Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken



I'm not sure what the problem is, but I would suggest writing some quick
code that takes the WindowsIdentity object for the authenticated user (cast
Context.User.Identity to WindowsIdentity), takes the objects in the Groups
property (IdentityReferenceCollection) and converts them to NTAccount objects
via the Translate method. Then you can look at the names of the groups.
That will help identify whether the group really isn't in the token or there
is some weird string mismatch problem.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx> wrote in message
news:O2IPx14CIHA.4752@xxxxxxxxxxxxxxxxxxxxxxx
I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).

I've configured the web-site (following directions at
http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
Negotiate access, and the site itself is using Integrated Windows
Authentication and allow-anonymous.

I've added an entry to my local HOSTS file, since there is no real
domain-name (yet) for the web-site DNS. So, my urls look like
http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
(127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
put it there) as http://*.mysite.com.

I have a local group on the server computer (W2K3) named "Local PAIS
Admins". I have added myself to that group, and logged out of Windows and
logged back in (to the local machine -- the same computer that is hosting
the web site).

In web.config, I have a <location> element for the Admin.aspx page:

<location path="Admin.aspx">
<system.web>
<authorization>
<allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>

obviously, substituting the actual machine name for COMPUTER-NAME-HERE.

If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
though I am in that group. I am prompted 3 times for my credentials,
and I enter them correctly. Finally, I get the Access is Denied default
error page, with a 401.2 error.

If I run with the RoleManager element commented out, it works, and I can
see the page.

If I add myself to a BUILTIN group (say, Power Users), and change the
above <location> element to allow only that BUILTIN group, with
RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
BUILTIN groups work though.

I've not ever edited any of the
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.

Can someone explain what is happening? Is this a known ASP.NET
WindowsTokenRoleProvider limitation? Am I doing something wrong?

I've a production deployment going on a similarly configured site, and we
need to use local-machine groups.

Thanks in advance,

Howard Hoffman



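The diagnostic Joe describes, written out as an added example (this is not code from Joe's reply or from Howard's site). It assumes an ASP.NET 2.0 page running under Integrated Windows Authentication, so that Context.User.Identity is a WindowsIdentity; the class name TokenGroupDump, the method names, the Diag.aspx page and the "MYSERVER\Local PAIS Admins" role string are assumptions for illustration only, and the role string should be replaced with the exact value used in the <allow roles="..."> attribute.

```csharp
// Added diagnostic for an ASP.NET 2.0 site with Integrated Windows Authentication.
// Place the class in App_Code and call it from a page's Page_Load.
// Only System.Security.Principal (mscorlib) is needed; nothing here touches the role manager.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public static class TokenGroupDump
{
    // One line per group SID in the authenticated user's token, translated to an
    // NTAccount name ("MACHINE\Group", "BUILTIN\Group", "DOMAIN\Group") where the
    // machine can resolve it. SIDs that cannot be mapped (deleted local groups,
    // domain SIDs the machine cannot look up) are kept as raw SID strings so the
    // dump never throws half way through.
    public static List<string> DumpGroups(WindowsIdentity identity)
    {
        List<string> lines = new List<string>();
        if (identity == null || identity.Groups == null)
        {
            lines.Add("(no WindowsIdentity or no token groups: is Integrated auth on and anonymous off?)");
            return lines;
        }

        foreach (IdentityReference group in identity.Groups)
        {
            string name;
            try
            {
                name = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "(unmapped)";
            }
            lines.Add(name + "    " + group.Value);
        }
        return lines;
    }

    // The same check authorization performs: the literal role string from
    // web.config against WindowsPrincipal.IsInRole. If the group shows up in
    // DumpGroups but this returns false, the problem is the string, not the token.
    public static bool IsInConfiguredRole(WindowsIdentity identity, string roleFromWebConfig)
    {
        if (identity == null)
        {
            return false;
        }
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(roleFromWebConfig);
    }
}

// Hypothetical Diag.aspx code-behind that writes the dump as plain text.
public partial class Diag : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        WindowsIdentity wi = Context.User.Identity as WindowsIdentity;
        Response.Write("Identity type: " + Context.User.Identity.GetType().FullName + "\r\n");
        Response.Write("Name: " + Context.User.Identity.Name + "\r\n\r\n");

        foreach (string line in TokenGroupDump.DumpGroups(wi))
        {
            Response.Write(line + "\r\n");
        }

        // Assumed role string; use the exact value from <allow roles="..."/>.
        string role = @"MYSERVER\Local PAIS Admins";
        Response.Write("\r\nIsInRole(\"" + role + "\") = "
                       + TokenGroupDump.IsInConfiguredRole(wi, role) + "\r\n");
    }
}
```

Run the page with the role manager commented out first (the configuration in which Admin.aspx already works) so the page itself is reachable. A local group appears in the dump as MACHINENAME\GroupName and a built-in one as BUILTIN\GroupName, so the dump shows directly whether the "Local PAIS Admins" entry is in the token and which machine-name prefix it carries; compare that prefix character for character with the <allow roles> attribute. Because group membership is read from the logon token, a user added to a local group still needs a fresh logon (and, for NTLM to a site on the same box, a fresh browser session) before the group will appear.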