Re: ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken
- From: "Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx>
- Date: Tue, 30 Oct 2007 18:32:05 -0400
It's been a while since I could get back to this issue.
Still stuck.
I have to use a RoleProvider because of other needs in the application -- there's another library that leverages RolePrincipal for authorization.
I have confirmed, via the code that Joe Kaplan suggested, that the current user is indeed in the group listed in the <location> element. In fact, I copied and pasted from the output log of Groups to web.config for the next run.
I've tried
<location path="Admin.aspx">
<system.web>
<authorization>
<allow roles="MACHINE-NAME\GroupName" />
<deny users="*" />
</authorization>
</system.web>
</location>
but that does not work, though at Global.asax Application_EndRequest time, the HttpContext.Current.User contains a WindowsIdentity that I can query Groups (via Joe's corrective example) on.
Application_EndRequest is called 2 times in this case -- once with a non-authenticated HttpContext.Current.User.Identity (a WindowsIdentity), and the other with a properly constructed, authenticated assigned value. Indeed, that is the instance of User.Identity that has the group in the list. This results in 401.1. In between the 2 calls, IE pops for credentials, and I enter valid credentials.
If I remove the MACHINE-NAME from the above configuration, Application_EndRequest is only called 1 time, without an authenticated identity. IE still pops for credentials here.
The data still appears to show a limitation, near as I can tell.
Any and all guidance appreciated.
Howard Hoffman
..
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:8e6a913a16b728c9dc90bd3b0b30@xxxxxxxxxxxxxxxxxxxxx
IIRC
if you use the WindowsTokenRoleProvider you have to omit the machine name
for local groups.
Why do you use the provider at all?
I wrote about it here:
http://www.leastprivilege.com/SearchView.aspx?q=TokenRole
but meanwhile I came to the conclusion that all the optimization is also
done by the LSA, so I really do not see the point of this provider at all.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a
web-site).
I've configured the web-site (following directions at
http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
and Negotiate access, and the site itself is using Integrated Windows
Authentication and allow-anonymous.
I've added an entry to my local HOSTS file, since there is no real
domain-name (yet) for the web-site DNS. So, my urls look like
http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
sites in IE (I put it there) as http://*.mysite.com.
I have a local group on the server computer (W2K3) named "Local PAIS
Admins". I have added myself to that group, and logged out of Windows
and logged back in (to the local machine -- the same computer that is
hosting the web site).
In web.config, I have a <location> element for the Admin.aspx page:
<location path="Admin.aspx">
<system.web>
<authorization>
<allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>
obviously, substituting the actual machine name for
COMPUTER-NAME-HERE.
If I run with RoleManager enabled in ASP.NET (<roleManager
enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
though I am in that group. I am prompted 3 times for my
credentials, and I enter them correctly. Finally, I get the Access is
Denied default error page, with a 401.2 error.
If I run with the RoleManager element commented out, it works, and I
can see the page.
If I add myself to a BUILTIN group (say, Power Users), and change the
above <location> element to allow only that BUILTIN group, with
RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
BUILTIN groups work though.
I've not ever edited any of the
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
Can someone explain what is happening? Is this a known ASP.NET
WindowsTokenRoleProvider limitation? Am I doing something wrong?
I've a production deployment going on a similarly configured site, and
we need to use local-machine groups.
Thanks in advance,
Howard Hoffman
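A diagnostic harness for the behaviour discussed above, added here as an example and not code from the thread, from Joe Kaplan's example, or from the provider itself: it lists the groups in the current Windows token in the translated form that role checks compare against, then tests the same group name with and without the machine-name prefix. It assumes the group name "Local PAIS Admins" from the original post and that it is run under the account being authorized (as a console app, or adapted to the page's code-behind by casting HttpContext.Current.User.Identity to WindowsIdentity, since the token IIS builds can differ from an interactive logon token).

```csharp
using System;
using System.Security.Principal;

class RoleNameCheck
{
    static void Main(string[] args)
    {
        // Assumed group name; pass another local group as the first argument.
        string groupName = args.Length > 0 ? args[0] : "Local PAIS Admins";

        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(id);

        Console.WriteLine("Token user: {0}", id.Name);
        Console.WriteLine("Groups in token (SIDs translated to NTAccount names):");
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                // Local groups translate as MACHINE\Group, built-in ones as BUILTIN\Group.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value; // SID with no resolvable account name; print it raw
            }
            Console.WriteLine("  {0}", name);
        }

        // WindowsTokenRoleProvider.IsUserInRole wraps the request's WindowsIdentity in a
        // WindowsPrincipal and calls IsInRole(string), so these calls show which spelling
        // of the role string the provider would accept for this token.
        string withMachine = Environment.MachineName + "\\" + groupName;
        Console.WriteLine("IsInRole(\"{0}\") = {1}", withMachine, principal.IsInRole(withMachine));
        Console.WriteLine("IsInRole(\"{0}\") = {1}", groupName, principal.IsInRole(groupName));
        Console.WriteLine("IsInRole(\"BUILTIN\\Users\") = {0}", principal.IsInRole(@"BUILTIN\Users"));
    }
}
```

Compare the printed group list against the roles attribute in the <location> element character for character; a mismatch there, rather than a provider limitation, is the first thing to rule out.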