How to Authorize Users against Windows Groups Using the AspNetWindowsTokenRoleProvider

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you use Windows groups for authorization, consider using the ASP.NET role provider named AspNetWindowsTokenRoleProvider. This separates the design of your authorization from its implementation inside your service: if you later decide to change the role provider, the code that performs the authorization is not affected. Also, when doing imperative checks, consider using the role manager API instead of performing authorization checks with WindowsPrincipal.IsInRole.

The following configuration example shows how to configure AspNetWindowsTokenRoleProvider.
  1. Enable the role manager and configure it to use AspNetWindowsTokenRoleProvider as the default provider:
<system.web>
    …
    <roleManager enabled="true"
        defaultProvider="AspNetWindowsTokenRoleProvider" />
    …
</system.web>
  2. Configure the service behavior to use UseAspNetRoles as the principal permission mode, together with the role provider:
<behaviors>
    <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
            <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                roleProviderName="AspNetWindowsTokenRoleProvider" />
            <serviceMetadata />
        </behavior>
    </serviceBehaviors>
</behaviors>
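
With the configuration above in place, the following added example (not code from the original guide) shows a declarative check and an imperative check through the role manager API, neither of which calls WindowsPrincipal.IsInRole. The service contract, class, and CONTOSO group names are hypothetical, and the service is assumed to authenticate callers with Windows credentials.

```csharp
using System.Security.Permissions;
using System.ServiceModel;
using System.Web.Security;   // role manager API (reference System.Web.dll)

[ServiceContract]
public interface IOrderService          // hypothetical contract
{
    [OperationContract]
    string GetOrders();

    [OperationContract]
    void ApproveOrder(int orderId);
}

public class OrderService : IOrderService
{
    // Hypothetical Windows groups, written as DOMAIN\Group,
    // which is the role name form the Windows token provider expects.
    private const string ReadersGroup = @"CONTOSO\OrderReaders";
    private const string ApproversGroup = @"CONTOSO\OrderApprovers";

    // Declarative check: with principalPermissionMode="UseAspNetRoles",
    // the demand is evaluated through the configured role provider
    // before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = ReadersGroup)]
    public string GetOrders()
    {
        return "order list";
    }

    // Imperative check: Roles.IsUserInRole(roleName) asks the default
    // role provider about the current caller. The code does not change
    // if a different role provider is configured later.
    public void ApproveOrder(int orderId)
    {
        if (!Roles.IsUserInRole(ApproversGroup))
        {
            // Fail closed and return a generic fault that does not
            // reveal which group was required.
            throw new FaultException("Access is denied.");
        }

        // Authorized: perform the approval here.
    }
}
```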

Last edited Jun 13, 2008 at 6:15 PM by prashantbansode, version 1
