From: Bernd Wechner on
"Bob Barrows" wrote:
> yes, an AD group can certainly be used instead of a user's
> name in the web.config file.

Alas I am unclear on this point. I have exactly the same wish. That a
non-tech-savvy manager without access to the web server per se, can via their
MS-Outlook Address book and managing a distribution list, win two immediate
benefits:

a) The ability to control who has access to a web site, and
b) The ability to email them as a group.

Now I find what you've suggested very encouraging Bob and am back here after
a good 20 minutes of reading Google results varying my search without
successfully finding clear documentation or an example.

Here's what I have in my web.config now:

<authorization>
<allow roles="domain\websiteusers"/>
<deny users="*"/>
</authorization>

Alas "domain\websiteusers" is a security group set by our IT staff and not
to my knowledge easily modified by a manager using the tools they have. Hence
the interest in a distribution list. Now let me suppose I have a distribution
list on Active Directory named "domain\websiteuserlist".

I have tested both of these scenarios quickly with no success:

<authorization>
<allow roles="domain\websiteuserlist"/>
<deny users="*"/>
</authorization>

and

<authorization>
<allow users="domain\websiteuserlist"/>
<deny users="*"/>
</authorization>

Now I'm tempted to conclude from your cursory statement that the latter test
should function. Alas I haven't replicated it. I add a user to
domain\websiteuserlist and voila, they still can't access the website.

It may be that all I'm experiencing is latency. That it would help if I
rebooted their PC, or had them log out and in again, and/or the server and/or
.... my point is simply groping for answers in the dark is a frustrating time
consumer and the lack of clear documentation has frustrated me.

I look at a page like this:

http://msdn.microsoft.com/en-us/library/acsd09b0%28VS.80%29.aspx

and I feel like reprimanding the Microsoft documenters (well, humility aside,
I've managed documentation for years and would indeed be having a chat with
my staff about a page like this). What exactly IS a user and role? Where are
they defined? At best it sends me off to some obtuse pages on ASP role
management which takes me down many paths not of immediate interest to me
(although it would no doubt be of great benefit if I took the time to research
and understand the complete security model, all the same I am interested
primarily in a quick answer - greedy I am). In short this page ought to tell
me clearly what kinds of strings are valid as roles and users and where they
are defined. And it doesn't.

Anyhow, if you perchance have the time for a clear example I would be
grateful to you. In the meantime I am in the dark still unless I stumble
upon another clarification soon.

Cheers,

Bernd.
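
Added example, not part of the original post: with Windows authentication, ASP.NET checks <allow roles="..."/> by calling IsInRole on the user's WindowsPrincipal, which looks only at the security groups in the logon token, while <allow users="..."/> is matched against account names, not groups. A distribution list is not security-enabled and so does not appear in the token; this C# console program lists the token's groups and tests the two names from the post (the class and method names are hypothetical, and "domain" is the placeholder used in the post).

```csharp
using System;
using System.Security.Principal;

// Hypothetical diagnostic helper: shows what a roles="..." check can match.
public static class RoleDiagnostics
{
    // Lists every group SID carried in the identity's token, then tests each
    // candidate role name the same way URL authorization does (IsInRole).
    public static void Dump(WindowsIdentity identity, params string[] rolesToTest)
    {
        Console.WriteLine("User: " + identity.Name);

        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // Resolve the SID to DOMAIN\group where possible.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Some SIDs (e.g. logon session SIDs) have no account name.
                name = sid.Value;
            }
            Console.WriteLine("  group in token: " + name);
        }

        WindowsPrincipal principal = new WindowsPrincipal(identity);
        foreach (string role in rolesToTest)
        {
            Console.WriteLine(role + " -> IsInRole = " + principal.IsInRole(role));
        }
    }

    public static void Main()
    {
        // Run as the affected user. Inside an ASP.NET page with Windows
        // authentication, pass (WindowsIdentity)HttpContext.Current.User.Identity
        // instead of the current process identity.
        Dump(WindowsIdentity.GetCurrent(),
             @"domain\websiteusers",      // security group from the post
             @"domain\websiteuserlist");  // distribution list from the post
    }
}
```

The token is built at logon, so a user newly added to a security group shows up here only after logging off and on again.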