Re: Problems with IsInRole

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/18/04

    Date: Wed, 17 Nov 2004 21:08:15 -0600
    
    

    That's too bad. I've seen these kinds of problems, but they are pretty
    mysterious.

    You could also try using some Directory Services code to do this to overcome
    the issue with the LSA, but that will require more config and potentially be
    more brittle.

    Perhaps there is a way to solve the trust issue though. I'm the wrong guy
    to ask there, but I'm sure someone understands the options.

    Joe K.

    "John Rusk" <JohnRusk@discussions.microsoft.com> wrote in message
    news:AE2E348F-4FF9-444B-9B6B-B2E0A397C315@microsoft.com...
    > I think I've found the problem. I think it's something like this:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;262958
    >
    > While I'm not 100% sure that I'm suffering from _exactly_ the same
    > problem, it seems that it's possible to configure domain controllers in
    > a way that breaks .NET's role based security.
    >
    > I ended up dropping .NET's IsInRole, and using equivalent code from Keith
    > Brown's security library
    > (http://www.theserverside.net/discussions/thread.tss?thread_id=25074).
    > That was when I finally got the error 1789, which means "The trust
    > relationship between this workstation and the primary domain failed".
    > It's a shame that .NET's IsInRole doesn't log anything to indicate
    > what's going wrong. The only sign was blank/missing names for global
    > groups when I called _GetRoles.
    >
    > In the code I used, from Keith Brown's library, it was the translation
    > from names to SIDs that was failing.
    >
    > Thanks for your suggestions Joe.
    >
    > John
    >
    >
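
The failure described in the quoted message (the name-to-SID translation breaking while IsInRole gave no sign of it) can be surfaced by doing that translation explicitly before the role check. This is an added example, not code from this thread or from Keith Brown's library; it assumes the NTAccount and SecurityIdentifier classes of .NET Framework 2.0 and later, and the group names are constructed placeholders.

```csharp
using System;
using System.Security.Principal;

static class RoleCheck
{
    // Resolve a group name to a SID explicitly so that a lookup failure is
    // reported instead of silently turning into "not in role".
    // Returns null when the name cannot be resolved.
    static SecurityIdentifier ResolveGroup(string groupName)
    {
        try
        {
            return (SecurityIdentifier)new NTAccount(groupName)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException ex)
        {
            // The lookup ran, but nothing it could ask knows this name.
            Console.Error.WriteLine("Group '{0}' not mapped: {1}", groupName, ex.Message);
        }
        catch (SystemException ex)
        {
            // Translate is documented to throw SystemException when the
            // underlying lookup returns a Win32 error; the message carries it.
            Console.Error.WriteLine("Lookup of '{0}' failed: {1}", groupName, ex.Message);
        }
        return null;
    }

    // Membership test by SID; fails closed when the group cannot be resolved,
    // with the cause already written to stderr by ResolveGroup.
    public static bool IsMember(WindowsIdentity user, string groupName)
    {
        SecurityIdentifier sid = ResolveGroup(groupName);
        if (sid == null) return false;
        return new WindowsPrincipal(user).IsInRole(sid);
    }

    static void Main()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            // BUILTIN\Users resolves locally; the second name is a constructed placeholder.
            foreach (string g in new[] { @"BUILTIN\Users", @"EXAMPLEDOM\Example Group" })
                Console.WriteLine("{0}: {1}", g, IsMember(me, g));
        }
    }
}
```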

