role/group authorization not recognizing user groups.

From: TygerKrash <dave.mcgowan@xxxxxxxxx>
Date: Tue, 06 Nov 2007 04:35:14 -0800

I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..

My application does not allow anonymous access, and integrated windows
authentication is enabled.

In my web config I have the following:

<authentication mode="Windows"/>
<authorization>
<allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
<deny users="*"/>
</authorization>
<identity impersonate="true"/>

As far as I can tell this should be all I need.

However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).

I have verified the users are members of the groups and that host is
aware of the groups ( double checked by restarting the server..
twice!).

Interesting, within the application I can programatically identify the
users as members of the groups but only if I use:

WindowsPrincipal principal = new
WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

If I try to use :

IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

memberOfEDI_Ops will be false ( further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).

This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.

My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.

Any Ideas, suggestions?

.

Follow-Ups:
- Re: role/group authorization not recognizing user groups.
  - From: Joe Kaplan

Prev by Date: Re: Cannot set specific authorization to a folder
Next by Date: Can groups be entered in the authorization tab?
Previous by thread: Re: Encrypt connectionstring in web.config
Next by thread: Re: role/group authorization not recognizing user groups.
Index(es):
- Date
- Thread

Relevant Pages

Re: Program crashes in msvcrt.dll
... It is not necessary for the development machine to be the same os-version as ... and look at the call stack when it crashes. ... > Windows 2003 Server or Windows 2000 Server. ...
(microsoft.public.vstudio.development)
Re: How to configure local PC group membership via Group Policy?
... The server is a W2003 Server, ... What I want to be able to do is make a Domain level Security Group a member ... of a Local Built In Windows XP Security Group on a selection of Windows XP ... The members and the members of that I am configuring just aren't working? ...
(microsoft.public.windows.group_policy)
FQDN Required to Access Resources
... Windows 2003 for a small office. ... DNS lives on all DCs ... Same goes for intranet addresses that use the server name: ... but is happening on ALL systems that are not members of the domain. ...
(microsoft.public.windows.server.dns)
Re: Group Policy
... As a matter of fact Lanwench, I should have posted this inquiry in Windows ... Server group, as I was actually talking about AD environment. ... machine on members of the ... AD = Active Directory. ...
(microsoft.public.windowsxp.security_admin)
installing Sharepoint Service 3.0 Tools for VS 2008
... I have a Sharepoint server running on Windows 2003 Server. ... to do some custom Web parts using VS 2008. ... does my development machine need to be running Windows Server 2003 in order ...
(microsoft.public.sharepoint.portalserver.development)