Home/ Questions/Q 6326507
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T17:06:15+00:00

I’m working on an internal ASP.NET application that uses an Active Directory distribution list

  • 0

I’m working on an internal ASP.NET application that uses an Active Directory distribution list for managing who has access to the web site.

However, due to the fact that this distribution list could contain both users and groups, I had to develop a solution for checking to see if the current user is able to access this site (e.g. They could be in a group that is a part of this distribution list). The default Windows authentication mode does not support this type of hierarchical structure.

My question is how can I ensure that every resource in this web site can only be accessed by those who are in this distribution list? I am currently using a custom attribute applied to every page that checks the user’s credentials and redirects to a ‘No Access’ page if they are not a member of the DL. However, I’m thinking that there must be a better way to do this that doesn’t require me to use the attribute on every page which is created for this site?

Any help is appreciated!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I ended up rolling my own security class for checking to see if the currently logged in Active Directory user has access.

    I used the GroupPrincipal.GetMembers function in the System.DirectoryServices.AccountManagement namespace. This overloadedd method which takes a boolean value can be used to search for users recursively (satisfying my groups-within-groups issue).

    The security class is a Singleton, and the list allowed active directory users is stored inside the Singleton to keep this access check fast. I chose a Singleton to ensure that there was only 1 copy of this list on the server. I stored the list of allowed users as a SortedDictionary, which increased look-up speed greatly.

    When a user who does not exist tries to access the site, the original user lookup will come back negative. At this point, the security class refreshes the users list, saving the timestamp of this refresh to the list of allowed users. The method endures that this refresh is done at most once every 10 minutes to prevent users from hammering the site (and keeping the site responsive for other users).

    • 0