RE: Windows Domain Groups in Authorization section sans AD
From: Mike Moore [Microsoft] (michmo@online.microsoft.com)
Date: 01/21/03
- Next message: andrew: "Re: NT Service Security"
- Previous message: Mike Moore [Microsoft]: "Re: app config file downloading (not) for winform deployment model"
- In reply to: Mike Moore [MS]: "RE: Windows Domain Groups in Authorization section sans AD"
- Next in thread: Greg Burns: "Re: Windows Domain Groups in Authorization section sans AD"
From: michmo@online.microsoft.com ("Mike Moore [Microsoft]") Date: Tue, 21 Jan 2003 03:58:55 GMT
Hi Greg,
I just noticed that both Luke and I are working on your issue, but in
different newsgroups.
As I wrote on Friday, I've reproduced your problem here and I'm
investigating. I thought I would have more for you today, but I will have
to get back to you tomorrow.
---
Here is what I have reproduced:
I tried using User.IsInRole in the code-behind for an ASPX page:
This returns true: User.IsInRole("BUILTIN\Administrators")
This returns false: User.IsInRole("MyMachine1\Administrators")
[MyMachine1 is the machine name for the ASP.NET server I'm using]
Then I set authorization as follows and it failed:
<allow users="BUILTIN\Administrators" />
Thank you, Mike Moore
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
>X-Tomcat-ID: 58725021
>References: <#qKgANLvCHA.1636@TK2MSFTNGP12> <F0CVd1dvCHA.1340@cpmsftngxa09>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>From: michmo@online.microsoft.com ("Mike Moore [MS]")
>Organization: Microsoft
>Date: Sat, 18 Jan 2003 03:09:16 GMT
>Subject: RE: Windows Domain Groups in Authorization section sans AD
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>Message-ID: <T5o2y7pvCHA.2600@cpmsftngxa06>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Lines: 95
>Path: cpmsftngxa06
>Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3674
>NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
>
>Hi Greg,
>
>I don't have an answer yet. I expect to have something for you late Monday.
>
>I found that this returns true: User.IsInRole("BUILTIN\Administrators")
>While this returns false: User.IsInRole("MyMachine1\Administrators")
> [MyMachine1 is the machine name for the ASP.NET server I'm using]
>
>Then I tried:
> <allow users="BUILTIN\Administrators" />
>Unfortunately, it failed.
>
>I'll look into this further on Monday.
>
>Thank you, Mike Moore
>Microsoft, ASP.NET
>
>This posting is provided "AS IS", with no warranties, and confers no rights.
>
>--------------------
>>X-Tomcat-ID: 109056668
>>References: <#qKgANLvCHA.1636@TK2MSFTNGP12>
>>MIME-Version: 1.0
>>Content-Type: text/plain
>>Content-Transfer-Encoding: 7bit
>>From: michmo@online.microsoft.com ("Mike Moore [MS]")
>>Organization: Microsoft
>>Date: Fri, 17 Jan 2003 04:03:22 GMT
>>Subject: RE: Windows Domain Groups in Authorization section sans AD
>>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>>Message-ID: <F0CVd1dvCHA.1340@cpmsftngxa09>
>>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>>Lines: 61
>>Path: cpmsftngxa09
>>Xref: cpmsftngxa09 microsoft.public.dotnet.framework.aspnet.security:3669
>>NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
>>
>>Hi Greg,
>>
>>There is lots of documentation on authorization. The following article
>>states that what you want is allowed.
>>
>>Building Secure ASP.NET Applications: Authentication, Authorization, and
>>Secure Communication
>>http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch08.asp
>>
>>In the article, it says:
>>
>>URL Authorization. Configure URL authorization in Web.config. With Windows
>>authentication, user names take the form DomainName\UserName and roles map
>>one-to-one with Windows groups.
>><authorization>
>> <deny user="DomainName\UserName" />
>> <allow roles="DomainName\WindowsGroup" />
>></authorization>
>>
>>---
>>However, I could not get it to work on my machine. I will look into this
>>further tomorrow.
>>
>>Thank you, Mike Moore
>>Microsoft, ASP.NET
>>
>>This posting is provided "AS IS", with no warranties, and confers no rights.
>>
>>--------------------
>>>From: "Greg Burns" <greg_burns@hotmail.com>
>>>Subject: Windows Domain Groups in Authorization section sans AD
>>>Date: Wed, 15 Jan 2003 11:29:35 -0500
>>>Lines: 34
>>>X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>>>Message-ID: <#qKgANLvCHA.1636@TK2MSFTNGP12>
>>>Newsgroups:
>>microsoft.public.dotnet.framework.aspnet,microsoft.public.dotnet.framework
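The MSDN passage quoted in this thread puts Windows groups in the roles attribute and account names in the users attribute. The Web.config sketch below is an added example, not from the thread or from Microsoft, contrasting the two attributes for the BUILTIN\Administrators group that the posts test with User.IsInRole. It assumes Windows authentication is enabled for the application, and the account name MyMachine1\SomeUser in the comment is constructed.

```xml
<configuration>
  <system.web>
    <!-- Assumption: the site uses Windows authentication, so
         User.Identity.Name has the form DomainOrMachine\UserName. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- Form tried in the thread, shown here only as a comment:

             <allow users="BUILTIN\Administrators" />

           The users attribute is compared with the authenticated
           account name (for example MyMachine1\SomeUser, a constructed
           name). A group name never equals an account name, so this
           rule matches nobody. -->

      <!-- Group membership is tested through the roles attribute,
           which is checked with IsInRole. The thread reports that
           IsInRole("BUILTIN\Administrators") returns true for a
           local administrator, while the MyMachine1\Administrators
           spelling returns false, so the BUILTIN prefix is used. -->
      <allow roles="BUILTIN\Administrators" />

      <!-- Rules are evaluated top to bottom and the first match wins.
           The machine-level default ends with allow users="*", so
           without this explicit deny every other authenticated or
           anonymous caller would still be let through. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

To confirm which rule applied, request the protected page once as a member of the group and once as a non-member; the non-member should receive a 401 response rather than the page.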