Re: WindowsTokenRoleProvider & Domain Groups



Hi Craig,

As Joe said, the ActiveDirectoryMembershipProvider only helps validate a
given user (username/password credentials) against a certain DC or get a
list of user info from there. The return values are of type
"ActiveDirectoryMembershipUser", which doesn't provide any role/group info.
How did you get the roles/groups through the MembershipProvider?

For the "WindowsTokenRoleProvider", based on my local test, it seems that
with an authenticated Windows user, all the groups (domain, local domain and
built-in ones) can be correctly retrieved. But my test was performed in the
VS 2005 test web server, which is running under my logon user (a domain
account). So I think the behavior may be related to your ASP.NET
application's worker process identity (since the AD query is performed under
the process identity if no impersonation is used). What's the current
security identity of your ASP.NET worker process? Are you using IIS5 or
IIS6? I suggest you also try configuring the ASP.NET application to run
under a domain account to see whether you can get all the correct groups.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
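
An added example, not part of the original post or of Microsoft's code: a diagnostic helper for comparing the worker process identity with the groups the role provider reports, as the reply above suggests checking. The class name GroupDiagnostics is hypothetical, and the code assumes Windows authentication with the role manager enabled in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helper (name is an assumption): call Describe(HttpContext.Current)
// from a test page and compare the output under different process identities.
public static class GroupDiagnostics
{
    public static string Describe(HttpContext context)
    {
        StringBuilder sb = new StringBuilder();

        // Identity the code is executing as: the worker process account,
        // or the impersonated account if impersonation is enabled.
        sb.AppendLine("Executing identity: " + WindowsIdentity.GetCurrent().Name);

        IIdentity user = context.User.Identity;
        sb.AppendLine("Request user: " + user.Name +
                      " (auth type: " + user.AuthenticationType + ")");

        // Roles as seen through the configured role provider.
        if (Roles.Enabled)
        {
            sb.AppendLine("Role provider: " + Roles.Provider.Name);
            foreach (string role in Roles.GetRolesForUser())
                sb.AppendLine("  role: " + role);
        }
        else
        {
            sb.AppendLine("Role manager is not enabled in web.config.");
        }

        // Group SIDs carried in the user's Windows token, resolved one at a
        // time so a SID that cannot be mapped to a name is still listed.
        WindowsIdentity win = user as WindowsIdentity;
        if (win != null && win.Groups != null)
        {
            foreach (IdentityReference sid in win.Groups)
            {
                try { sb.AppendLine("  token group: " + sid.Translate(typeof(NTAccount)).Value); }
                // IdentityNotMappedException derives from SystemException.
                catch (SystemException) { sb.AppendLine("  token group (unresolved SID): " + sid.Value); }
            }
        }
        return sb.ToString();
    }
}
```

Remove the test page once the comparison is done, since the output lists account and group names.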
