Re: role/group authorization not recognizing user groups.
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 12 Nov 2007 11:35:47 -0600
If your app is using Windows security in IIS and web.config, the
authenticated user (Context.User) should be a WindowsPrincipal. Is it
possible something else has been added to the stack like membership or
something? I honestly don't know.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"TygerKrash" <dave.mcgowan@xxxxxxxxx> wrote in message
news:1194888499.408333.159770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,
Thanks for the reply.
I've just checked and Context.User is also appearing as a
GenericPrincipal (representing the same user).
I can ,and given time constraints I probably will, just identify the
users role programatically and enforce my authorization that way,
so this isn't that serious a problem, but I am curious to get to the
bottom of this.
Dave.
On Nov 10, 2:58 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
It is strange that your Thread.CurrentPrincipal isn't a WindowsPrincipal.
What is the Context.User property in this case? Thread.CurrentPrincipal
and
Context.User should be the same in an ASP.NET app in most circumstances.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"http://www.directoryprogramming.net
--"TygerKrash" <dave.mcgo...@xxxxxxxxx> wrote in message
news:1194352514.662852.295560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..
My application does not allow anonymous access, and integrated windows
authentication is enabled.
In my web config I have the following:
<authentication mode="Windows"/>
<authorization>
<allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
<deny users="*"/>
</authorization>
<identity impersonate="true"/>
As far as I can tell this should be all I need.
However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).
I have verified the users are members of the groups and that host is
aware of the groups ( double checked by restarting the server..
twice!).
Interesting, within the application I can programatically identify the
users as members of the groups but only if I use:
WindowsPrincipal principal = new
WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");
If I try to use :
IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");
memberOfEDI_Ops will be false ( further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).
This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.
My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.
Any Ideas, suggestions?
.
- Follow-Ups:
- Re: role/group authorization not recognizing user groups.
- From: TygerKrash
- Re: role/group authorization not recognizing user groups.
- References:
- role/group authorization not recognizing user groups.
- From: TygerKrash
- Re: role/group authorization not recognizing user groups.
- From: Joe Kaplan
- Re: role/group authorization not recognizing user groups.
- From: TygerKrash
- role/group authorization not recognizing user groups.
- Prev by Date: Re: role/group authorization not recognizing user groups.
- Next by Date: How to check users against security groups in Active Directory
- Previous by thread: Re: role/group authorization not recognizing user groups.
- Next by thread: Re: role/group authorization not recognizing user groups.
- Index(es):
Relevant Pages
|
