Re: How to use WindowsPrincipal properly??
From: Ed leNoir (EDLENO@safeco.com)
Date: 10/31/02
From: EDLENO@safeco.com (Ed leNoir) Date: 30 Oct 2002 21:08:22 -0800
Kevin,
The IsInRole is documented to require that you provide BOTH a domain
name and user name in the format domain\username. The enumeration to
string ONLY returns the string "Administrator", so you would have to
write the code as user.IsInRole("BUILTIN\" &
WindowsBuiltInRole.Administrator).
I'm not sure I understand your question about impersonation or
LogonUser. For some strange reason dotnet allows you to make an
impersonation call, but it's not easy to get the identity that you
want to impersonate! So, the LogonUser API has to be used via a call
to unmanaged code to get an impersonation token. You can then build a
WindowsIdentity using that token, and from THAT you can do an
impersonate.
If you want to validate just the username and domain I think you can
do a SID lookup to the domain controller using LookupAccountName. If
you get a SID back then the name is valid in the domain (and the
domain is valid also).
The security APIs are very confusing and are easily misused, and they
don't report anything in the event log, so you REALLY have to be able
to catch the error codes that are returned via GetLastError.
- Ed
"Kevin Yu" <kyu@nrcan.gc.ca> wrote in message news:<OBfTo72fCHA.1308@tkmsftngp11>...
> I am working on an intranet app here that needs proper authentication for
> users and redirects them according to their roles. I set the app on IIS to
> use Windows integrated authentication, and in my code I check when a user
> logs in and get their identity. Now I have run into a minor problem: it
> seems the following statements return different results:
>
> user.IsInRole(WindowsBuiltInRole.Administrator) this returns false
>
> and this
>
> user.IsInRole("BUILTIN\Administrators") this returns true
>
> for the same user? What is the difference?
>
> Another question is how I can make sure the user enters a proper domain in
> the popup login. Say the user doesn't enter the domain/computer name that
> is supposed to authenticate him/her; do I then need to check the domain in
> my code as well? Since user.Identity.Name will return DOMAIN\username, the
> code needs to parse the domain and username and validate both of them. I
> saw some other code that uses impersonation, as follows:
>
> <DllImport("C:\\WINNT\\System32\\advapi32.dll")> _
> Public Shared Function LogonUser(lpszUsername As String, lpszDomain As String, _
>         lpszPassword As String, dwLogonType As Integer, dwLogonProvider As Integer, _
>         ByRef phToken As Integer) As Boolean
> End Function
>
> It seems that with impersonation a lot more code is needed. Can anyone
> clarify what the differences are between the two?
>
> Thanks
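
The flow Ed describes above (LogonUser to obtain a token, a WindowsIdentity built from that token, then Impersonate, with the Win32 error code surfaced on failure), written out as an added example that is not code from either poster. It assumes .NET Framework 4.x; the module name and the RunAs helper are hypothetical.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Module ImpersonationSketch   ' hypothetical name, not from the thread
    ' Values from winbase.h
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' SetLastError:=True is what makes Marshal.GetLastWin32Error() reliable.
    ' The DLL is named without a path so it is loaded from the system directory.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
            ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
            ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Runs work() under the given account, then reverts to the original identity.
    Public Sub RunAs(ByVal domain As String, ByVal user As String, _
                     ByVal password As String, ByVal work As Action)
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            ' Surface the GetLastError code instead of silently continuing.
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Try
            ' WindowsIdentity duplicates the token, so the raw handle is closed below.
            Using identity As New WindowsIdentity(token)
                Using ctx As WindowsImpersonationContext = identity.Impersonate()
                    work()
                End Using   ' disposing the context reverts the impersonation
            End Using
        Finally
            CloseHandle(token)
        End Try
    End Sub
End Module
```

The token parameter is declared as IntPtr rather than Integer so the declaration is also correct in a 64-bit process.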