Authentication using Active Directory


eclipsed4utoo
September 29th, 2008, 03:28 PM
I am looking for a way to use Active Directory to limit access to a web page. I am not just looking for the "if the account exists, then the user is authenticated". I need to use custom authentication methods.

I know that I can set a property in IIS that will prompt the user for their domain user name and password using the standard Windows username/password popup. Is it possible to get the information that they enter into those boxes (just the domain\username is fine) and use that to authenticate?

I have a database table that contains a list of users with an "Admin" flag as part of the table. I need to use the domain username to query the table to see if the user has the "Admin" flag set to true. Is this possible?

Using .Net 2.0 and C#.

PeejAvery
September 30th, 2008, 07:32 AM
Did you do any searching? Microsoft directly addresses this question in part (http://msdn.microsoft.com/en-us/library/ms998358.aspx). The second part about using a database is also highly covered across the internet.

eclipsed4utoo
September 30th, 2008, 01:04 PM
The problem wasn't that I didn't search... I have searched plenty. The problem was that I didn't know that when IIS prompts for domain access, the account that is entered overrides the Windows user that is currently logged in. I did not know that. I thought that they would be stored separately, and I was trying to figure out how to use the account that was typed in (there were plenty of examples on how to get the user currently logged into Windows).

eclipsed4utoo
October 8th, 2008, 04:07 PM
well, I was able to get this working. For anybody who might find this topic through a search, I will describe what I was trying to do and how I accomplished it.

First, let me explain what I was trying to accomplish. I was given the task of securing a number of web applications that I had written for a client. This client had an "Employee" table in a SQL Server database, which is what I needed to use to authenticate visitors. In the "Employee" table, there were three columns that would deal with authentication: a "BadgeID" column, a "JobTitleClass" column, and an "ActiveDirectory" column.

The "BadgeID" column is pretty self-explanatory.

The "JobTitleClass" column would contain a department code. Certain department codes would determine "administrators" which would be allowed to view the web applications.

The "ActiveDirectory" column would contain the name of their active directory account. Only users who had this column populated were considered "administrators".

All visitors were going to be local intranet users.

So the first authentication method I needed to use was Windows/Domain authentication. I needed to get the visitor's domain account (the one that they logged into Windows with) and use it to query the "Employee" table. If the domain account was found in the "Employee" table, then the visitor was authenticated, and it continued to the page they were trying to get to.

The second method of authentication was a custom "Login" page. The "Login" page would only show if the domain account was not found in the "Employee" table. This login page would allow the user to type in a Badge ID, and would then query to see if the Badge ID was part of a certain "JobTitleClass". If the Badge ID was part of an administration "JobTitleClass", then the visitor was authenticated and continued to the original page they were trying to get to.

Here is how I accomplished it:

I added this code to the "web.config" file

<system.web>
    <authentication mode="Forms">
        <forms name=".LOGINAUTH" loginUrl="Login.aspx"/>
    </authentication>

    <authorization>
        <deny users="?"/>
    </authorization>
</system.web>

The <deny users="?"/> element will deny all non-authenticated and all anonymous users.

In the "Page_Load" event of the "Login.aspx" page, I added this code:

// requires: using System.Data; using System.Data.SqlClient; using System.Web.Security;

// Gets the domain account.
// -- If the IIS prompt is shown, this will return the
//    authenticated account that was entered into the prompt
// -- If the user's current domain account is authenticated (no IIS prompt),
//    then this will return their windows/domain account
string userName = Request.LogonUserIdentity.Name;
string badgeID = null;

// s.ConnectionString.ConnectionString: the poster's settings object that holds the SQL connection string
using (SqlConnection cn = new SqlConnection(s.ConnectionString.ConnectionString))
{
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = cn;
    cmd.CommandText = "tsp_AuthenticateAD";
    cmd.CommandType = CommandType.StoredProcedure;

    SqlParameterCollection sqlParams = cmd.Parameters;
    sqlParams.AddWithValue("@ADAccount", userName);

    cn.Open();

    // the stored procedure will return the badgeID
    // of the user if they are authenticated.
    // ExecuteScalar returns null when there is no row and DBNull when the
    // column is NULL; a direct (string) cast throws on DBNull, so use "as string".
    badgeID = cmd.ExecuteScalar() as string;
}

if (!string.IsNullOrEmpty(badgeID))
{
    // IS AUTHENTICATED
    FormsAuthentication.SetAuthCookie(badgeID, false);
    // This will redirect the visitor to the page they were trying to get to.
    // (RedirectFromLoginPage also issues the auth cookie, so the SetAuthCookie
    // call above is redundant but harmless.)
    FormsAuthentication.RedirectFromLoginPage(badgeID, false);
}



Now, if the windows/domain authentication fails, then the user is shown the login form. Here is the code for the "Login Button":

protected void btnLogin_Click(object sender, EventArgs e)
{
    lblErrorText1.Visible = false;
    lblErrorText2.Visible = false;

    string badgeID = txtBadgeID.Text.Trim();

    if (!string.IsNullOrEmpty(badgeID))
    {
        if (ValidateBadgeLogin(badgeID))
        {
            // ValidateBadgeLogin returns true if
            // the badge ID was found in the "Employee" table
            // and the badge ID had an administration "JobTitleClass"
            FormsAuthentication.SetAuthCookie(badgeID, false);
            FormsAuthentication.RedirectFromLoginPage(badgeID, false);
        }
        else
        {
            lblErrorText1.Text = "Invalid Badge ID or";
            lblErrorText2.Text = "Badge does not have authority to continue.";
            lblErrorText1.Visible = true;
            lblErrorText2.Visible = true;
        }
    }
}


Finally, I changed the "Directory Security" setting for the IIS Virtual Directory to use windows authentication only.
http://img232.imageshack.us/img232/3789/iissettingshl4.jpg

NOTE: The changes to the IIS setting will open a security hole. Hopefully, I won't have a problem since it's on a local domain.

It was actually a lot simpler than I thought it would be. Finding out about the FormsAuthentication class was a huge help.
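As an added example (not the poster's code, and not the ValidateBadgeLogin or tsp_AuthenticateAD the poster used), the following is a complete ASP.NET 2.0 Login.aspx code-behind that wires together the two checks the post describes: the Windows-authenticated domain account looked up in the Employee table first, then the Badge ID form as the fallback. It also covers the points the posted snippets leave open: skipping the domain check on postback, rejecting the IIS anonymous identity (so the lookup cannot silently run as the IUSR account if anonymous access is left on), handling the null/DBNull return of ExecuteScalar, and using parameterised SQL for both lookups. Everything not in the original post is an assumption: a connection string named "Employee" in web.config, the column names ActiveDirectory, BadgeID and JobTitleClass exactly as the post describes them, the hypothetical administrator department codes 'ADM' and 'IT', and page controls named txtBadgeID, btnLogin and lblError.

```csharp
// Added example, not the original poster's code. Assumptions (not in the original
// post): connection string name "Employee", admin department codes 'ADM' and 'IT',
// and controls txtBadgeID / btnLogin / lblError declared in Login.aspx.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumption: <connectionStrings><add name="Employee" connectionString="..."/></connectionStrings>
    private static string ConnStr
    {
        get { return ConfigurationManager.ConnectionStrings["Employee"].ConnectionString; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The badge form posts back to this page; only run the domain check on the
        // first request so a failed badge attempt does not re-run it.
        if (IsPostBack) return;

        // Populated by IIS Windows authentication. If anonymous access is still enabled
        // in IIS this is the anonymous account, so test IsAnonymous, not just the name.
        WindowsIdentity id = Request.LogonUserIdentity;
        if (id == null || id.IsAnonymous || string.IsNullOrEmpty(id.Name)) return;

        string badgeID = BadgeForDomainAccount(id.Name);
        if (badgeID != null)
        {
            // RedirectFromLoginPage issues the forms-auth cookie and honours ReturnUrl;
            // no separate SetAuthCookie call is needed.
            FormsAuthentication.RedirectFromLoginPage(badgeID, false);
        }
        // Otherwise fall through and render the Badge ID form.
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        lblError.Visible = false;
        string badgeID = txtBadgeID.Text.Trim();

        if (badgeID.Length > 0 && IsAdminBadge(badgeID))
        {
            FormsAuthentication.RedirectFromLoginPage(badgeID, false);
            return;
        }

        // One generic message: do not reveal whether the badge exists or merely
        // lacks an administration department code.
        lblError.Text = "Invalid Badge ID or badge does not have authority to continue.";
        lblError.Visible = true;
    }

    // Returns the BadgeID whose ActiveDirectory column equals the DOMAIN\user name,
    // or null if there is no such row.
    private static string BadgeForDomainAccount(string domainAccount)
    {
        const string sql = "SELECT BadgeID FROM Employee WHERE ActiveDirectory = @ADAccount";
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@ADAccount", SqlDbType.NVarChar, 256).Value = domainAccount;
            cn.Open();
            // ExecuteScalar returns null for no row and DBNull for a NULL column;
            // "as string" yields null in both cases instead of throwing.
            return cmd.ExecuteScalar() as string;
        }
    }

    // True only if the badge exists AND its JobTitleClass is an admin department.
    private static bool IsAdminBadge(string badgeID)
    {
        const string sql =
            "SELECT COUNT(*) FROM Employee " +
            "WHERE BadgeID = @BadgeID AND JobTitleClass IN ('ADM', 'IT')"; // hypothetical codes
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@BadgeID", SqlDbType.VarChar, 32).Value = badgeID;
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Two caveats a reviewer would raise against this design, which the example does not remove: Request.LogonUserIdentity is only meaningful when the IIS virtual directory has Windows authentication enabled and anonymous access disabled (the IsAnonymous check above just makes the failure explicit), and the fallback path authenticates on knowledge of a Badge ID alone, which is printed on the badge rather than kept secret, so anyone who knows an administrator's badge number can take the second route around the domain check.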