January 23, 2006 - 09:16 UTC - Tags: ADAM authorization ASP.NET roles AD LDS
This entry will explain the steps you need to take, to use ADAM for both roles and membership in ASP.NET 2.0 and authorization manager.
I read an article from Microsoft explaining how to use ADAM for roles (How To: Use ADAM for Roles in ASP.NET 2.0), and thought that I would then be able to use ADAM for both roles and membership without writing a single line of code. After much hassle, I found a blog entry stating that this is not possible:
Problems with AzMan and ADAM (at least not with WS2003 SP1)
You can still make it work, but there are some steps you need to go through, and this also involves writing some code.
Initial steps
- Install ADAM, and set up ASP.NET 2.0 to use the ADAM instance as the Membership Provider (read my previous entry or check MSDN).
- Go through Step 2 of the MSDN article: How To: Use ADAM for Roles in ASP.NET 2.0
Writing a custom RoleProvider
As mentioned in the blog entry linked to above, the AuthorizationStoreRoleProvider only seems to work when you're using Windows authentication. If you want to use forms authentication, you will have to write your own RoleProvider, as the AuthorizationStoreRoleProvider is unable to map the application users to the ADAM users. This may seem like a lot of work, but actually it is quite simple. Microsoft has written an article on Implementing a Role Provider, which explains the methods you need to implement and the exceptions they should throw on errors.
To use Authorization Manager in your role provider, you should add a reference to Microsoft.Interop.Security.AzRoles. This gives you access to a number of different classes. The most interesting are perhaps AzAuthorizationStoreClass, IAzApplication2, IAzTask and IAzRole.
To open a connection to the ADAM AzMan store, you can use AzAuthorizationStoreClass and IAzApplication2:
// azManConnectionString is the msldap:// URL of the AzMan store in ADAM
AzAuthorizationStore _azStore = new AzAuthorizationStoreClass();
_azStore.Initialize(0, azManConnectionString, null);
// azManApplicationName is the AzMan application created in Step 2 of the MSDN article
IAzApplication2 _azApp = _azStore.OpenApplication2(azManApplicationName, null);
The IAzTask interface does not only represent the AzMan tasks but also the role definitions. This means that you have to use both an IAzRole and an IAzTask when creating and deleting roles in the application.
// A role definition is a task flagged as a role definition...
IAzTask task = _azApp.CreateTask(roleName, null);
task.IsRoleDefinition = true;
task.Submit(0, null);
// ...and the IAzRole (the role assignment) references it by name
IAzRole role = _azApp.CreateRole(roleName, null);
role.AddTask(roleName, null);
role.Submit(0, null);
When checking the roles of a user, you need to provide the SID of the user. This is done in the following way:
MembershipUser user = Membership.GetUser(username);
// ProviderUserKey holds the user's ADAM objectSid; 1 = AZ_CLIENT_CONTEXT_SKIP_GROUP
IAzClientContext context = _azApp.InitializeClientContextFromStringSid(
    user.ProviderUserKey.ToString(), 1, null);
object[] roles = (object[])context.GetRoles("");
When adding or removing a user from a role, you can use the IAzRole class. In Authorization Manager this class actually represents the role assignments. To add a user to a role, do the following:
MembershipUser user = Membership.GetUser(username);
IAzRole role = _azApp.OpenRole(rolename, null);
role.AddMember(user.ProviderUserKey.ToString(), null);
role.Submit(0, null);
Using the code parts above together with the MSDN article should allow you to implement a working role provider storing both roles and users in ADAM.
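The snippets above wired into one provider class, as an added example rather than the author's code: the class name AzManAdamRoleProvider and the helper SidFor are assumed, the class is declared partial so the remaining abstract RoleProvider members (ApplicationName, DeleteRole, GetAllRoles and so on) can be implemented in a second file, and the store URL is read from the connection string named by the connectionStringName attribute of the web.config entry.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Web.Security;
using Microsoft.Interop.Security.AzRoles;

// Assumed class name; ApplicationName and the other abstract RoleProvider members go in a second partial file.
public partial class AzManAdamRoleProvider : RoleProvider
{
    private AzAuthorizationStore _azStore;
    private IAzApplication2 _azApp;

    // Reads connectionStringName and applicationName from the <add .../> element and opens the AzMan application once.
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[config["connectionStringName"]];
        if (cs == null) throw new ProviderException("connectionStringName is missing or unknown.");
        _azStore = new AzAuthorizationStoreClass();
        _azStore.Initialize(0, cs.ConnectionString, null); // msldap:// URL of the ADAM store
        _azApp = _azStore.OpenApplication2(config["applicationName"], null);
    }

    // AzMan keys role assignments on the SID, which the ADAM membership provider exposes as ProviderUserKey.
    private string SidFor(string username)
    {
        MembershipUser user = Membership.GetUser(username);
        if (user == null) throw new ProviderException("Unknown user: " + username);
        return user.ProviderUserKey.ToString();
    }

    public override string[] GetRolesForUser(string username)
    {
        // 1 = AZ_CLIENT_CONTEXT_SKIP_GROUP: no Windows group expansion, which ADAM users do not have
        IAzClientContext ctx = _azApp.InitializeClientContextFromStringSid(SidFor(username), 1, null);
        object[] roles = (object[])ctx.GetRoles("");
        return Array.ConvertAll<object, string>(roles, delegate(object o) { return (string)o; });
    }

    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        foreach (string roleName in roleNames)
        {
            IAzRole role = _azApp.OpenRole(roleName, null); // throws if the role does not exist
            foreach (string username in usernames)
                role.AddMember(SidFor(username), null);
            role.Submit(0, null); // one commit per role, after all members are added
        }
    }
}
```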
Configuring ASP.NET 2.0 to use the new role provider
To use the role provider with ASP.NET 2.0, simply add a connection string (I assume and suggest you use a connection string to set the URI of the AzMan ADAM store) and the following to your web.config:
<roleManager cacheRolesInCookie="true" defaultProvider="RoleManagerAzManADAMProvider">
<providers>
<add connectionStringName="connectionstringname" applicationName="ONE_ABB" name="RoleManagerAzManADAMProvider" type="Package.Class, Assembly"/>
</providers>
</roleManager>
The parts you need to change are the name of the connection string and the type attribute. The type attribute contains the namespace and class of the role provider you just created. If the class is in another assembly, you also need to add the assembly name. If it is in the same assembly, you can omit the "," and the assembly part.
Final comments
I guess Microsoft will provide a proper provider in time, but this should work for now. Please note, though, that the users added to the roles will not show up in azman.msc, and you will not be able to add users to the roles in azman.msc either.