Re: WindowsPrinciple.IsInRole not working with cached info

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/26/05


Date: Wed, 26 Jan 2005 13:48:02 -0600

You've pretty much got it. LogonUser talks to the local LSA and it will
service the request if it can. That's the same principle that allows you to
log on to your machine when disconnected.

The problem is that the groups in the token are all stored as SIDs, not
names. To convert the SIDs to names for IsInRole, the .NET code calls a
Windows API function that generally results in an RPC call to the DC to do
the name resolution. This is the bit that is almost certainly failing.

I can't really think of a good way to get around this with IsInRole though.
If you somehow knew the SIDs for the group instead of the names, you could
use some p/invoke to check the token directly (from WindowsIdentity.Token),
but that's a lot of change. There are some nice wrappers for Win32 security
out there that have all this done for you, but it is pretty different.

HTH,

Joe K.

"William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
news:%23TQEuB9AFHA.1296@TK2MSFTNGP10.phx.gbl...
>I wonder if when disconnected, LogonUser is using the *local SAM to get the
> WinIdent? Then your call to IsInRole will be looking at local SAM and group
> may not exist locally. Another idea would be to verify via LogonUser, but
> create GenericID and GenericPrincipal instead of WindowsId/Princ objects.
> You will need to populate the groups yourself in the GP object. You can't
> really return a list from winpric, but you can make required calls to
> winpric to check required groups, then populate the GP. Then just use the GP
> and GI; that should work disconnected. The user does not get a GP if it was
> not a member of the role as you authenticated in your GetGP(string username,
> string password) method.
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com
>
> "John" <john@nospam.com> wrote in message
> news:u8t3a48AFHA.1556@TK2MSFTNGP10.phx.gbl...
>> > Are you caching role credentials in a Principal object or are you
>> > querying network role credentials?
>> > If you're checking network credentials or roles I don't see how this is
>> > going to work when disconnected.
>>
>> I'm not doing anything that I know about to cache role credentials. I'm
>> simply making a call to IsInRole( "MyGroup" ). When I'm connected to the
>> network, this works properly. However, when the computer is disconnected,
>> it does not. My call to LogonUser does succeed when disconnected,
>> apparently using some sort of credentials cached by Windows. I was hoping
>> that this caching mechanism would also hold the list of groups the user is
>> a member of, but apparently it does not. I need to have this work if the
>> user starts the application after the machine has been disconnected, so I
>> won't be able to cache anything myself. I'm really looking to understand
>> what Windows is caching.
>>
>> Thanks,
>>
>> John
>>
>>
>
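The p/invoke approach Joe sketches above, written out as an added example (this is not code from the thread or from any of the posters). It reads the group SIDs directly out of a token handle with GetTokenInformation(TokenGroups) and compares them against a SID string the application already knows, so no SID-to-name lookup, and therefore no RPC to a domain controller, is needed. It assumes the caller has recorded the group's SID ahead of time (for example while online); the group SID and the token source in Main are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): answer "does this token contain group X?"
// by inspecting the SIDs in the token rather than resolving group names.
static class TokenGroupCheck
{
    // TOKEN_INFORMATION_CLASS.TokenGroups
    const int TokenGroups = 2;
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    // SE_GROUP_* attribute bits from winnt.h
    const uint SE_GROUP_ENABLED = 0x00000004;
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES
    {
        public IntPtr Sid;
        public uint Attributes;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
        IntPtr tokenInformation, int tokenInformationLength, out int returnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool ConvertSidToStringSid(IntPtr sid, out IntPtr stringSid);

    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // Render a binary SID as "S-1-5-..." so it can be compared with a stored string.
    static string SidToString(IntPtr sid)
    {
        IntPtr str;
        if (!ConvertSidToStringSid(sid, out str))
            throw new Win32Exception();
        try { return Marshal.PtrToStringAuto(str); }
        finally { LocalFree(str); }
    }

    // True if the token carries an enabled, non-deny-only group with exactly this SID.
    public static bool TokenHasGroup(IntPtr token, string groupSid)
    {
        // First call with a zero-length buffer to learn the required size.
        int needed;
        GetTokenInformation(token, TokenGroups, IntPtr.Zero, 0, out needed);
        if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
            throw new Win32Exception();

        IntPtr buf = Marshal.AllocHGlobal(needed);
        try
        {
            if (!GetTokenInformation(token, TokenGroups, buf, needed, out needed))
                throw new Win32Exception();

            // TOKEN_GROUPS layout: DWORD GroupCount, then SID_AND_ATTRIBUTES Groups[].
            // The array is pointer-aligned, so it starts IntPtr.Size bytes into the
            // buffer on both 32-bit and 64-bit processes.
            int count = Marshal.ReadInt32(buf);
            IntPtr entry = new IntPtr(buf.ToInt64() + IntPtr.Size);
            int entrySize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));

            for (int i = 0; i < count; i++)
            {
                SID_AND_ATTRIBUTES g = (SID_AND_ATTRIBUTES)
                    Marshal.PtrToStructure(entry, typeof(SID_AND_ATTRIBUTES));
                entry = new IntPtr(entry.ToInt64() + entrySize);

                // A deny-only group can only ever remove access and a disabled group
                // does not apply, so neither counts as membership.
                if ((g.Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0) continue;
                if ((g.Attributes & SE_GROUP_ENABLED) == 0) continue;

                if (string.Equals(SidToString(g.Sid), groupSid, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
        finally
        {
            Marshal.FreeHGlobal(buf);
        }
    }

    static void Main(string[] args)
    {
        // Placeholder: the well-known BUILTIN\Administrators SID. Pass a domain
        // group's SID (recorded while online) as the first argument instead.
        string sid = args.Length > 0 ? args[0] : "S-1-5-32-544";

        // Any token handle works here, including one returned by LogonUser.
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("token has group {0}: {1}", sid, TokenHasGroup(me.Token, sid));
    }
}
```

Two things worth knowing when using this: a UAC-filtered token lists Administrators with SE_GROUP_USE_FOR_DENY_ONLY, so the check correctly reports false unless the process is elevated; and from .NET 2.0 onward WindowsIdentity.Groups and WindowsPrincipal.IsInRole(SecurityIdentifier) expose the same token SIDs without any p/invoke, which is the simpler route on a newer framework.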


