How to Authorize Users against ADAM Using the Authorization Manager Role Provider
J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
If your application stores role information in an Authorization Manager (AzMan) policy store in ADAM, use the Authorization Manager Role Provider. Authorization Manager provides a Microsoft Management Console (MMC) snap-in for creating and managing roles and for managing role membership for users.
Use the following steps to authorize users against roles stored in ADAM:
- Use the Authorization Manager (AzMan) to store roles in an ADAM policy store. Currently you can create an ADAM store only on Windows 2003.
- Run Azman.msc from the Start->Run menu item.
- Within AzMan, right-click on “Authorization Manager” and choose “New Authorization Store”. Select “Active Directory” and enter a name to create the ADAM store.
- Right-click on the Groups folder of the Active Directory store you just created, select “New Application Group…” Enter a name for the group you want to create. Repeat this step to create as many groups as needed.
- Add Windows users to the AzMan group(s) you have created. Double-click on each group you created and use the Members tab to add the users.
- Configure the web.config or app.config file to use the ADAM store.
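The following web.config fragment is an added example of this step; it is not configuration from the original guide, and the connection string, store DN, provider name, application name and service name are placeholders you must replace with your own values. The ADAM store is referenced with an msldap:// connection string, the built-in AuthorizationStoreRoleProvider exposes AzMan roles as ASP.NET roles, and serviceAuthorization switches WCF from its default Windows-group check to those roles so that PrincipalPermission demands are evaluated against the ADAM store rather than against local Windows groups.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: host, port and DN of the AzMan store you created in ADAM (assumed values) -->
    <add name="AzManAdamStore"
         connectionString="msldap://adam-host:389/CN=ServiceStore,OU=AzMan,DC=example,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Expose AzMan roles to the service through the ASP.NET role manager -->
    <roleManager enabled="true" defaultProvider="AzManRoleProvider">
      <providers>
        <clear />
        <add name="AzManRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AzManAdamStore"
             applicationName="CalculatorService"
             cacheRefreshInterval="60" />
      </providers>
    </roleManager>
  </system.web>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AzManBehavior">
          <!-- Without principalPermissionMode="UseAspNetRoles", the default (UseWindowsGroups)
               would check Windows group membership instead of the roles in the ADAM store -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="AzManRoleProvider" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <!-- Placeholder service; bind it to the behavior above so the role provider is used -->
      <service name="CalculatorService" behaviorConfiguration="AzManBehavior">
        <endpoint address="" binding="wsHttpBinding" contract="ICalculatorService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Check the effect of this configuration by calling the method with an account that is authenticated but is not a member of the required AzMan role: the call must fail with a security exception. If it succeeds, the most common cause is that principalPermissionMode was left at its default and the demand was satisfied by a Windows group of the same name.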
- Authorize the users declaratively by adding the PrincipalPermission attribute above each service method that requires authorization. Specify the user group required to access the method in the Role field.

using System.Security.Permissions;

// Only callers whose principal is in the "accounting" role may invoke this method;
// the demand is evaluated before the method body runs.
[PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
public double Add(double a, double b)
{
    return a + b;
}
- The username/password combination supplied by the client is mapped by the WCF service to a Windows user account. If the user is successfully authenticated, the system next checks whether the user belongs to the group declared in the PrincipalPermission role. Method access is granted only if the user belongs to that role.