Re: role/group authorization not recognizing user groups.

From: TygerKrash <dave.mcgowan@xxxxxxxxx>
Date: Wed, 14 Nov 2007 07:38:51 -0800

Theres no Membership entry in our application web config, maybe it's
something set in the machine.config but looking at that makes me kind
of dizzy! Guess I'll mark this one up as 'weird' for the time being.
I'll work around it and move on.

thanks for your help.

On Nov 12, 5:35 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

If your app is using Windows security in IIS and web.config, the
authenticated user (Context.User) should be a WindowsPrincipal. Is it
possible something else has been added to the stack like membership or
something? I honestly don't know.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"http://www.directoryprogramming.net
--"TygerKrash" <dave.mcgo...@xxxxxxxxx> wrote in message

news:1194888499.408333.159770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi Joe,
Thanks for the reply.

I've just checked and Context.User is also appearing as a
GenericPrincipal (representing the same user).

I can ,and given time constraints I probably will, just identify the
users role programatically and enforce my authorization that way,
so this isn't that serious a problem, but I am curious to get to the
bottom of this.

Dave.

On Nov 10, 2:58 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

It is strange that your Thread.CurrentPrincipal isn't a WindowsPrincipal.
What is the Context.User property in this case? Thread.CurrentPrincipal
and
Context.User should be the same in an ASP.NET app in most circumstances.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"http://www.directoryprogramming.net
--"TygerKrash" <dave.mcgo...@xxxxxxxxx> wrote in message

news:1194352514.662852.295560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..

My application does not allow anonymous access, and integrated windows
authentication is enabled.

In my web config I have the following:

<authentication mode="Windows"/>
<authorization>
<allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
<deny users="*"/>
</authorization>
<identity impersonate="true"/>

As far as I can tell this should be all I need.

However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).

I have verified the users are members of the groups and that host is
aware of the groups ( double checked by restarting the server..
twice!).

Interesting, within the application I can programatically identify the
users as members of the groups but only if I use:

WindowsPrincipal principal = new
WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

If I try to use :

IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

memberOfEDI_Ops will be false ( further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).

This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.

My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.

Any Ideas, suggestions?

References:
- role/group authorization not recognizing user groups.
  - From: TygerKrash
- Re: role/group authorization not recognizing user groups.
  - From: Joe Kaplan
- Re: role/group authorization not recognizing user groups.
  - From: TygerKrash
- Re: role/group authorization not recognizing user groups.
  - From: Joe Kaplan

Prev by Date: How to check users against security groups in Active Directory
Next by Date: Out Of Process COM server unable to access resources
Previous by thread: Re: role/group authorization not recognizing user groups.
Next by thread: Can groups be entered in the authorization tab?
Index(es):
- Date
- Thread

Relevant Pages

Re: ADAM schema design
... In AD or ADAM, the directory service will limit the number of attribute ... you may need to do many many searches to read the group membership ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
(microsoft.public.windows.server.active_directory)
Re: ADAM schema design
... Do *not* attempt to load the complete group membership, remove one value, ... In AD or ADAM, the directory service will limit the number of attribute ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services ...
(microsoft.public.windows.server.active_directory)
Re: LDIFDE Error when trying to change passwords.
... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The -h adds the encryption. ... command or the bind command as I am not sure how to use them. ...
(microsoft.public.windows.server.active_directory)
Re: Integrated Windows Authentication Timeout?
... long as they are all on the same account. ... The problem I see frequently is that people have duplicate SPNs on more than ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: ADFS System.Web.Security.SingleSignOn.WebSsoConfigurationExcep
... claims app doesn't overlap with the federation server ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... entered the complete URL for the web site under "Base URL". ...
(microsoft.public.windows.server.active_directory)