Why AspNetTokenRoleProvider?

by Dominick Baier

Related link: http://www.leastprivilege.com/WhyAspNetTokenRoleProvider.aspx



ASP.NET 2.0 ships with three role providers - one for SQL Server, one for AzMan and one for Windows tokens...


The Windows token provider is special - it only works with Windows authentication whereas all the other providers seem to be more targeted at Forms Authentication (the AzMan provider supports both).


Why do I need a role provider for Windows accounts? You don't have to take care of getting roles for Windows users, as they come packaged in the token that gets produced during authentication in IIS.


Well - the WindowsTokenRoleProvider can do some optimizations to Windows authentication.



  • Instead of a WindowsPrincipal you get a RolePrincipal which features a method called GetRoles() that returns all roles as a string array. This is more straightforward than using the code I showed here. You still have access to the underlying WindowsIdentity (Context.User.Identity) and can create a WindowsPrincipal if you have to.
  • RoleManager can cache the roles. The first time you call IsInRole, RolePrincipal will fetch all roles from the token (which requires round trips to the DC to translate the SIDs to "human-readable" names). These names can get cached in the roles cookie (.aspxroles). This saves the roundtrip to the DC on subsequent requests.

So this is really just an (optional) optimization for Windows authentication based web apps. If you want to use role caching, make sure to set reasonable timeouts (e.g. 30 minutes) - otherwise group membership changes for the user will have a high latency in your application.
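A web.config fragment, added here as an example rather than taken from the original post, that turns on the Windows token provider with role caching and the 30-minute timeout recommended above. It assumes the app runs under IIS with Windows authentication and that AspNetWindowsTokenRoleProvider is the provider name registered in machine.config.

```xml
<!-- Example fragment (added here, not from the original post). Assumes IIS with
     Windows authentication and the default machine.config provider registration. -->
<configuration>
  <system.web>
    <!-- Roles are read from the Windows token, so authentication must be Windows. -->
    <authentication mode="Windows" />

    <!-- Deny anonymous users so every request reaching a role check carries a token. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- enabled: Context.User becomes a RolePrincipal backed by the Windows token.
         cacheRolesInCookie: keep the translated group names in the .ASPXROLES cookie
           so later requests skip the SID-to-name round trip to the DC.
         cookieTimeout: minutes before the cached list is discarded and re-read from
           the token; this bounds how long a revoked group membership stays usable.
         cookieSlidingExpiration: false gives an absolute lifetime, so continued
           activity cannot keep a stale role list alive past the timeout.
         cookieProtection: All = encrypted and signed, so the client cannot read or
           edit the role names it carries.
         cookieRequireSSL: only send the roles cookie over HTTPS.
         createPersistentCookie: session cookie only; nothing survives the browser. -->
    <roleManager
        enabled="true"
        defaultProvider="AspNetWindowsTokenRoleProvider"
        cacheRolesInCookie="true"
        cookieName=".ASPXROLES"
        cookieTimeout="30"
        cookieSlidingExpiration="false"
        cookieProtection="All"
        cookieRequireSSL="true"
        createPersistentCookie="false" />
  </system.web>
</configuration>
```

With this in place, Context.User is a RolePrincipal whose GetRoles() returns the cached names, while Context.User.Identity is still the underlying WindowsIdentity.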