Monday, March 23, 2009

An Active Directory Role Provider That Works

Most of our web apps to date have used SqlMembershipProvider and SqlRoleProvider; however, a recent app needed ActiveDirectoryMembershipProvider. The client wanted to authenticate against AD, but also wanted to allow users to sign out of the app, or to allow different users to log in.

Setting the Membership provider up is fairly trivial, but the Role Provider is a little counter-intuitive. First, there's no "ADRoleProvider". AuthorizationStoreRoleProvider is supposed to work with AD, as is WindowsTokenRoleProvider, but each had some unique errors. I'm a little fuzzy on exactly why the errors occurred, but both seemed to be assuming the current process's principal would be a WindowsPrincipal - in other words, they assumed we'd be using Windows authentication, not forms.

After some digging, I decided a custom ADRoleProvider was in order.  After trying a few, this was the only one that allowed specifying credentials, similar to the way the AD Membership Provider works:  http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html

Usage was trivial - just cut-and-paste the class, then add to web config with the same connection info as the Membership Provider, and everything Just Worked.  I do have a nagging suspicion that MS didn't _want_ role provider to work this way, possibly due to security or performance concerns, but we'll see.
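A web.config that wires the membership provider and the custom role provider to the same AD connection under forms authentication, added here as an example; it is not the post's or the linked provider's own configuration. The domain controller, naming context, service account, the role provider's type name and its attribute names are assumptions (the attributes a pasted-in class actually reads depend on that class):

```xml
<!-- web.config for an ASP.NET 2.0/3.5 app: AD membership + custom AD role provider, forms auth -->
<configuration>
  <connectionStrings>
    <!-- Placeholder domain controller and naming context -->
    <add name="ADConnection"
         connectionString="LDAP://dc01.example.local/DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth, so users can sign out or a different user can log in -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name=".ADAUTH" timeout="20"
             requireSSL="true" slidingExpiration="false" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- no anonymous access -->
    </authorization>
    <membership defaultProvider="ADMembership">
      <providers>
        <clear />
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionUsername="EXAMPLE\svc_webapp"
             connectionPassword="PLACEHOLDER_PASSWORD"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
    <!-- Roles cached in an encrypted, signed, HTTPS-only cookie to avoid an LDAP query per request -->
    <roleManager enabled="true" defaultProvider="ADRoles"
                 cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true">
      <providers>
        <clear />
        <!-- Type name and attribute names are assumed; the post's provider takes the same
             connection info as the membership provider, so the same values are reused here -->
        <add name="ADRoles"
             type="MyApp.Security.ADRoleProvider, MyApp"
             connectionStringName="ADConnection"
             connectionUsername="EXAMPLE\svc_webapp"
             connectionPassword="PLACEHOLDER_PASSWORD" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Because the service account password sits in plain text in two sections, encrypt them on the server with aspnet_regiis -pe (for example -pe "system.web/membership" and -pe "system.web/roleManager"), and give that account read-only rights in the directory.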
