Re: role/group authorization not recognizing user groups.



It is strange that your Thread.CurrentPrincipal isn't a WindowsPrincipal.
What is the Context.User property in this case? Thread.CurrentPrincipal and
Context.User should be the same in an ASP.NET app in most circumstances.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"TygerKrash" <dave.mcgowan@xxxxxxxxx> wrote in message
news:1194352514.662852.295560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..

My application does not allow anonymous access, and integrated windows
authentication is enabled.

In my web config I have the following:

<authentication mode="Windows"/>
<authorization>
  <allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
  <deny users="*"/>
</authorization>
<identity impersonate="true"/>

As far as I can tell this should be all I need.


However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).


I have verified the users are members of the groups and that the host is
aware of the groups (double checked by restarting the server..
twice!).

Interestingly, within the application I can programmatically identify the
users as members of the groups but only if I use:

WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

If I try to use:

IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

memberOfEDI_Ops will be false (further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).


This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.


My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.

Any ideas, suggestions?
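
Added example, not part of the original thread: a diagnostic handler that prints, side by side, the three principals discussed above (Context.User, Thread.CurrentPrincipal and WindowsIdentity.GetCurrent()) and what each answers for the group names in the posted web.config. The <authorization> rules are evaluated against Context.User, so that is the entry to compare with the other two. The handler name WhoAmIHandler and its registration in web.config (not shown) are assumptions, as is the affected user being able to reach it.

```csharp
// Added diagnostic example; WhoAmIHandler is a hypothetical name, not code from the thread.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Group names as they appear in the posted web.config and code snippets.
    private static readonly string[] Roles =
        { @"ie.mydomain\EDI_GROUP", @"ie.mydomain\EDI_OPS", "EDI_Ops" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // The principal ASP.NET attached to the request (what URL authorization checks).
        Describe(context, "Context.User", context.User);
        // The principal attached to the thread executing the request.
        Describe(context, "Thread.CurrentPrincipal", Thread.CurrentPrincipal);
        // The Windows token the thread is running under (reflects impersonate="true").
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Describe(context, "WindowsIdentity.GetCurrent()", new WindowsPrincipal(current));
        }
    }

    private static void Describe(HttpContext context, string label, IPrincipal principal)
    {
        HttpResponse response = context.Response;
        if (principal == null)
        {
            response.Write(label + ": <null>\r\n");
            return;
        }

        IIdentity id = principal.Identity;
        response.Write(string.Format("{0}: {1}\r\n", label, principal.GetType().FullName));
        response.Write(string.Format("  name='{0}' authType='{1}' authenticated={2}\r\n",
            id.Name, id.AuthenticationType, id.IsAuthenticated));
        foreach (string role in Roles)
        {
            response.Write(string.Format("  IsInRole({0}) = {1}\r\n", role, principal.IsInRole(role)));
        }
    }
}
```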


