Re: Other than BuiltIn groups for Windows Authentication

From: Joey Lee (joeylta1979_at_hotmail.com)
Date: 09/15/05


Date: Thu, 15 Sep 2005 12:58:25 +0800

Hi,

I tried <domain>\Gamers but it does not work.

Here is my code

Class File
---------------------------------------------------------------
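// Requires: using System; using System.Threading; using System.Security.Principal;
// Make Thread.CurrentPrincipal return the Windows user for this AppDomain.
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
WindowsIdentity identity = (WindowsIdentity)prin.Identity;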

----------------------------------------------------------------

Web config
-------------------------------------------------------------
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
-------------------------------------------------------------

When I try to get the role through this code below, which I found on the web

Code--------------------------------------------------------------------------
// Requires: using System; using System.Reflection; using System.Security.Principal;
public static string GetUserRoles(WindowsPrincipal winPrincipal)
{
    string userRoles = "";
    WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;

    if (identity != null)
    {
        // GetRoles is a non-public member of WindowsIdentity, so it is
        // invoked through reflection.
        Type t = identity.GetType();
        string[] roles = (string[])t.InvokeMember(
            "GetRoles",
            BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.InvokeMethod,
            null, identity, null);

        if (roles != null)
        {
            // Build a comma-separated list of the role names.
            foreach (string role in roles)
            {
                if (userRoles != "")
                {
                    userRoles += ",";
                }
                userRoles += role;
            }
        }
    }
    return userRoles;
}
-----------------------------------------------------------------

I got the following results:

<domainname>\Domain Users,Everyone,BUILTIN\Administrators,BUILTIN\Users,NT AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,

It does not have <domainname\Gamers>

However, by using LDAP I am able to get CN=Gamers

Did I configure something wrong? Thanks

Joey

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:42565460e17098c787d65ba82170@news.microsoft.com...
> Hello Joey,
>
> WindowsPrincipal.IsInRole expects fully qualified group names - these are
> AUTHORITY\GROUP
>
> e.g. DOMAIN\Gamers for domain accounts
>
> or MyMachine\Gamers for local accounts
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hi,
>>
>> I am using Windows authentication on my ASP.NET application. With the
>> WindowsPrincipal I can authenticate myself against groups such as
>>
>> BUILTIN\Users
>>
>> I am assuming that this group is supplied by the Active Directory when
>> I log into the domain using my PC.
>>
>> The problem now is I have added another custom group - Gamers. I tried
>> authentication using IsInRole("Gamers") but this gives me false. How do
>> I do it with Windows Authentication for this new group?
>>
>> I have another way of doing this but that is using LDAP
>> authentication, but I am trying to understand and make the Windows
>> Authentication work. Please help. Thanks
>>
>> Joey
>>
>
>
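
The check discussed in this thread, as an added example that is not part of either poster's code: it lists the groups in the current Windows token through the public WindowsIdentity.Groups property instead of reflecting on a private method, then calls IsInRole with a fully qualified AUTHORITY\GROUP name. It assumes .NET Framework 2.0 or later; the class name GroupCheck and the DOMAIN placeholder are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class GroupCheck
{
    // Returns the group names carried in the identity's Windows token,
    // using the public Groups property rather than a private method.
    public static List<string> GetTokenGroups(WindowsIdentity identity)
    {
        List<string> names = new List<string>();
        if (identity == null || identity.Groups == null)
        {
            return names;
        }

        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                // Resolve the SID to its AUTHORITY\GROUP account name.
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // SID with no account name: keep the raw SID string.
                names.Add(sid.Value);
            }
        }
        return names;
    }

    public static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        foreach (string name in GetTokenGroups(identity))
        {
            Console.WriteLine(name);
        }

        // DOMAIN is a placeholder: substitute the real domain or machine name.
        string group = @"DOMAIN\Gamers";
        Console.WriteLine("{0}: {1}", group, principal.IsInRole(group));
    }
}
```

In an ASP.NET page the identity would come from the request (for example `User.Identity as WindowsIdentity`) rather than from `WindowsIdentity.GetCurrent()`.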


