.NET Tutorials, Forums, Interview Questions And Answers

UserPrincipal, IIdentity and WCF authorization

Posted By:    Posted Date: September 06, 2010    Points: 0    Category: .NET Framework

We are developing a client-service WPF application which consumes various WCF services. For authentication of the WPF desktop app, we are trying to use System.DirectoryServices.AccountManagement against the AD DS in Server 2008.

The overall intended security flow:

1. User enters user name and password.
2. Application authenticates against AD DS in Server 2008 using System.DirectoryServices.AccountManagement, and obtains a UserPrincipal.

Now, should we set the UserPrincipal using AppDomain.Current.SetThreadPrincipal, so that the WCF client can pick the Principal up and use it for transport and message clientCredentials?

My questions are:

1. UserPrincipal is not System.Security.Principal.IPrincipal, so I can't set it as the current AppDomain ThreadPrincipal. Is this correct?
2. Does System.DirectoryServices offer an API to acquire a Kerberos token that I can pass to the WCF client? I tried looking at System.DirectoryServices.ActiveDirectory but can't seem to find any.
3. How should the WPF app disable/hide certain UI controls/views based on the user's role? Should we use AzMan?
4. How should the WCF service authorize based on user role? AzMan?

Thank you in advance!

Best regards,
KhoonSeang


More Related Resource Links

URL Authorization



I have two tables with a foreign key and the other required things to get the user data from the logged-in user name.

When I visit the page that should show the logged-in user's information, I get an error (return nothing, null exception, etc.).

I did set the URL authorization on this page and now I am getting (unauthorized access).

I used the login page with the Login control, and from its properties I made the destination page (information.aspx); it is the page where I want to show the user data, and I did the URL authorization on it, so it should be permitted for that specific logged-in user, but even when I log in, I still get (unauthorized access).

How can I let this page know that I am already logged in and accept me as a logged-in user, the same one I gave the permit to in the web.config?


userprincipal.changepassword throws exception


Hi all,

      userPrincipal.ChangePassword(oldPassword, newPassword);

gives the error: "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. (Exception from HRESULT: 0x80070547)"

but

      userDirectoryEntry.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
      userDirectoryEntry.CommitChanges();

works fine.

Can anyone please tell me the reason behind this?

Claims-Based Apps: Claims-Based Authorization with WIF


Over the past few years, federated security models and claims-based access control have become increasingly popular. Platform tools in this area have also come a long way. Windows Identity Foundation (WIF) is a rich identity model framework designed for building claims-based applications and services and for supporting active and passive federated security scenarios.

Michele Leroux Bustamante

MSDN Magazine November 2009

Service Station: Authorization In WCF-Based Services


Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.

Dominick Baier and Christian Weyer

MSDN Magazine October 2008

Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager


Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.

Keith Brown

MSDN Magazine November 2003

How does web.config authorization work in MVC



I would like to secure any URL below http://MyServer/Admins and limit it to a specific role.

In WebForms it was straightforward: I just put a child web.config in the /Admin/ folder and added <authorization> <allow roles> tags to it.

What would be the equivalent technique in MVC?

Thank you,
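The MVC equivalent, as an added example that is not code from the post: in MVC a request is dispatched by route to a controller, so a child web.config under a folder does not guard the controller; an authorization filter does. The role name "Admins" and the controller are assumed, and the filter answers an authenticated user who lacks the role with 403 instead of bouncing them to the login page.

```csharp
using System.Web.Mvc;

// Added example, not from the post. Assumes a role named "Admins" and a controller
// served under /Admins. Routing, not the folder layout, decides which code runs for a
// URL in MVC, so a folder-level web.config <authorization> does not protect it.
public class AdminsAccessAttribute : AuthorizeAttribute
{
    public AdminsAccessAttribute()
    {
        Roles = "Admins";
    }

    // The stock filter redirects every failure to the login page. A user who is already
    // authenticated but not in the role would just loop, so return 403 for that case.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Role 'Admins' required.");
        else
            base.HandleUnauthorizedRequest(filterContext);   // anonymous: send to login
    }
}

// Applying the attribute at class level covers every action the controller exposes,
// including ones added later; applying it per action leaves new actions open by default.
[AdminsAccess]
public class AdminsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Users()
    {
        return View();
    }
}
```

If several controllers live under /Admins, registering the attribute as a global filter (or on a shared base controller) avoids forgetting one.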


Guidelines required for 'Role-based authentication/authorization'



In my ASP.NET website in VS 2005 with SQL Server 2005 as the database, I need to implement role-based authentication/authorization.

I am familiar with the practices used in role-based authentication, as I have previously worked on projects that used this method. However, my project lead used to design the database. Now I have an existing website where authentication has been set to anonymous by setting 'allow users="?"' in the authentication tags in web.config.

If I use the CreateUserWizard control and use the Membership.CreateUser(.....) method in the code-behind, will the ASP.NET security tables, like users, roles, usersinroles etc., get created on their own? Can anyone please give the proper steps on how to achieve this?

UserPrincipal.FindByIdentity Permissions

I'm attempting to use the System.DirectoryServices.AccountManagement library to obtain the UserPrincipal for a particular Active Directory user. I've got the following code:

    PrincipalContext context = new PrincipalContext(ContextType.Domain, "DomainName");
    userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);

This code is running as a valid domain user, but when I execute it I get the following exception:

    System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): Logon failure: unknown user name or bad password.

What's interesting is that I can make the following call, using the same context, without a problem:

    context.ValidateCredentials(username, password, ContextOptions.Negotiate)

Ideas?

Using ONLY User Certificates for SharePoint 2010 Authentication/Authorization

Hello, I am relatively new to SharePoint, and was wondering how I can accomplish using only user certificates to authenticate (and eventually authorize) access to the SharePoint 2010 Server (not just IIS). My environment currently looks like this:

- SharePoint is SSL-enabled
- User browser certificates (generated using OpenSSL) successfully authenticate to the IIS server
- SharePoint uses Basic Authentication (user/password based on AD credentials)

I need to:

- Authenticate the user to SharePoint using the user certificate from my browser (in other words, no password authentication to access the SharePoint website, but use the certificate that was used by IIS to be able to log into SharePoint)

I am assuming I must use some sort of claims-based authentication. Ideally, I would like to use ONLY the certificate itself as the authorized repository for authentication. However, I am also open to having the user certificate be linked to Active Directory users as well. I have done some research on this but am still lost as to how to approach this problem. Has anyone done this, or can anyone assist me in getting this to work? Any help would be greatly appreciated. Thanks!

WCF IP authentication / authorization

I need to secure my WCF web service. I wish to only allow messages coming from a certain IP to make calls to my web services. Is there a way to detect the client's IP address and permit or not permit the call at the web service level? What would be the best way of doing this? I cannot use IIS to filter out IPs because my web service sits behind a reverse proxy, so all traffic hitting the web server has the same IP address.

Thanks
DW
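One way to do the check the post asks about, as an added example that is not the poster's code: a ServiceAuthorizationManager that reads the TCP peer from RemoteEndpointMessageProperty and consults X-Forwarded-For only when that peer is the reverse proxy, since any caller can send that header. The proxy address 10.0.0.5 and the permitted client 203.0.113.10 are assumed values.

```csharp
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example, not from the post. Allowlist filter for a WCF service behind a reverse proxy.
// Assumed values: the proxy's own address is 10.0.0.5; the one permitted client is 203.0.113.10.
public class IpAllowlistAuthorizationManager : ServiceAuthorizationManager
{
    static readonly HashSet<string> AllowedClients = new HashSet<string> { "203.0.113.10" };
    static readonly HashSet<string> TrustedProxies = new HashSet<string> { "10.0.0.5" };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var props = operationContext.IncomingMessageProperties;
        object value;
        if (!props.TryGetValue(RemoteEndpointMessageProperty.Name, out value)) return false;
        string peer = ((RemoteEndpointMessageProperty)value).Address;   // TCP peer: normally the proxy

        string forwardedFor = null;
        if (props.TryGetValue(HttpRequestMessageProperty.Name, out value))
            forwardedFor = ((HttpRequestMessageProperty)value).Headers["X-Forwarded-For"];

        string client = ResolveClientAddress(peer, forwardedFor);
        return client != null && AllowedClients.Contains(client);
    }

    // X-Forwarded-For is caller-controlled unless a proxy we trust wrote it, so it is used only
    // when the TCP peer is that proxy; a request that bypassed the proxy is judged by its own
    // address. A proxy appends the address it saw, so the right-most entry is the one it added
    // and anything to its left came from the client and is ignored.
    public static string ResolveClientAddress(string peer, string forwardedFor)
    {
        if (!TrustedProxies.Contains(peer)) return peer;
        if (string.IsNullOrEmpty(forwardedFor)) return null;   // proxy did not say who called

        string[] hops = forwardedFor.Split(',');
        string last = hops[hops.Length - 1].Trim();
        IPAddress parsed;
        return IPAddress.TryParse(last, out parsed) ? parsed.ToString() : null;
    }
}

// Registration (service config):
//   <serviceAuthorization serviceAuthorizationManagerType="IpAllowlistAuthorizationManager, YourAssembly" />
```

RemoteEndpointMessageProperty is available from .NET 3.5; a request rejected here gets an access-denied fault before the operation runs, which is worth logging with the peer and header values to spot spoofing attempts.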

WCF Custom Authentication and Authorization

Hi, I'm porting a recently developed asmx service to a WCF service. We used WSE 3.0 UsernameToken authentication for the asmx service. The service authenticates the username and password against AD and then gets a list of things the account can do for authorization. I'm trying to do this with WCF. I've got the authentication working. The authorization is causing me problems. In the asmx service I read the username and password off the UsernameToken with this:

    UsernameToken token = (UsernameToken)RequestSoapContext.Current.IdentityToken;

I can get the username and password in the WCF service using a custom UserNamePasswordValidator, which works great, but what is the best way to do the authorization? I can't do it in the custom validator because that is common to all services for the project. So I have to do it at a later stage, which means reading the username and password somehow (off the channel?). Any ideas?

Thanks

Best way to implement authentication and authorization for a sharepoint 2010 website.

Hi, I come across different authentication methods in SharePoint 2010. The SharePoint website we are developing as of now is an intranet site. Later we are planning to move it to an Internet (public) site. What will be the best way to implement authentication and authorization for our website?

If Windows authentication (classic mode authentication) is the default for a SharePoint 2010 website, I have a few questions regarding Windows authentication:

1) In case of Windows authentication, where should we maintain users?
2) In case of Windows authentication, how are the users created?
3) In case of Windows authentication, how can I perform authorization?

If we want to use FBA (forms-based authentication) in SharePoint 2010, I have a few questions regarding FBA in SharePoint 2010:

1) In case of FBA (using claims-based authentication), if we want to use a custom database (where we are storing user details and roles) rather than the built-in SQL membership provider, how can we achieve this?

Can anyone provide some useful resources to implement authentication (Windows or FBA or dual) and authorization for a SharePoint 2010 website with sample code? Please reply ASAP.

Thanks & Regards
Mahendra Babu

Issue with URL Authorization in IIS 7

Hi, I am using ASP.NET URL Authorization to restrict the SharePoint settings page to farm administrators only:

    <configuration>
      <location path="_layout/settings.aspx">
        <system.web>
          <authorization>
            <allow roles="Domain\FarmAdmins" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

But this works only for the site at the top level in a web application. It is not working for site collections which are configured at the managed path level. If any of you have some ideas on how to fix this issue, please let me know.

IIdentity within Xbap

I am trying to get a custom IIdentity to run under XBAP but get the following error:

    System.Runtime.Serialization.SerializationException was unhandled
    Message: Type is not resolved for member 'xxx.AppIdentity,xxx.Data.DomainModel, Version=, Culture=neutral, PublicKeyToken=null'.

    [Serializable]
    public class AppIdentity : IIdentity { ... }

Mixed authorization on one website

I have an ASP.NET application that can be installed with either Forms Authentication or Windows Authentication. All of my customers install using Windows Authentication. I use Forms Authentication in-house as it is easier for me to work with different clients. But enough about that.

I have a module as part of my application for mobile users. It displays a very simple HTML interface for low-bandwidth phones and air cards. It seems that when some phones go to this type of site with Windows Authentication, it throws an error saying that you aren't authorized to view the page. From a computer, it will ask for credentials.

What I would like to do is use Windows Authentication or Forms for my main application, but in the MOBILE folder it would be nice if I could use FORMS Authentication. Can I mix the two? Can I just add a Web.Config to the folder for the mobile files and put FORMS Authentication in it?

The only other ways I thought of doing this are:

1) Create a separate installable application that is always FORMS Authentication and is not part of the main application. Which sucks, as I now have to manage two applications.
2) In the main Web.Config I can set that folder to have no authentication so it will be available to anyone, and then enforce my own authentication.

WCF Authorization with Active Directory

Hi, I'm after comments and suggestions on the way forward on the following. Any information about past experience would be most appreciated.

I'm trying to work out the best way to develop authentication for a WCF project. Currently I have an AD server with a domain set up by our systems admin. I'm not sure if it's AzMan. I'm not really up to speed on it. I developed the original version under pressure to deliver and wrote a "home-made" AD interface using LDAP and the DirectoryServices classes, on a Saturday, which validated the username and password against AD and then retrieved the username's roles. The original project was asmx services based on a previous framework, and it all worked, but very rough and very stiff. We talked about changing the AD schema recently and I started sweating!

I've now replaced asmx with WCF. I'm using...

- username authentication
- custom authentication manager
- custom authorization manager
- custom authorization policy

I want to use role-based authorization. I've found the AuthorizationStoreRoleProvider. Can this be used over AD without it being AzMan? The project manager is not keen to change the AD schema. Also, I found the "How To: Use Authorization Manager (AzMan) with ASP.NET 2.0", which has a "Retired Content" note at the top! Failing that I could follow the example of something like this (given in http://msdn.
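The flow that the first post (UserPrincipal, IIdentity and WCF authorization), the "WCF Custom Authentication and Authorization" post and this post all describe, as an added example that is not code from any of the posts: a UserNamePasswordValidator that checks the credentials against AD, and a custom IAuthorizationPolicy that uses UserPrincipal only to look up group membership and then publishes a real IPrincipal, so role demands on the operations work without AzMan or a schema change. The domain name "CONTOSO", the policy id and the role name in the wire-up comment are assumed.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;

// Step 1: authenticate the UserName token against AD. "CONTOSO" is an assumed domain name.
public class AdPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, "CONTOSO"))
        {
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                throw new SecurityTokenException("Unknown user name or bad password.");
        }
    }
}

// Step 2: turn the authenticated identity into an IPrincipal whose roles are AD group names.
// UserPrincipal is not an IPrincipal, so it is used only to find the groups; the lookup runs
// once per call after authentication, which is where WCF lets a policy add a principal.
public class AdRolePolicy : IAuthorizationPolicy
{
    public string Id { get { return "urn:example:ad-role-policy"; } }   // assumed id
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object value;
        if (!context.Properties.TryGetValue("Identities", out value)) return false;
        var identities = (IList<IIdentity>)value;
        if (identities.Count == 0) return false;   // nothing authenticated: deny

        var roles = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain, "CONTOSO"))
        using (var user = UserPrincipal.FindByIdentity(ctx, identities[0].Name))
        {
            if (user == null) return false;
            foreach (var group in user.GetAuthorizationGroups())   // nested groups included
                if (group.SamAccountName != null) roles.Add(group.SamAccountName);
        }
        context.Properties["Principal"] = new GenericPrincipal(identities[0], roles.ToArray());
        return true;
    }
}
// Wire-up: <serviceAuthorization principalPermissionMode="Custom"> with <authorizationPolicies>
//   <add policyType="AdRolePolicy, YourAssembly" /> and, on each operation,
//   [PrincipalPermission(SecurityAction.Demand, Role = "Domain Admins")]  (assumed role name)
```

With principalPermissionMode="Custom" WCF also sets Thread.CurrentPrincipal to the published principal for the duration of the call, so service code can use IsInRole checks as well as attribute demands.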

My master page won't load when using authorization in web.config

I don't have any sub-catalogs for the .aspx files, and this is my web.config file:

    <system.web>
      <compilation debug="true" targetFramework="4.0" />
      <authentication mode="Forms">
        <forms loginUrl="Login.aspx" name="sqlAuthCookie" timeout="60" />
      </authentication>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>

It's as if Login.aspx won't grab the Site.Master if I add this authorization. I get directed to Login.aspx if I try to enter any other page, but without seeing the master page. Is this enough info to solve this, or do you need to know what the other pages look like? Let me know!

Thanks in advance.
Niklas