Understanding ASP.NET authorization

Create an AzMan Policy Store

The Roles Management API in ASP.NET allows you to implement application-specific roles and manage user role membership. To achieve this, the Roles Management system stores its data in an underlying data store that it accesses through an appropriate role provider for that data store. Supported role providers include SqlRoleProvider, WindowsTokenRoleProvider, and AuthorizationStoreRoleProvider. All of these implement a standard set of role provider interfaces.

You can use an AzMan policy store in Active Directory Application Mode (ADAM) to store role data that is specific to an application or Web site (such as what roles a user belongs to), while keeping that data separate from the generic user information (such as full name and Windows group membership), which is stored in a domain's Active Directory. When a user logs on to a Web site running ADAM, the site authenticates the user with the Active Directory user store, and then uses the AuthorizationStoreRoleProvider to read which roles the user belongs to from the application roles that are kept in the AzMan policy store in ADAM. The ASP.NET application and the ADAM instance do not have to be on the same server.

Create the AzMan Policy Store in ADAM

To create the AzMan policy store in ADAM

1. At the command prompt, type azman.msc to open the Authorization Manager snap-in.

2. On the Action menu, click Options, and then click Developer mode.

3. On the Action menu, click New Authorization Store. Set the Authorization store type as Active Directory. Type the following Store name, leave the description field blank, and then click OK.

   msldap:// servername**:** portnumber**/CN=AzManADAMStore,** partition

   In the command above:

   • Change servername to the name of your server or to localhost to administer the instance on the local computer.
   • Change portnumber to the port number you used when you set up the ADAM instance.
   • Change partition to the partition name that you created when you installed ADAM. If you used the suggested name in Step 1, this would be OU=SecNetPartition,O=SecNet,C=US.
   • The container name for your AzMan policy store in ADAM is CN=AzManADAMStore. You can change this to something else if you prefer.

4. Right-click the AzManADAMStore, and then click Properties. In the Properties window, click the Security tab.

5. Under Authorization Manager user role, choose the required access level from the following options:

   • Administrator. The user can do full role management and perform access checks.
   • Reader. The user can read the store and perform access checks.
   • Delegated User. When combined with the Administrator setting, this allows the user to audit applications and scopes. See Authorization auditing in Authorization Manager Help for details.

   For the purposes of this How To, select Administrator. Click the Add button to add the account that ASP.NET uses (the Network Service account) to this role.

   Note   If your ASP.NET application uses impersonation to impersonate a fixed identity or if you have configured your ASP.NET application to run under a custom account, you must add the impersonated account or custom account as an Administrator or Reader, according to the level of access required.

Create Roles and Assign Users in AzMan

In this step, you use the AzMan administration MMC snap-in to create a role named Manager. You then assign the task that you created in the previous step to the role.

To define roles with the AzMan administration MMC snap-in

1. At the Windows command prompt, type azman.msc to open the Authorization Manager MMC snap-in.
2. On the Action menu, click Options, and then click Administrator mode. Administrator mode exposes fewer options than developer mode, but it exposes only those configuration options that can be changed at run time, such as assigning tasks to roles and assigning users to roles.
3. On the AzMan Management Console tree, expand AzManDemo, and then expand Definitions.
4. Right-click Role Definitions, and then click New Role Definition.
5. In the Name box, type Manager, and then click OK.

To assign a user to a role with the Administration UI

1. Right-click the Role Assignments folder, and then click Assign Roles.
2. In the dialog box that appears, click the Manager check box, and then click OK.
3. Right-click the Manager role listed after the Role Assignments folder in the console tree, and then click Assign Windows Users and Groups.
4. Type the name of the Windows user account you are logged on as, click Check Names, and then click OK. This assigns your user account to the Manager role.

To associate tasks with roles

1. In the Role Definitions folder, double-click the Manager role you created previously.
2. Click the Definition tab, and then click Add.
3. In the Add Definition dialog box, click the Tasks tab, and then click the Privileged Task check box (this is the task you created in the previous step). Click OK twice. This assigns the Privileged Task task to the Manager role.

AzMan is available for use in the following versions of Windows: Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, or Windows XP. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.