Windows Authentication and Authorization

Topics: ASP.NET 2.0, Controls, Themes
Jan 7, 2008 at 2:26 PM
I am trying to make BlogEngine work in our organization. My basic requirement for this is. The BlogEngine is running within the local network. Any authenticated domain user can read it. The author could edit it and admin it using windows authentication.

Anybody had this experience and can share the details with me?

Great Thanks!
Email: me@avalongirl.com
Jan 7, 2008 at 5:27 PM
There shouldn't be an issue with replacing the membership provider with an Active Directory membership provider. Have a look at http://msdn2.microsoft.com/en-us/library/ms998360.aspx for an outline on using Active Directory for membership provider in ASP.NET 2.0

If you have any problems following this then let me know and I will walk you through it.
Jan 7, 2008 at 5:38 PM
I found another good article that talks about using an Active Directory membership provider...

http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx

A good point was made in this article about using SSL for your authentication process... I have previously written a post about using SSL for authentication:

http://www.dscoduc.com/post/2007/11/Unencrypted-login-to-BlogEngineNet.aspx
Jan 8, 2008 at 12:36 PM
Hi, Thank you for your reply. 2 more questions:

1. I do have a problem setting up the ADConnectionString when following the MSDN document.
Do I have to have the domain controller administrator password to set up the membership like the following?

<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
                   System.Web, Version=2.0.3600.0, Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionUsername="vstsb2.local\Administrator"
             connectionPassword="password"/>
    </providers>
</membership>

I do not think I could get the administrator password. So what should I do? Ask for a new account with some special right?

2. Assuming I know how to set up ASP.NET with AD security, how could I set up the authorization to identify who is the user and who is the author? I guess the User page is not valid anymore...

Great thanks.

Jan 8, 2008 at 5:00 PM
Edited Jan 8, 2008 at 5:03 PM
I think you may be going the long way. In order to enable Windows Authentication all you need to do in your web application's Web.config file is enable impersonation, set the authentication mode, and if you are managing your roles in AD as AD groups set the role manager, as in the following example. However, I would think that you may want to manage your roles using something other than AD unless you are the one who can modify these.

<system.web>
    ...
    <identity impersonate="true" />
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    ...
</system.web>
In addition, in your web site configuration in IIS you will need to enable Windows Authentication.
Jan 8, 2008 at 6:39 PM
Edited Jan 8, 2008 at 7:32 PM
lvildosola,

I am also trying to get BlogEngine.NET to work for an organization's intranet. I made the changes you suggested, but am still getting the 500 error "The page cannot be displayed because an internal server error has occurred." It seems like this should be very simple, but I've been struggling with this and haven't been able to get it to work. If I start with a fresh web.config, it works fine. If I do nothing else but make the changes you suggested -- add the identity tag, replace the authentication section, and enable Windows Authentication (disable everything else) in IIS -- it does not work. Any other ideas? Is there at least a way to toggle off the error page so I can see exactly where the failure is?

Any and all help is much appreciated!

lvildosola wrote:
I think you may be going the long way. In order to enable Windows Authentication all you need to do in your web application's Web.config file is enable impersonation, set the authentication mode, and if you are managing your roles in AD as AD groups set the role manager, as in the following example. However, I would think that you may want to manage your roles using something other than AD unless you are the one who can modify these.

<system.web>
    ...
    <identity impersonate="true" />
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    ...
</system.web>
In addition, in your web site configuration in IIS you will need to enable Windows Authentication.

Jan 8, 2008 at 8:03 PM
I don't believe BlogEngine.Net will work with Windows Integrated, only Forms Authentication. So changing over to integrated should be off the table. As for forms authentication using Active Directory, you have two choices... You can manually configure a service account username and password in your web.config file (least desirable)... Or you can run the web site within an application pool configured with a domain service account that has permissions to look into your Active Directory (most desirable).

NOTE: the domain account doesn't need administrator permissions to the domain, just read access. For AD Authentication to work the web site membership provider will attempt to make an authentication request using the credentials provided by the web user during their login. (This traffic is a simple bind and probably made in the clear - recommend using PKI - HTTPS:// and LDAPS://) If the user credentials are able to authenticate to the domain then the user has successfully authenticated to the web site.

If I get some time this week I will configure up my lab and post how I did this on my blog.
Jan 8, 2008 at 10:04 PM
I just made the changes to my local setup. I am using SQL Server with it so I had to add 'NT AUTHORITY\IUSR' to allow login to my Blog database (I'm using Vista so I did it this way to get it working). The bulk of the problem appears to be the Recent Posts and Author List control. I temporarily commented these out. So, I am now able to get it loading and I can navigate through the pages. I cannot get to the admin part because I am using the SQL role manager and I would have to set it up differently and create AD groups and change the respective Web.config file for the admin part but I think it should work in general.

So, the thing is to figure out why Recent Posts and Author List fail. I don't have time to check it right now but I will later today if I have a chance.
Jan 10, 2008 at 11:26 AM
Any luck, dscoduc or lvildosola? Looking forward to your update. Thanks!
Jan 10, 2008 at 9:42 PM
I have been thinking more about this and decided that my previous answers were incorrect/incomplete... So let's re-address this topic with more clarification:

I guess it is possible to use Windows Integrated security as the membership provider. This would require that your IIS web site has the security settings to only allow Windows Integrated Security, and that you have configured the roles.xml file correctly. I say this because a user who has authenticated to the web server using Windows Integrated Security can pass the Authenticated User Identity to the Web Application (in this case BlogEngine.Net) and it would be up to BlogEngine.Net to match that Authenticated User Identity to an entry in the roles.xml file. I believe you would have to update the roles.xml file to include the username as it has been presented to BlogEngine.Net. In the case of an Authenticated User Identity that is MyDomain\Chris then I would expect that you would need an entry in roles.xml for MyDomain\Chris. I will test this shortly and let you know. Keep in mind that this works great if your IIS server is a member of your Active Directory domain but not if you are running the IIS server as a stand-alone server.

If you are running a stand-alone IIS server then you would need to use Forms Authentication and an Active Directory Membership Provider. I will also be doing this in my lab and will document this on my blog when I have completed it successfully...
Jan 10, 2008 at 11:03 PM
dscoduc has it right. I have gone through this yesterday but I did not have a chance to post. I have successfully configured it to even use AspNetWindowsTokenRoleProvider (more on this later). The overall problem however is anywhere a call to Membership.GetAllUsers is made. I had to comment these out because it always fails. I assume there's something that is missing.

For the roleManager, using AspNetWindowsTokenRoleProvider is possible, but I had to make a lot of changes since "administrators" and "editors" is hardcoded throughout the code (more the former than the latter). I think that these should be made constants somewhere to make them easier to change.

So, with some tweaking it is possible to get it all working. The specific details will have to come in another post I'm afraid, as I cannot do it right now. The main caveat I see is the method used to list all the users or to get to all the users seems to be causing problems for me and the exception thrown is cryptic.

More to come...
Jan 11, 2008 at 6:23 AM
I ran into the GetAllUsers issue and was able to overcome it by adding enableSearchMethods="true" to the membership settings:

<membership defaultProvider="MyADMembershipProvider">
    <providers>
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,
                   Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="domain\administrator"
             connectionPassword="Password"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
    </providers>
</membership>

I also was able to keep the roles.xml for the role provider, but can't seem to get any of the administration pages to work... Still working it though...
Jan 15, 2008 at 2:14 PM
dscoduc or lvildosola? Are you still working on this? Looking forward to your solution. This prevents me from promoting BlogEngine in our organization. I wish I could simply change the configuration to make it work. But it seems not...
Jan 16, 2008 at 1:30 AM
I have been pretty busy, so I have not had a chance to do any further research on this one. However, I can see that there may be a problem getting all users from AD, since these may be many. In any case, I have not been able to provide a reasonably clean solution. So, at this time, at least, I would say that without changes to BE.NET you may not be able to do this cleanly. dscoduc seems to be closer than I to getting it working. I don't know if he managed to get further on it. Sorry.
Jan 16, 2008 at 4:33 PM
I too have been distracted on other projects. I will try and spend some time over the next several days to have a look at finishing this up...

Stay tuned!
Jan 16, 2008 at 7:28 PM
Hi, I have also been working with BlogEngine.NET for my company and am trying to get Windows Authentication to work. I have managed some success building on top of lvildosola's original suggestion (i.e. setting impersonate to true, etc.)

Rather than going to an AD server, which is not an option for me here, I based role membership on the user's NT groups. On my box I simply defined two local groups on the server for blog editors & admins, and to these I added AD users and/or groups. (I'm not a security guy but my understanding is this approach is a best practice for regulating app access on a server anyhow.)

Once I had this I wrote a simple custom role provider based on WindowsTokenRoleProvider to map NT groups to BE roles. The user's groups are provided already by the base class so this is a snap. I used an XML file to define the mapping, but any way will work.

I haven't got too far in testing but so far this method appears to work, except as mentioned you lose the ability to get all users. I'm thinking of getting around this by having users.xml simply grow as new users log in. I believe the only thing this won't allow for is letting an admin do a post-as-any but I don't need that. I'm still very new to BlogEngine.NET though so it's very possible I've overlooked something.

I will keep you posted.

NOTE: If you try this, use RUNAS to launch IE during testing to be sure the group changes you make get used immediately.
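One way to implement the custom role provider described in this post (example code added here; it is not the poster's provider and not part of BlogEngine.NET): it subclasses WindowsTokenRoleProvider and maps the Windows groups the base class returns to BlogEngine role names read from an assumed roleMap.xml file, whose location comes from an assumed mappingFile attribute on the provider's <add> element in Web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Hosting;
using System.Web.Security;
using System.Xml.Linq;

// Added example, not BlogEngine.NET or the poster's code. Expects a mapping file like:
// <roleMap>
//   <role name="Administrators"><group>MYSERVER\BlogAdmins</group></role>
//   <role name="Editors"><group>MYSERVER\BlogEditors</group></role>
// </roleMap>
public class GroupMappingRoleProvider : WindowsTokenRoleProvider
{
    // BlogEngine role name -> Windows groups that grant it (both case-insensitive)
    private Dictionary<string, HashSet<string>> _map;

    public override void Initialize(string name, NameValueCollection config)
    {
        // "mappingFile" is an assumed attribute on the provider's <add> element in Web.config;
        // it must be removed before base.Initialize, which rejects unknown attributes.
        string path = config["mappingFile"] ?? "~/App_Data/roleMap.xml";
        config.Remove("mappingFile");
        base.Initialize(name, config);
        _map = LoadMap(HostingEnvironment.MapPath(path));
    }

    internal static Dictionary<string, HashSet<string>> LoadMap(string path)
    {
        return XDocument.Load(path).Root.Elements("role").ToDictionary(
            r => (string)r.Attribute("name"),
            r => new HashSet<string>(r.Elements("group").Select(g => g.Value.Trim()),
                                     StringComparer.OrdinalIgnoreCase),
            StringComparer.OrdinalIgnoreCase);
    }

    // The base class resolves the Windows groups (DOMAIN\Group or MACHINE\Group) from the
    // authenticated user's token; a role is granted when any of its configured groups is among them.
    public override string[] GetRolesForUser(string username)
    {
        var groups = new HashSet<string>(base.GetRolesForUser(username), StringComparer.OrdinalIgnoreCase);
        return _map.Where(kv => kv.Value.Overlaps(groups)).Select(kv => kv.Key).ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
}
```

Register it as the defaultProvider under roleManager in Web.config; because only the current request's token is inspected, the base class still cannot enumerate users, which matches the limitation the post notes.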
Jan 17, 2008 at 12:38 AM
I was able to complete my testing and get everything working. I completed a write up on my blog and would like to hear if anyone has any problems. You can find the details at http://www.dscoduc.com/post/2008/01/Active-Directory-for-BlogEngineNET-Membership-Provider.aspx.
Dec 1, 2009 at 4:01 PM
Wow,

dscoduc, it was so easy to set up ADAuthProvider for a "not the coding guy" like me. It's working now with roles.xml for giving the users their roles.

I have another small question. I'd like to make the web for authenticated users only, the Reader role, as you named it a few posts above. Can you help on this point?

Jenda

Jul 14, 2010 at 2:55 PM
dscoduc, thanks so much for your article. It's well written but I can't get it working. I have tried every combination of settings I can think of. I have tried a fresh version of the code (v1.6.0) and even an old version (v1.4.5). I've tried everything short of re-writing the provider. I have spent quite some time on this problem and it's driving me nuts.

The error is always the same: a ProviderException ("Property 'userAccountControl' not found.") is generated whenever GetAllUsers is called. By following the stack trace deep into .NET code I found the 'direct' reason. During a sorting procedure the following code is executed:

if (this.directoryInfo.DirectoryType == DirectoryType.AD)
{
    searcher.PropertiesToLoad.Add("userAccountControl");
}

Then user objects are compared by this "userAccountControl" property they don't have and an exception is generated.

I've read about several similar problems on the net but it didn't help me.

Any help would be awesome!