Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken



There is a Groups property:

http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.groups.aspx

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx> wrote in message
news:uSK3gYADIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Joe -

I appreciate your response, but I don't see how it helps me.

There is no Group property on the WindowsIdentity object in .NET 2.0, is
there?
I can certainly instantiate a new NTIdentity object from the
HttpContext.Current.User.Identity.Name (and domain) just fine.
So, there is a real-SID for the user-name. Where do we go from here?

There is no copy / paste error - I put the group name on the clipboard in
Computer Management / Local Users and Groups / Groups, and pasted that
into Web.config.

Thanks in advance,

Howard Hoffman

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufRXXK6CIHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
I'm not sure what the problem is, but I would suggest writing some quick
code that takes the WindowsIdentity object for the authenticated user
(cast Context.User.Identity to WindowsIdentity), take the objects in the
Group property (IdentityReferenceCollection) and convert them to
NTAccount objects via the Translate method. Then you can look at the
names of the groups. That will help identify whether the group really
isn't in the token or there is some weird string mismatch problem.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx> wrote in message
news:O2IPx14CIHA.4752@xxxxxxxxxxxxxxxxxxxxxxx
I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).

I've configured the web-site (following directions at
http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
and Negotiate access, and the site itself is using Integrated Windows
Authentication and allow-anonymous.

I've added an entry to my local HOSTS file, since there is no real
domain-name (yet) for the web-site DNS. So, my urls look like
http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
sites in IE (I put it there) as http://*.mysite.com.

I have a local group on the server computer (W2K3) named "Local PAIS
Admins". I have added myself to that group, and logged out of Windows
and logged back in (to the local machine -- the same computer that is
hosting the web site).

In web.config, I have a <location> element for the Admin.aspx page:

<location path="Admin.aspx">
  <system.web>
    <authorization>
      <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

obviously, substituting the actual machine name for COMPUTER-NAME-HERE.

If I run with RoleManager enabled in ASP.NET (<roleManager
enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
though I am in that group. I am prompted 3 times for my
credentials, and I enter them correctly. Finally, I get the Access is
Denied default error page, with a 401.2 error.

If I run with the RoleManager element commented out, it works, and I can
see the page.

If I add myself to a BUILTIN group (say, Power Users), and change the
above <location> element to allow only that BUILTIN group, with
RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
BUILTIN groups work though.

I've not ever edited any of the
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.

Can someone explain what is happening? Is this a known ASP.NET
WindowsTokenRoleProvider limitation? Am I doing something wrong?

I've a production deployment going on a similarly configured site, and
we need to use local-machine groups.

Thanks in advance,

Howard Hoffman
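The diagnostic Joe describes above, written out as an added example (not code from either poster): it enumerates the authenticated user's token groups via WindowsIdentity.Groups, translates each SID to an NTAccount name, and separately resolves the configured role string to a SID so a missing group can be told apart from a name that does not resolve. It assumes the code runs in an ASP.NET page where Context.User.Identity is a WindowsIdentity; the helper names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper for the thread's troubleshooting step.
public static class TokenGroupDiagnostics
{
    // Return every group in the token as DOMAIN\Name (MACHINE\Name for
    // local groups); SIDs with no account name are kept as raw SID strings.
    public static List<string> GetGroupNames(WindowsIdentity identity)
    {
        var names = new List<string>();
        foreach (IdentityReference group in identity.Groups)
        {
            try
            {
                names.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Logon SIDs and similar well-known SIDs cannot be mapped.
                names.Add(group.Value);
            }
        }
        return names;
    }

    // Compare by SID rather than by string so a spelling or machine-name
    // mismatch in Web.config shows up as a distinct failure.
    // Returns: "name-not-found" if the configured role does not resolve,
    // "in-token" if its SID is present, "not-in-token" otherwise.
    public static string CheckRole(WindowsIdentity identity, string roleName)
    {
        SecurityIdentifier sid;
        try
        {
            sid = (SecurityIdentifier)new NTAccount(roleName)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return "name-not-found";
        }
        return identity.Groups.Contains(sid) ? "in-token" : "not-in-token";
    }
}

// Usage from a page: cast the current identity and inspect the result.
// var id = (WindowsIdentity)HttpContext.Current.User.Identity;
// string verdict = TokenGroupDiagnostics.CheckRole(id, @"MACHINE\Local PAIS Admins");
```

A "name-not-found" result means the <allow roles="..."> string names no existing account on that server; "not-in-token" means the account exists but the logon token was built without it (for example, before the membership change took effect).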