Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- From: "Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx>
- Date: Thu, 11 Oct 2007 08:57:37 -0400
Joe -
I appreciate your response, but I don't see how it helps me.
There is no Group property on the WindowsIdentity object in .NET 2.0, is
there?
I can certainly instantiate a new NTIdentity object from the
HttpContext.Current.User.Identity.Name (and domain) just fine.
So, there is a real-SID for the user-name. Where do we go from here?
There is no copy / paste error - I put the group name on the clipboard in
Computer Management / Local Users and Groups / Groups, and pasted that into
Web.config.
Thanks in advance,
Howard Hoffman
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufRXXK6CIHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
I'm not sure what the problem is, but I would suggest writing some quick
code that takes the WindowsIdentity object for the authenticated user
(cast Context.User.Identity to WindowIdentity), take the objects in the
Group property (IdentityReferenceCollection) and convert them to NTAccount
objects via the Translate method. Then you can look at the names of the
groups. That will help identify whether the group really isn't in the
token or there is some weird string mismatch problem.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx> wrote in message
news:O2IPx14CIHA.4752@xxxxxxxxxxxxxxxxxxxxxxx
I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
I've configured the web-site (following directions at
http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
Negotiate access, and the site itself is using Integrated Windows
Authentication and allow-anonymous.
I've added an entry to my local HOSTS file, since there is no real
domain-name (yet) for the web-site DNS. So, my urls look like
http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
(127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
put it there) as http://*.mysite.com.
I have a local group on the server computer (W2K3) named "Local PAIS
Admins". I have added myself to that group, and logged out of Windows
and logged back in (to the local machine -- the same computer that is
hosting the web site).
In web.config, I have a <location> element for the Admin.aspx page:
<location path="Admin.aspx">
<system.web>
<authorization>
<allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>
obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
though I am in that group. I am prompted 3 times for the my credentials,
and I enter them correctly. Finally, I get the Access is Denied default
error page, with a 401.2 error.
If I run with the RoleManager element commented out, it works, and I can
see the page.
If I add myself to a BUILTIN group (say, Power Users), and change the
above <location> element to allow only that BUILTIN group, with
RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
BUILTIN groups work though.
I've not ever edited any of the
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
Can someone explain what is happening? Is this a known ASP.NET
WindowsTokenRoleProvider limitation? Am I doing something wrong?
I've a production deployment going on a similarly configured site, and we
need to use local-machine groups.
Thanks in advance,
Howard Hoffman
.
- Follow-Ups:
- Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- From: Joe Kaplan
- Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- References:
- ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- From: Howard Hoffman
- Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- From: Joe Kaplan
- ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- Prev by Date: Re: Problems deploying website with membership features from XP to 2003 (take2)
- Next by Date: Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- Previous by thread: Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- Next by thread: Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- Index(es):
Relevant Pages
|
