in memberOf, and that a group name
      // containing an escaped comma would be cut short by the IndexOf below.
      PropertyValueCollection dir = de.Properties["memberOf"];
      for(int i = 0; i < dir.Count; ++i) {
        string s = dir[i].ToString().Substring(3); // strip the leading "CN="
        s = s.Substring(0, s.IndexOf(',')).ToLowerInvariant();
        if(s == role) return true;
      }
    }
    return false;
  } catch {
    return false;
  }
}

These methods are written for a single application. The sources provided with this article are full implementations of the IIdentity and IPrincipal interfaces, which are more suitable for building ASP.NET Forms Authentication on top of AD.
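As an added illustration (not the article's own sources), here is a minimal IIdentity/IPrincipal pair and the two hooks that turn the methods above into ASP.NET Forms Authentication. AdSecurity is an assumed name for the class holding LogonValid and IsInRole; group membership is resolved once at login and carried in the ticket, so later requests need no LDAP round trip.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public sealed class AdIdentity : IIdentity
{
    private readonly string name;
    public AdIdentity(string name) { this.name = name; }
    public string Name { get { return name; } }
    public string AuthenticationType { get { return "ActiveDirectory"; } }
    public bool IsAuthenticated { get { return name.Length > 0; } }
}

public sealed class AdPrincipal : IPrincipal
{
    private readonly AdIdentity identity;
    private readonly string[] roles; // group names, stored lower-cased
    public AdPrincipal(AdIdentity identity, string[] roles) { this.identity = identity; this.roles = roles; }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role) { return Array.IndexOf(roles, role.ToLowerInvariant()) >= 0; }
}

public static class AdFormsAuth
{
    // Login page: validate against AD (AdSecurity is an assumed class name), then issue a ticket
    // whose UserData lists the groups of interest that the user belongs to.
    public static bool SignIn(HttpResponse response, string user, string password, string[] groupsToCheck)
    {
        if (!AdSecurity.LogonValid(user, password)) return false;
        string memberOf = "";
        foreach (string g in groupsToCheck)
            if (AdSecurity.IsInRole(user, g)) memberOf += g.ToLowerInvariant() + "|";
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, memberOf);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = true; // the cookie is the identity: never let it travel over plain HTTP
        response.Cookies.Add(cookie);
        return true;
    }

    // Call from Global.asax Application_AuthenticateRequest: rebuild the principal from the ticket.
    // Decrypt throws on a tampered or foreign cookie, so the caller should treat that as "not signed in".
    public static void AuthenticateRequest(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new AdPrincipal(new AdIdentity(ticket.Name), roles);
    }
}
```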

Leave it to Windows

Applications can benefit from Active Directory more efficiently and easily by using another set of classes, which also avoids having to write their own logon process. Developers should keep in mind that this is a Windows-dependent solution.

But how is that possible? This time, we'll use the Windows logon itself to authenticate the user, using only two classes in the System.Security.Principal namespace. This can be done in either of two ways:

using System;
using System.Security.Principal;
using System.Threading;

// Either ask Windows directly for the identity the process (or thread) is running under...
WindowsIdentity wi = WindowsIdentity.GetCurrent();
IPrincipal wp = new WindowsPrincipal(wi);

// ...or use the thread's principal. For this to be a WindowsPrincipal the application must
// first set the principal policy, otherwise Thread.CurrentPrincipal is a GenericPrincipal:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
IPrincipal wp2 = Thread.CurrentPrincipal;
IIdentity wi2 = wp2.Identity;

From now on, we can check whether a user belongs to a group simply by calling the IsInRole method defined by the IPrincipal interface. It's important to remember that domain groups must include the domain (e.g. "AD1\Administrators"); otherwise the group evaluated will be a local group on the machine running the code.

A call to IsInRole is the alternative when the group name is known only at runtime. When it is known at design time, methods and even whole classes can be protected using PrincipalPermissionAttribute. This can grant access to specific groups (roles) or users, or simply require that the user is authenticated (remember that on Windows 9x/ME the user can cancel the logon).

[PrincipalPermission(SecurityAction.Demand, Role="AD1\\Administrators")]

[PrincipalPermission(SecurityAction.Demand, User="AD1\\harkos")]

[PrincipalPermission(SecurityAction.Demand, Authenticated=true)]
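The following console program is an added example (not code from the article) that puts the two approaches side by side: the runtime IsInRole check with a domain-qualified versus a local group, and the declarative and imperative forms of PrincipalPermission, which deny by throwing SecurityException rather than returning false. AD1 is the article's fake domain.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class WindowsRoleDemo
{
    // Only callable when the thread principal is in the domain group AD1\Administrators.
    [PrincipalPermission(SecurityAction.Demand, Role = @"AD1\Administrators")]
    static void DomainAdminOnly()
    {
        Console.WriteLine("domain admin work done");
    }

    // Any authenticated Windows user may call this.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    static void AuthenticatedOnly()
    {
        Console.WriteLine("authenticated work done");
    }

    static void Main()
    {
        // Without this, Thread.CurrentPrincipal is a GenericPrincipal and every demand fails.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        WindowsPrincipal wp = (WindowsPrincipal)Thread.CurrentPrincipal;
        Console.WriteLine("running as {0}", wp.Identity.Name);

        // Runtime check: the domain group (prefixed) is not the local group of the same name.
        Console.WriteLine("AD1\\Administrators: {0}", wp.IsInRole(@"AD1\Administrators"));
        Console.WriteLine("local Administrators: {0}", wp.IsInRole(WindowsBuiltInRole.Administrator));

        // Declarative demands throw instead of returning false, so callers must handle SecurityException.
        try
        {
            AuthenticatedOnly();
            DomainAdminOnly();
        }
        catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }

        // Imperative form of the same demand, for a role name known only at runtime.
        string role = @"AD1\Administrators"; // constructed sample value
        try { new PrincipalPermission(null, role).Demand(); Console.WriteLine("demand passed"); }
        catch (SecurityException) { Console.WriteLine("demand for " + role + " failed"); }
    }
}
```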

The Windows identity can also be used to authenticate users on intranet sites. This configuration requires no code at all, just the following lines in the web.config file:

<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <allow roles="AD1\Administrators"/>
    <!-- without an explicit deny, everyone else is still allowed in -->
    <deny users="*"/>
  </authorization>
  <identity impersonate="true"/>
</system.web>

The identity line is not mandatory, but it makes the ASP.NET process impersonate the user accessing the site, which makes the site more secure and allows the use of PrincipalPermissionAttribute throughout your ASP.NET code.


User authentication and authorization using Windows/Active Directory is the best way to protect applications running inside a corporation, such as a webmail or ERP application: it eases management and task delegation and avoids multiple passwords. Of course, none of this applies if users should not or cannot be associated with domain user accounts, as with a blog or an event registration. In those cases, a larger implementation, with or without a database, is more suitable.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Leonardo Pessoa
Systems Engineer
Brazil Brazil
I may seem nice but I rewrite other people's code from scratch.

Article Copyright 2004 by Leonardo Pessoa