Re: WindowsPrinciple.IsInRole not working with cached info

From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 01/26/05


Date: Wed, 26 Jan 2005 12:49:46 -0500

I wonder if when disconnected, LogonUser is using the *local* SAM to get the
WinIdent? Then your call to IsInRole will be looking at local SAM and group
may not exist locally. Another idea would be to verify via LogonUser, but
create GenericID and GenericPrincipal instead of WindowsId/Princ objects.
You will need to populate the groups yourself in the GP object. You can't
really return a list from winpric, but you can make required calls to
winpric to check required groups, then populate the GP. Then just the GP
and GI, that should work disconnected. The user does not get a GP if it was
not a member of the role as you authenticated in your GetGP(string username,
string password) method.

-- 
William Stacey, MVP
http://mvp.support.microsoft.com
"John" <john@nospam.com> wrote in message
news:u8t3a48AFHA.1556@TK2MSFTNGP10.phx.gbl...
> > Are you caching role credentials in a Principal object or are you querying
> > network role credentials?
> > If you're checking network credentials or roles I don't see how this is
> > going to work when disconnected.
>
> I'm not doing anything that I know about to cache role credentials.  I'm
> simply making a call to IsInRole( "MyGroup" ).  When I'm connected to
> the network, this works properly.  However, when the computer is
> disconnected, it does not.  My call to LogonUser does succeed when
> disconnected, apparently using some sort of credentials cached by Windows.
> I was hoping that this caching mechanism would also hold the list of groups
> the user is a member of, but apparently it does not.  I need to have this
> work if the user starts the application after the machine has been
> disconnected, so I won't be able to cache anything myself.  I'm really
> looking to understand what Windows is caching.
>
> Thanks,
>
> John
>
>
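
The approach suggested in the reply above, sketched in C# as an added example (not code from either poster): authenticate with LogonUser, test only the groups the application needs through WindowsPrincipal.IsInRole, and copy the matches into a GenericPrincipal. The class name OfflineAuth, the RequiredGroups list, the extra domain parameter and the "LogonUser" authentication-type label are assumptions for illustration; whether the IsInRole calls resolve domain groups while disconnected is the open question in this thread, and the example does not settle it.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class OfflineAuth   // hypothetical helper class
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Assumption: the application knows up front which groups it gates features on.
    static readonly string[] RequiredGroups = { "MyGroup" };

    // Returns null when the logon fails or the user is in none of the required
    // groups, so only authorized users ever receive a principal.
    public static GenericPrincipal GetGP(string username, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(username, domain, password,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            return null;
        try
        {
            // WindowsIdentity duplicates the token, so the original handle
            // is closed in the finally block below.
            using (var winId = new WindowsIdentity(token))
            {
                var winPrincipal = new WindowsPrincipal(winId);
                var roles = new List<string>();
                foreach (string group in RequiredGroups)
                    if (winPrincipal.IsInRole(group))
                        roles.Add(group);          // keep only confirmed memberships

                if (roles.Count == 0)
                    return null;

                // The generic objects hold plain strings and no Windows token.
                var id = new GenericIdentity(winId.Name, "LogonUser");
                return new GenericPrincipal(id, roles.ToArray());
            }
        }
        finally { CloseHandle(token); }
    }
}
```

The returned GenericPrincipal answers IsInRole from its in-memory role array, so later checks on it make no further Windows calls.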

