Re: User.IsInRole

From: "Willy Denoyette [MVP]" <willy.denoyette@pandora.be>
Date: Sun, 11 Aug 2002 11:32:50 +0200


Frank,

Excellent catch, "IsInRole" is still broken in SP2 when a user is a member of more than 22 groups.
Please note that other methods using "IsInRole", like PrincipalPermission.Demand(), will suffer from this inconsistency.

Willy.

"Frank Racis" <frank.racis@smed.com> wrote in message news:#JEMHsMQCHA.1916@tkmsftngp13...
> I did some more testing today, and we're both right.
> WindowsPrincipal.IsInRole is case insensitive, unless you're a member of 23
> or more groups, then it becomes case sensitive.
>
> Looking in the debugger, the WindowsPrincipal class has two places to store
> roles, string[] m_roles and HashTable m_rolesTable. When the user is a
> member of 22 or fewer groups, m_roles is populated, m_rolesTable is null,
> and the match is insensitive. When the number of groups is 23 or more,
> m_roles is null, m_rolesTable is populated, and the matching becomes case
> sensitive. My guess is that it has a different algorithm for caching small
> and large sets of roles, and the large set algorithm (with hashing) is doing
> a case-sensitive lookup when it shouldn't.
>
> This seems a bit like Q321562, but SP2 didn't fix it. Also, the length of
> the group name didn't affect the outcome. The 23rd group was only 2
> characters long. I went back to 22 but made the group names a lot longer,
> and it still worked.
>
> -Frank
>
> "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> news:#7BTztAMCHA.1312@tkmsftngp04...
> > Are you sure?
> > All tests I've done so far indicate that it is case insensitive.
> >
> > Willy.
> >
> > "Frank Racis" <frank.racis@smed.com> wrote in message
> > news:e1V4oKyICHA.1636@tkmsftngp10...
> > > That didn't work for me. I needed to use "BUILTIN\\Administrators" (with a
> > > capital A). The IsInRole check is case sensitive on the entire string,
> > > both the machine/domain name and the user name. From some quick testing,
> > > the machine/domain is always uppercase, and the group is however it's
> > > entered in user manager.
> > >
> > > I'm wondering whether this should be reported as a bug. Everywhere else in
> > > Windows, the names of users, groups, and domains are case-insensitive.
> > > Having them case-sensitive for this call just seems wrong.
> > >
> > > -Frank
>
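
The following C# sketch is an added example, not code from either poster and not the .NET Framework's implementation. It models the behaviour reported in the thread (an array scanned case-insensitively for 22 or fewer groups, a hashtable for 23 or more) so the inconsistency can be reproduced in isolation: the wrong-case query matches at 22 groups and fails at 23 unless the table is built with a case-insensitive comparer. The names `RoleCacheModel`, `Demo`, `Groups` and the `DOMAIN\GroupN` entries are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections;

// Hypothetical model of the reported behaviour; not the framework's source.
class RoleCacheModel
{
    const int ArrayLimit = 22;      // threshold observed in the thread
    readonly string[] roles;        // small sets: linear scan
    readonly Hashtable rolesTable;  // large sets: hashed lookup
    public RoleCacheModel(string[] groups, bool ignoreCaseInTable)
    {
        if (groups.Length <= ArrayLimit) { roles = groups; return; }
        // A default Hashtable compares string keys case-sensitively.
        rolesTable = ignoreCaseInTable
            ? new Hashtable(StringComparer.OrdinalIgnoreCase)
            : new Hashtable();
        foreach (string g in groups) rolesTable[g] = true;
    }

    public bool IsInRole(string role)
    {
        if (roles == null) return rolesTable.ContainsKey(role);
        foreach (string r in roles)
            if (string.Equals(r, role, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}

static class Demo
{
    // Constructed sample data: one well-known group plus filler groups.
    static string[] Groups(int count)
    {
        string[] g = new string[count];
        g[0] = @"BUILTIN\Administrators";
        for (int i = 1; i < count; i++) g[i] = @"DOMAIN\Group" + i;
        return g;
    }

    static void Main()
    {
        string query = @"builtin\administrators";   // wrong case on purpose
        foreach (int n in new int[] { 22, 23 })
            Console.WriteLine("{0} groups: as reported={1}, ignore-case table={2}", n,
                new RoleCacheModel(Groups(n), false).IsInRole(query),
                new RoleCacheModel(Groups(n), true).IsInRole(query));
    }
}
```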


