I haven't done this with Kartris, but have with our in-house database so hopefully I can point you in the right direction.
First you will need to add the following into your web.config under the <connectionStrings> tag. Depending on your AD organisational units the paths will differ; the following is based on an SBS network with the fictional domain of test.local.
    <!-- User connection string -->
    <add name="ADUsersConnectionString" connectionString="LDAP://TEST.local/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=TEST,DC=local" />
    <!-- Groups connection string -->
    <add name="ADGroupsConnectionString" connectionString="LDAP://TEST.local/OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local" />
The two connection strings above allow you to connect to both the users OU and also the Security Groups OU, so you can restrict or allow access based on groups or individual users.
You also require the following under <system.web>:
<!-- debug="true" is for development only; set it to "false" on a production site -->
<compilation debug="true" targetFramework="4.0">
    <assemblies>
        <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    </assemblies>
</compilation>
<authentication mode="Forms">
    <forms name=".ADAuthCookie" timeout="43200"/>
</authentication>
<authorization>
    <deny users="?"/>
    <allow users="*"/>
</authorization>
<membership defaultProvider="MyADMembershipProvider">
    <providers>
        <add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" attributeMapUsername="sAMAccountName" connectionStringName="ADUsersConnectionString"/>
    </providers>
</membership>
You can then put the following in the code behind of your login page:
Public Function CheckADGroup(ByVal Username As String, ByVal GroupToCheck As String) As Boolean
    'Function that receives a username to check if it's a member of a specific group in Active Directory.
    'Requires Imports System.Configuration and Imports System.DirectoryServices at the top of the file.
    Try
        'Set up the LDAP search root. The search reads the memberOf attribute of the user object, so the
        'root must contain the user accounts: it is bound to the users OU rather than the groups OU.
        Dim adRoot As New DirectoryEntry(ConfigurationManager.ConnectionStrings("ADUsersConnectionString").ConnectionString)
        'The groups returned may have different combinations of lowercase and uppercase, so make GroupToCheck lowercase.
        GroupToCheck = GroupToCheck.Trim().ToLower()
        'Define DirectorySearcher on that root (passing the path as a String would set the filter, not the root).
        Dim adSearcher As New DirectorySearcher(adRoot)
        'The username comes straight from the login form: escape the LDAP filter special characters (RFC 4515)
        'so that it can only ever be matched as a value and cannot change the shape of the filter.
        Dim safeUsername As String = Username.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
        'Filter our results where sAMAccountName is equal to the username passed in (LDAP filters must be parenthesised).
        adSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & safeUsername & "))"
        'Specify memberOf so that only the groups the user is a direct member of are returned.
        'Nested group membership and the primary group (Domain Users) are not listed in memberOf.
        adSearcher.PropertiesToLoad.Add("memberOf")
        'Define SearchResult
        Dim adResult As SearchResult = adSearcher.FindOne()
        'No such user under the search root, or no group memberships: not a member.
        If adResult Is Nothing OrElse Not adResult.Properties.Contains("memberOf") Then
            Return False
        End If
        'Loop through the group distinguished names until the specified group is found.
        Dim tempString As String
        For Each groupDn As Object In adResult.Properties("memberOf")
            'Each value looks like "CN=Allowed Users,OU=Security Groups,...": keep the part before the first ","
            tempString = groupDn.ToString()
            If tempString.IndexOf(",") >= 0 Then
                tempString = tempString.Substring(0, tempString.IndexOf(","))
            End If
            'Remove the "CN=" from the beginning of the string
            If tempString.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) Then
                tempString = tempString.Substring(3)
            End If
            'Make all letters lowercase and trim any blank characters from the ends of the string
            tempString = tempString.ToLower().Trim()
            'Check if GroupToCheck equals tempString and exit function if True
            If GroupToCheck = tempString Then
                Return True
            End If
        Next
        'If code reaches here, there was no match.
        Return False
    'Catch any errors and return false
    Catch ex As Exception
        Return False
    End Try
End Function
And also:
Protected Sub Login1_LoggingIn(ByVal sender As Object, ByVal e As LoginCancelEventArgs) Handles Login1.LoggingIn
    'Invoke CheckADGroup Function to ensure user is a member of the relevant group.
    'Note: LoggingIn fires before the membership provider has validated the password, so the group
    'lookup runs on whatever username was typed. The same check can be made in the Login control's
    'Authenticate event, after the credentials have been validated, if that ordering is preferred.
    If CheckADGroup(Login1.UserName, "Allowed Users") = False Then
        'If no match, or error, cancel authentication and return message
        e.Cancel = True
        Login1.InstructionText = "Access Denied"
        Login1.InstructionTextStyle.ForeColor = Drawing.Color.Red
    End If
End Sub
The above code checks to see if the login credentials supplied are a member of the AD group 'Allowed Users' and if not, denies the login.
You can then put the following into your master page:
<asp:LoginStatus ID="LoginStatus1" runat="server" />
<asp:LoginName ID="LoginName1" runat="server" />
<asp:TextBox ID="CurrentUserTextBox" runat="server" Visible="False" />
and the following in the code-behind:
Protected Property strCurrentUser As String
Protected Sub Page_PreRender(sender As Object, e As System.EventArgs) Handles Me.PreRender
    'Call PopulateVersionInfo() function (application-specific; not shown here)
    PopulateVersionInfo()
    If String.IsNullOrEmpty(TryCast(Session("CurrentUser"), String)) Then
        'Retrieve the user's name from Active Directory based on their user ID and set strCurrentUser
        If Not String.IsNullOrEmpty(Page.User.Identity.Name) Then
            'Set up the lookup to AD
            Dim adEntry As New DirectoryEntry(System.Web.Configuration.WebConfigurationManager.ConnectionStrings("ADUsersConnectionString").ConnectionString)
            'Define which fields to retrieve from AD (the username is escaped per RFC 4515 before it goes into the filter)
            Dim adSearcher As New DirectorySearcher(adEntry)
            Dim safeUsername As String = Page.User.Identity.Name.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29")
            adSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & safeUsername & "))"
            adSearcher.PropertiesToLoad.Add("cn")
            Dim adResults As SearchResult = adSearcher.FindOne()
            'Set strCurrentUser to the search result (falling back to the login name if AD returned nothing)
            If adResults IsNot Nothing AndAlso adResults.Properties.Contains("cn") Then
                strCurrentUser = adResults.Properties("cn")(0).ToString()
            Else
                strCurrentUser = Page.User.Identity.Name
            End If
            'Store it in the session so that we don't need to query AD every time the master page loads,
            'then populate the CurrentUserTextBox textbox value
            Session("CurrentUser") = strCurrentUser
            CurrentUserTextBox.Text = strCurrentUser
            'Invoke CheckADGroup Function to check if user is a member of the admin group and set Session variable accordingly
            Session("IsDBAdmin") = CheckADGroup(Page.User.Identity.Name, "Database Admin")
        End If
    Else
        CurrentUserTextBox.Text = Session("CurrentUser").ToString()
    End If
    'Only show the Admin link to members of the admin group (on the first load as well as on later requests)
    hyperlink_Admin.Visible = Object.Equals(Session("IsDBAdmin"), True)
End Sub
Public Function CheckADGroup(ByVal Username As String, ByVal GroupToCheck As String) As Boolean
    'Function that receives a username to check if it's a member of a specific group in Active Directory.
    'Requires Imports System.Configuration and Imports System.DirectoryServices at the top of the file.
    Try
        'Set up the LDAP search root. The search reads the memberOf attribute of the user object, so the
        'root must contain the user accounts: it is bound to the users OU rather than the groups OU.
        Dim adRoot As New DirectoryEntry(ConfigurationManager.ConnectionStrings("ADUsersConnectionString").ConnectionString)
        'The groups returned may have different combinations of lowercase and uppercase, so make GroupToCheck lowercase.
        GroupToCheck = GroupToCheck.Trim().ToLower()
        'Define DirectorySearcher on that root (passing the path as a String would set the filter, not the root).
        Dim adSearcher As New DirectorySearcher(adRoot)
        'The username comes from the login form or the forms cookie: escape the LDAP filter special characters (RFC 4515)
        'so that it can only ever be matched as a value and cannot change the shape of the filter.
        Dim safeUsername As String = Username.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
        'Filter our results where sAMAccountName is equal to the username passed in (LDAP filters must be parenthesised).
        adSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & safeUsername & "))"
        'Specify memberOf so that only the groups the user is a direct member of are returned.
        'Nested group membership and the primary group (Domain Users) are not listed in memberOf.
        adSearcher.PropertiesToLoad.Add("memberOf")
        'Define SearchResult
        Dim adResult As SearchResult = adSearcher.FindOne()
        'No such user under the search root, or no group memberships: not a member.
        If adResult Is Nothing OrElse Not adResult.Properties.Contains("memberOf") Then
            Return False
        End If
        'Loop through the group distinguished names until the specified group is found.
        Dim tempString As String
        For Each groupDn As Object In adResult.Properties("memberOf")
            'Each value looks like "CN=Allowed Users,OU=Security Groups,...": keep the part before the first ","
            tempString = groupDn.ToString()
            If tempString.IndexOf(",") >= 0 Then
                tempString = tempString.Substring(0, tempString.IndexOf(","))
            End If
            'Remove the "CN=" from the beginning of the string
            If tempString.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) Then
                tempString = tempString.Substring(3)
            End If
            'Make all letters lowercase and trim any blank characters from the ends of the string
            tempString = tempString.ToLower().Trim()
            'Check if GroupToCheck equals tempString and exit function if True
            If GroupToCheck = tempString Then
                Return True
            End If
        Next
        'If code reaches here, there was no match.
        Return False
    'Catch any errors and return false
    Catch ex As Exception
        Return False
    End Try
End Function
Protected Sub LoginStatus1_LoggedOut(sender As Object, e As EventArgs) Handles LoginStatus1.LoggedOut
    'Clear session variables, abandon session and redirect to Login page
    Session("CurrentUser") = ""
    Session("IsDBAdmin") = ""
    Session.Clear()
    Session.Abandon()
    Response.Redirect("Login.aspx")
End Sub
The above code basically just checks to see if there is a session matching the user's login ID and, if not, attempts to re-authenticate the user, checks their group security, etc. If the authentication fails, it redirects to the login page.
If authentication is successful, and the user is a member of the 'Database Admin' group, it will display the link to the Admin page.
On the admin page, you can put the following code:
Protected Sub Page_PreInit(sender As Object, e As EventArgs) Handles Me.PreInit
    'Check if current user has permission to see this page.
    'Session("IsDBAdmin") is Nothing until the master page has set it, which this comparison treats as not permitted.
    If Not Object.Equals(Session("IsDBAdmin"), True) Then
        Response.Redirect("Default.aspx")
    End If
End Sub
This checks if the IsDBAdmin session is True and redirects if not.
As I said, the above is what we use on one of our internal applications, but I'm sure it could be adapted for use with Kartris without too many headaches.
Hope it helps.
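The two string-handling steps that CheckADGroup above depends on, written out as an added Python example (not the post's code and not part of Kartris): escaping a login-form username before it is concatenated into the LDAP filter, and pulling the CN out of a memberOf distinguished name when the name itself contains an escaped comma. SAMPLE_MEMBER_OF is constructed for the post's fictional TEST.local domain and the function names are mine.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a search-filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str) -> str:
    """Parenthesised form of the post's sAMAccountName lookup, with the value escaped."""
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName="
            + escape_ldap_filter_value(username) + "))")

def rdn_cn(dn: str) -> str:
    """CN of the first RDN of a DN, honouring RFC 4514 escapes. Splitting on the first
    comma (the post's Substring/IndexOf) breaks when the CN itself contains one."""
    if dn[:3].upper() != "CN=":
        raise ValueError("first RDN is not a CN: " + dn)
    out, i = [], 3
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and _HEX_PAIR.fullmatch(dn[i + 1:i + 3]):  # \2C style hex escape
            out.append(chr(int(dn[i + 1:i + 3], 16)))
            i += 3
        elif ch == "\\" and i + 1 < len(dn):                       # \, style escape
            out.append(dn[i + 1])
            i += 2
        elif ch == ",":                                            # end of first RDN
            break
        else:
            out.append(ch)
            i += 1
    return "".join(out).strip()

def is_member(member_of: list, group: str) -> bool:
    """Case-insensitive membership test over memberOf values, as CheckADGroup does.
    Like the post's code it sees direct membership only: nested groups and the
    primary group (Domain Users) are not listed in memberOf."""
    wanted = group.strip().lower()
    return any(rdn_cn(dn).lower() == wanted for dn in member_of)

# Constructed sample memberOf values for the post's fictional TEST.local domain
SAMPLE_MEMBER_OF = [
    "CN=Allowed Users,OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local",
    "CN=Helpdesk\\, Tier 1,OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local",
    "CN=Sales\\2CEMEA,OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local",
]
```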