Re: ASP.NET 2.0 Authorization Roles..Got Solution.



The only difference I see with the provider and a normal WindowsPrincipal is that the machine name for local groups gets stripped out.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
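An added diagnostic helper (not code from the thread or from DevelopMentor) that shows both points raised above: enumerating the groups on the request's WindowsIdentity the way Dominick's "drop this page in your app" listing does, keeping the raw SID when a group cannot be translated (the S-1-5-21-... line in Atul's output), and checking one group name through WindowsPrincipal.IsInRole and through WindowsTokenRoleProvider side by side. The group name "WMSAdmin" and the page-code usage in the trailing comments are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web.Security;

public static class RoleDiagnostics
{
    // One line per group SID on the identity, translated to DOMAIN\Group
    // (local groups come back as MACHINENAME\Group or BUILTIN\Group).
    // A SID that no longer maps to an account, or belongs to an unreachable
    // domain, is left as the raw S-1-5-... string instead of being dropped.
    public static string ListGroups(WindowsIdentity identity)
    {
        StringBuilder sb = new StringBuilder();
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value; // unresolvable SID, keep it visible
            }
            sb.AppendLine(name);
        }
        return sb.ToString();
    }

    // A bare local group name ("WMSAdmin") is not what the principal
    // carries; local groups are qualified with the machine name.
    public static string QualifyLocalGroup(string group)
    {
        return group.Contains("\\") ? group : Environment.MachineName + "\\" + group;
    }

    // Membership answered by the principal and by the role provider.
    // WindowsTokenRoleProvider.IsUserInRole only accepts the name of the
    // user executing the current request, so 'identity' must be that user.
    public static string CheckRole(WindowsIdentity identity, string group)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        WindowsTokenRoleProvider provider = new WindowsTokenRoleProvider();
        bool viaPrincipal = principal.IsInRole(group);
        bool viaProvider = provider.IsUserInRole(identity.Name, group);
        return string.Format("{0}: principal={1} provider={2}", group, viaPrincipal, viaProvider);
    }
    // Assumed usage from a page under <authentication mode="Windows"/>:
    //   WindowsIdentity id = (WindowsIdentity)Context.User.Identity;
    //   Label1.Text = Server.HtmlEncode(RoleDiagnostics.ListGroups(id)).Replace("\n", "<br/>")
    //               + RoleDiagnostics.CheckRole(id, RoleDiagnostics.QualifyLocalGroup("WMSAdmin"));
}
```

Because group SIDs are read from the logon token, a user added to a group after logging on still lists without it until the next logon, which is the check Joe Kaplan asks about further down.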

I know this is not a perfect solution, but this solution is working, as the regular solution is not working.

I never used WindowsTokenRoleProvider earlier.

"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631996558c827723dce2450@xxxxxxxxxxxxxxxxxxxxx

I don't really see how this is a solution - but if it works for you - fair enough.

did you use the WindowsTokenRoleProvider before?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi, After struggling for 2 days, I finally got the solution.

Here are the changes in my web.config file.
<appSettings>
  <add key="GroupName" value="DomainName\WMSAdmin"/>
</appSettings>
<authentication mode="Windows"/>
<authorization>
  <allow roles="DomainName\WMSAdmin"/>
</authorization>
<roleManager defaultProvider="WindowsProvider" enabled="true"
             cacheRolesInCookie="false">
  <providers>
    <add name="WindowsProvider"
         type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
Here are the Code Changes:
module level variable declaration:
private string mstrUserRoleName = System.Configuration.ConfigurationManager.AppSettings["GroupName"];
Method Code:
private void GetTokenInfo()
{
    // Requires: using System.Web.Security;
    WindowsTokenRoleProvider instance = new WindowsTokenRoleProvider();
    // The provider only accepts the name of the user executing the current request.
    string strUserNameToMatch = User.Identity.Name;
    if (instance.IsUserInRole(strUserNameToMatch, mstrUserRoleName))
        Label1.Text = strUserNameToMatch + " <u>is part of</u> <b>" + mstrUserRoleName + "</b>";
    else
        Label1.Text = strUserNameToMatch + " <u>is not part of</u> <b>" + mstrUserRoleName + "</b>";
}
Hope this will help others.
Thanks
Atul
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631995108c82698fb8d5580@xxxxxxxxxxxxxxxxxxxxx
no - everything normally works as expected - must be something different...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes!
But again it is not working.
Is it a known issue that it doesn't work in W2k3 Server?
"Joe Kaplan (MVP - ADSI)"
<joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:uRtAQ2yVGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Did you log out and log back in again?

Joe K.

"Atul" <pyaarey@xxxxxxxxxxx> wrote in message
news:ekS9y2xVGHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631993808c8253b0db91c80@xxxxxxxxxxxxxxxxxxxxx

try

a) whoami /groups from the command line (part of w2k3 or the resource kit)

It lists all the groups the logged on user belongs to.

b) drop this page in your app and see what roles you are a member of (from the view of asp.net)

DOMAIN-LAN\Domain Users-----------> IsInRole=True
Everyone-----------> IsInRole=True
ATUL\BizTalk Application Users-----------> IsInRole=True
ATUL\BizTalk Isolated Host Users-----------> IsInRole=True
ATUL\BizTalk Server Administrators-----------> IsInRole=True
ATUL\Debugger Users-----------> IsInRole=True
ATUL\EDI Subsystem Users-----------> IsInRole=True
ATUL\IIS WPG-----------> IsInRole=True
ATUL\OLAP Administrators-----------> IsInRole=True
ATUL\OWS 1094864922 admin-----------> IsInRole=True
ATUL\SSO Administrators-----------> IsInRole=True
S-1-5-21-2875354219-2406699116-2307019780-1068-----------> IsInRole=False
BUILTIN\Administrators-----------> IsInRole=True
BUILTIN\Power Users-----------> IsInRole=True
BUILTIN\Users-----------> IsInRole=True
NT AUTHORITY\INTERACTIVE-----------> IsInRole=True
NT AUTHORITY\Authenticated Users-----------> IsInRole=True
NT AUTHORITY\This Organization-----------> IsInRole=True
LOCAL-----------> IsInRole=True
DOMAIN-LAN\SSOAdminGroup-----------> IsInRole=True
"ATUL" is the machine name. I do not see the Group which has
been
created newly on the domain. Also, there are two more local
groups
in the local machine, and user is part of these two groups, but
the
group names are not shown here. Why is it so?
http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.asp


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes!

MyDomain\atuls is NOT part of ROLE.

"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631993748c825346c6fb540@xxxxxxxxxxxxxxxxxxxxx

what does Context.User.Identity.Name say - the username you are expecting?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
As you said, I have modified the web.config as:

<authorization>
  <allow roles="MyDomain\\WMS ADMINISTRATORS"/>
</authorization>
And the Page Load Code is:
protected void Page_Load(object sender, EventArgs e)
{
    if (Context.User.IsInRole("MyDomain\\WMS ADMINISTRATORS"))
    {
        Label1.Text = Context.User.Identity.Name + " is part of ROLE";
    }
    else
    {
        Label1.Text = Context.User.Identity.Name + " is NOT part of ROLE";
    }
}
What am I missing here? I have verified that the current logged on user is part of the MyDomain\\WMS ADMINISTRATORS group.
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319936c8c8252d26f58370@xxxxxxxxxxxxxxxxxxxxx
Hi,
you have to use the domain\groupname format for Windows groups.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

I am facing a weird problem related to ASP.NET 2.0 Roles.
I have web.Config file having security settings:

<authentication mode="Windows"/>

<authorization>

<allow roles=".\WMSAdmin" />

</authorization>

And during the Page Load() event, when I check whether the current logged on user is in the Role specified, it fails; however, the user is part of this Role on the local machine:

If Not Page.User.IsInRole("WMSAdmin") Then
    Trace.Write("Page user is NOT part of WMSAdminGroup")
    Server.Transfer("~/NoAccess.aspx")
Else
    Trace.Write("Page user " & Page.User.Identity.Name & " is PART of WMSAdmin Group.")
End If

Any guesses what I am missing here?
Regards,
Atul

