Re: How to use WindowsPrincipal properly??

From: Kevin Yu (kyu@nrcan.gc.ca)
Date: 10/31/02


From: "Kevin Yu" <kyu@nrcan.gc.ca>
Date: Thu, 31 Oct 2002 14:22:45 -0700


Ed,
thanks for the reply.

In the IsInRole() function, I think "BUILTIN\Administrators" and
WindowsBuiltInRole.Administrator refer to different roles. See, we add
users to the Administrators group, so if I am one of the administrators
on the computer, e.g. a Win2k machine, then ("BUILTIN\Administrators")
will return true while (WindowsBuiltInRole.Administrator) returns false.
I think this role refers to the default admin account created when the
system is installed.

I am basically confused about role-based authentication and
impersonation; not sure what exactly the difference is. Now I have to
check the machine name/domain name to validate the user, to see if they
have an account on the domain and also have an account on the Win2k
machine in their office, in case they type in the office computer name
instead of the domain computer name, since Win2k doesn't have whatever
so-called PDC or BDC anymore; it's just a computer that contains the
user list. So if I write code just to verify the user with
IsInRole("BUILTIN\Administrators"), then it will return true if the
user is an administrator on his/her computer in the office, right?

I can see that the LogonUser API call does take the user name and
password and validates the user against the specific "domain", but it
needs to get the user's password. In Windows integrated authentication,
how do I get the password? Do I need forms authentication instead?
But integrated authentication is more secure, correct?

Kevin

"Ed leNoir" <EDLENO@safeco.com> wrote in message
news:57f8df53.0210302108.58a1f76@posting.google.com...
> Kevin,
>
> The IsInRole is documented to require that you provide BOTH a domain
> name and user name in the format domain\username. The enumeration to
> string ONLY returns the string "Administrator", so you would have to
> write the code as user.IsInRole("BUILTIN\" &
> WindowsBuiltInRole.Administrator).
>
> I'm not sure I understand your question about impersonation or
> LogonUser. For some strange reason dotnet allows you to make an
> impersonation call, but it's not easy to get the identity that you
> want to impersonate! So, the LogonUser API has to be used via a call
> to unmanaged code to get an impersonation token. You can then build a
> WindowsIdentity using that token, and from THAT you can do an
> impersonate.
>
> If you want to validate just the username and domain I think you can
> do a SID lookup to the domain controller using LookupAccountName. If
> you get a SID back then the name is valid in the domain (and the
> domain is valid also).
>
> The security APIs are very confusing and are easily misused, and they
> don't report anything in the event log, so you REALLY have to be able
> to catch the error codes that are returned via GetLastError.
>
> - Ed
>
> "Kevin Yu" <kyu@nrcan.gc.ca> wrote in message
> news:<OBfTo72fCHA.1308@tkmsftngp11>...
> > I am working on this intranet app here that needs proper
> > authentication for users and redirects them according to their
> > roles. I set the app on IIS to use Windows integrated authentication
> > and in my code, I check when the user logs in and get their
> > identity. Now I run into a minor problem: it seems like the
> > following statements return different results:
> >
> > user.IsInRole(WindowsBuiltInRole.Administrator) this return false
> >
> > and this
> >
> > user.IsInRole("BUILTIN\Administrators") this return true
> >
> > for the same user? what is the difference?
> >
> > Another question is how can I make sure the user enters a proper
> > domain in the popup login? Say if the user doesn't enter the
> > domain/computer name that is supposed to authenticate him/her, then
> > I need to check the domain in my code as well? Since
> > user.Identity.Name will return DOMAIN\username, then in code I need
> > to parse the domain and username and validate both of them. I saw
> > some other code that uses impersonation as the following:
> >
> > ' advapi32.dll is resolved through the normal DLL search path, so no
> > ' absolute path is needed; SetLastError makes GetLastWin32Error() valid.
> > <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
> > Public Shared Function LogonUser(lpszUsername As String, lpszDomain As String, _
> >     lpszPassword As String, dwLogonType As Integer, dwLogonProvider As Integer, _
> >     ByRef phToken As IntPtr) As Boolean
> > End Function
> >
> > It seems like with impersonation, a lot more code is needed. Can
> > anyone clarify what the differences are between the two?
> >
> > thanks
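The thread turns on why `IsInRole(WindowsBuiltInRole.Administrator)` and `IsInRole("BUILTIN\Administrators")` can disagree. The enum overload is resolved by the framework to the well-known SID S-1-5-32-544, which is the local BUILTIN\Administrators group; the string overload first translates the name to a SID through an account lookup, so it is tied to the OS display language and silently returns false when the name does not resolve (the singular "BUILTIN\Administrator" names no group at all). The following C# console program, added here as an example and not code from the thread, runs all three forms side by side, prints the groups actually present in the token, and includes a managed equivalent of the LookupAccountName check Ed suggests for validating a DOMAIN\username without a password. It targets .NET Framework 2.0 or later on Windows; `AdminRoleCheck`, `Report` and `AccountExists` are names chosen for this example.

```csharp
using System;
using System.Security.Principal;

public static class AdminRoleCheck
{
    // Well-known SID of the local BUILTIN\Administrators group (S-1-5-32-544);
    // identical on every Windows machine regardless of UI language.
    private static readonly SecurityIdentifier BuiltinAdmins =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    public static void Report(WindowsPrincipal user)
    {
        WindowsIdentity id = (WindowsIdentity)user.Identity;
        Console.WriteLine("Identity:            {0}", id.Name);            // DOMAIN\username
        Console.WriteLine("Authentication type: {0}", id.AuthenticationType);

        // 1. Enum overload: the framework maps the role to S-1-5-32-544 itself.
        bool byEnum = user.IsInRole(WindowsBuiltInRole.Administrator);

        // 2. String overload: the name is translated to a SID by an account
        //    lookup, so it depends on the OS language and returns false (no
        //    exception) when the name cannot be resolved.
        bool byName = user.IsInRole(@"BUILTIN\Administrators");
        bool bySingular = user.IsInRole(@"BUILTIN\Administrator");   // no such group

        // 3. SID overload (.NET 2.0+): no name lookup, no localisation issue.
        bool bySid = user.IsInRole(BuiltinAdmins);

        Console.WriteLine("IsInRole(WindowsBuiltInRole.Administrator) = {0}", byEnum);
        Console.WriteLine("IsInRole(\"BUILTIN\\Administrators\")         = {0}", byName);
        Console.WriteLine("IsInRole(\"BUILTIN\\Administrator\")          = {0}", bySingular);
        Console.WriteLine("IsInRole(S-1-5-32-544)                      = {0}", bySid);

        // Membership is evaluated against the group list inside the token,
        // not against the account database, so list what the token holds.
        foreach (IdentityReference g in id.Groups)
        {
            string name;
            try { name = g.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unresolved)"; }
            Console.WriteLine("  group {0,-45} {1}", g.Value, name);
        }
    }

    // Managed form of Ed's LookupAccountName suggestion: translating the
    // name to a SID succeeds only if the account, and the domain in front
    // of it, exist. It says nothing about the password.
    public static bool AccountExists(string domainBackslashUser)
    {
        try
        {
            new NTAccount(domainBackslashUser).Translate(typeof(SecurityIdentifier));
            return true;
        }
        catch (IdentityNotMappedException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Under IIS with Integrated Windows authentication this would be
        // (WindowsPrincipal)HttpContext.Current.User; the process identity
        // is used here so the sample runs from a console.
        WindowsPrincipal current = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Report(current);

        string probe = current.Identity.Name;                       // constructed input
        Console.WriteLine("AccountExists({0}) = {1}", probe, AccountExists(probe));
        Console.WriteLine("AccountExists(NOSUCHDOMAIN\\nobody) = {0}",
                          AccountExists(@"NOSUCHDOMAIN\nobody"));
    }
}
```

For a member of the local Administrators group the first, second and fourth lines agree and the third is false. One caveat when trying this from a console on a UAC-enabled machine (Vista and later): in a non-elevated process the Administrators group is present in the token only as a deny-only SID, so all four checks print False until the program is run elevated. Checking by SID (or by the enum, which is the same thing) is the form to keep in production code, since it survives localisation and needs no directory round trip.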
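The other half of the thread is the LogonUser route: obtain a token with a user name and password, wrap it in a WindowsIdentity, then impersonate. It only applies when the application itself collects the credentials (a forms login, for instance); with Integrated Windows authentication the browser and IIS complete the logon and the password never reaches the application, so there is nothing to pass to LogonUser and the identity IIS already established is what the code gets. The C# program below, added as an example and not taken from the thread, shows the sequence with the safeguards the thread's code lacks: `SetLastError` so `GetLastError` is readable, an `IntPtr` token, the original handle closed after WindowsIdentity has duplicated it, and the impersonation reverted on every path. It targets .NET Framework 2.0 or later on Windows; the class and method names and the EXAMPLE domain and account are placeholders for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class CredentialCheck
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK     = 3;  // cheapest: validates credentials only
    const int LOGON32_PROVIDER_DEFAULT  = 0;

    // SetLastError = true is what makes Marshal.GetLastWin32Error() meaningful.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns a primary token on success. On failure the Win32Exception carries
    // the real error code (1326 ERROR_LOGON_FAILURE, 1355 ERROR_NO_SUCH_DOMAIN,
    // 1909 ERROR_ACCOUNT_LOCKED_OUT, ...), which is the only diagnostic you get:
    // nothing is written to the event log on the caller's behalf.
    public static IntPtr Logon(string domain, string user, string password, int logonType)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return token;
    }

    // Credential check only: no impersonation, token closed immediately.
    public static bool CredentialsValid(string domain, string user, string password)
    {
        try
        {
            CloseHandle(Logon(domain, user, password, LOGON32_LOGON_NETWORK));
            return true;
        }
        catch (Win32Exception)
        {
            return false;
        }
    }

    // Runs `work` as the given user, then reverts and releases the token
    // whether or not `work` throws.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token = Logon(domain, user, password, LOGON32_LOGON_INTERACTIVE);
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);   // duplicates the handle
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                work();
            }   // Dispose() calls Undo(): the thread is back to its own identity here
        }
        finally
        {
            CloseHandle(token);   // we still own the original handle
        }
    }

    public static void Main()
    {
        // Placeholder credentials; substitute a test account to run this.
        string domain = "EXAMPLE", user = "testuser", password = "<password>";

        Console.WriteLine("credentials valid: {0}", CredentialsValid(domain, user, password));
        try
        {
            RunAs(domain, user, password, delegate
            {
                WindowsPrincipal p = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                Console.WriteLine("now running as {0}; admin = {1}",
                    p.Identity.Name, p.IsInRole(WindowsBuiltInRole.Administrator));
            });
        }
        catch (Win32Exception e)
        {
            Console.WriteLine("LogonUser failed: {0} (Win32 error {1})",
                              e.Message, e.NativeErrorCode);
        }
    }
}
```

Two points to take from it: `CredentialsValid` distinguishes "wrong password" from "no such domain" only because the error code is preserved, which is exactly the GetLastError point Ed makes; and the impersonation is scoped by `using`, so a failure inside `work` cannot leave the worker thread running as the wrong user for subsequent requests.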


