Craig McMurtry's WebLog
March, 2004
Application Security, Part 28
Posted over 8 years ago by Craig McMurtry | 0 Comments
Now, the Windows Server 2003 Authorization Manager exposes a COM API, which has the unfortunate name, AzMan, that can be used to query the authorization store at run-time to identify the operations that a current user is permitted to perform. Specifically...
Application Security, Part 27
Posted over 8 years ago by Craig McMurtry | 0 Comments
So, let us follow these four steps to populate the authorization store for our application. We begin by creating operations that map to menu options and buttons on the main form of the application. An additional operation, called, Miscellaneous, is created...
Application Security, Part 26
Posted over 8 years ago by Craig McMurtry | 0 Comments
Once one has created an authorization store, one can proceed to use the Management Console snap-in to populate that store for that application. There are four steps to complete. One begins by defining operations. Those are atomic actions that a...
Application Security, Part 25
Posted over 8 years ago by Craig McMurtry | 2 Comments
So much for the user authentication requirements of application security; what about user authorization? Most applications have user interfaces with menus, button bars and buttons and we often want to restrict users' access to those operations based on...
Application Security, Part 24
Posted over 8 years ago by Craig McMurtry | 2 Comments
Here is the code for the main form of our Smart Client that handles the event of the user changing his or her language preference. private bool fLanguage_Switch(string sLanguage, System.Windows.Forms.MenuItem rMenuItem) { try { if(!...
Application Security, Part 23
Posted over 8 years ago by Craig McMurtry | 2 Comments
Back in the code for the start-up of the primary form of the Smart Client, static void Main (string[] asArguments) { Hashtable rArguments = null; try { rArguments = CUtility.rParseCommandLineArguments(asArguments,frmMain.c_sArgumentSeparator_Prefix...
Application Security, Part 22
Posted over 8 years ago by Craig McMurtry | 2 Comments
The Authentication Web Service is configured for Windows Authentication, so the credentials are automatically encrypted and validated against the Active Directory for the domain. As we know already, though, not all of the users identified in Active Directory...
Notes on Compact Framework Development
Posted over 8 years ago by Craig McMurtry | 4 Comments
I've been working on a Compact Framework application this week. My most-excellent colleague, Rockin' Ryan Storgaard (go read his blog instead of mine) referred me to SOTI (www.soti.net)'s terrific Pocket Controller tool. It displays the screen of your...
Application Security, Part 21
Posted over 8 years ago by Craig McMurtry | 3 Comments
Alright: at this point we have the foundation of our user authentication strategy set up. Let’s see how our application actually authenticates its users. We’ll begin at the entry point of the application, the static Main method of the primary form...
Application Security, Part 20
Posted over 8 years ago by Craig McMurtry | 1 Comments
Everything is now in place for the users in the YourApplicationUsers group within Active Directory to be provisioned in ADAM. So, we go to the MIIS Identity Manager and clear out the connector spaces for the ADAM and Active Directory management agents...
Application Security, Part 19
Posted over 8 years ago by Craig McMurtry | 3 Comments
Remember, however, that we don’t want all of the users in Active Directory provisioned in ADAM, but only those that belong to the YourApplicationUsers group within Active Directory, yet nothing in the code for our meta-verse rule extension checked...
Application Security, Part 18
Posted over 8 years ago by Craig McMurtry | 1 Comments
Now, our MIIS management agents can be configured to do either imports or exports when they execute. Importing means, as one might expect, moving objects into the connector space and potentially projecting them into the meta-verse. Exporting means moving...
Application Security, Part 17
Posted over 8 years ago by Craig McMurtry | 3 Comments
Let’s start with the basic problem of how to provision users in ADAM that exist in Active Directory. The solution lies in MIIS rule extensions. Rule extensions are .NET DLLs with classes that implement either one of two interfaces defined in the...
Application Security, Part 16
Posted over 8 years ago by Craig McMurtry | 3 Comments
At this point, let’s return to our scenario. Remember that our client organization has Active Directory as its directory service, while our application uses ADAM as its user data repository. Everyone in the organization is catalogued in the Active...
Thanks to Ted Neward for kind words about the Application Security Series
Posted over 8 years ago by Craig McMurtry | 0 Comments
Terrific Ted Neward was kind enough to post a link to my ongoing Application Security series on the ServerSide.NET. Thanks, Ted: I've read your stuff too, and I'm a huge fan. Anyone who is reading my blog should be reading his instead!
Application Security, Part 15
Posted over 8 years ago by Craig McMurtry | 2 Comments
Okay: so now we have our ADAM directory service configured for TaskVision II, thereby completing the first step in our deployment of that application. The next step, you will recall, was that of setting up a channel of communication to ADAM from...
Application Security, Part 14
Posted over 8 years ago by Craig McMurtry | 6 Comments
I would like to mention to you that a tool that I find invaluable for working with both Active Directory and ADAM is the simple Active Directory Service Viewer, ADSVW.EXE, that shipped with the Windows 2000 Resource Kit. When you absolutely, positively...
Application Security, Part 13
Posted over 8 years ago by Craig McMurtry | 9 Comments
Manipulating ADAM programmatically can be a little challenging. First, the documentation that is installed with ADAM does not cover its programming interfaces. However, that documentation can be found within MSDN, under Networking and Directory Services...
Application Security, Part 12
Posted over 8 years ago by Craig McMurtry | 4 Comments
So, that is the theory of how ADAM, MIIS, and Authorization Manager can facilitate application security. Let's see how they work together in practice. For that purpose, let us assume that we are a software vendor selling an application to an organization...
Response to Darrell's question about ADAM and AD
Posted over 8 years ago by Craig McMurtry | 2 Comments
Darrell wrote: If the organization you are developing for does have a directory service, but you need to modify the schema. In those cases, I have relied on AD for authentication, and then additional attributes linking userIDs to permissions for...
Application Security, Part 9
Posted over 8 years ago by Craig McMurtry | 4 Comments
COM+ provided an infrastructure for role-based security. With role-based security, users are grouped according to their function, and are assigned permissions to perform abstract operations, each of which may involve a number of actions performed on a...
Application Security, Part 11
Posted over 8 years ago by Craig McMurtry | 4 Comments
So, what we would really like to be able to do in administering permissions for an application is the following: · we would like to be able to define abstract operations for which we would want to control authorization, abstract operations...
Application Security, Part 10
Posted over 8 years ago by Craig McMurtry | 3 Comments
The .NET Framework Class Library provides authorization facilities in its System.Security.Principal namespace. It defines an interface, IPrincipal, that incorporates a method, IsInRole, that one can use for manual authorization checks. For example,...
Application Security, Part 7
Posted over 8 years ago by Craig McMurtry | 3 Comments
Now, we said that application security was about authentication—controlling who accessed your application—as well as about authorization—controlling what folk who were permitted access would be allowed to do. ADAM and MIIS are the tools...
Application Security, Part 8
Posted over 8 years ago by Craig McMurtry | 3 Comments
Access control lists are available in Windows NT, Windows 2000, Windows XP and Windows Server 2003. They provide for what may be described as object-centric authorization, in which permissions are associated with objects, such as files and folders. Object...