Re: WindowsPrinciple.IsInRole not working with cached info

From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 01/28/05

  • Next message: Coco: "RE: Saving & Running on Network Share"
    Date: Fri, 28 Jan 2005 00:14:49 -0500


    Sorry, was being lazy. Very bad abbreviation for WindowsPrinciple. I
    still think you can work around this issue with GenericPrinciple and
    GenericIdentity. Naturally, you still need to authenticate at least once
    before you disconnect to create both those objects. However, I wonder about
    security there too. What happens if someone holds onto a GP for days (i.e.
    keeps app open). You could have changed their group or even removed them
    from AD, yet their local app would still have the GP object and CAS would
    still allow. Some kind of expire date on GP could be derived. (don't
    remember if base GP has Expires date or not.) HTH

    -- 
    William Stacey, MVP
    http://mvp.support.microsoft.com
    "John" <john@nospam.com> wrote in message
    news:Ofj8mG9AFHA.2676@TK2MSFTNGP12.phx.gbl...
    > I'm definitely not using the local SAM.  I follow most of what you're
    > saying, but I'm not familiar with "winpric" - I assume you're abbreviating
    > something here, but I'm not catching on.
    >
    > "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
    > news:%23TQEuB9AFHA.1296@TK2MSFTNGP10.phx.gbl...
    > > I wonder if when disconnected, LogonUser is using the *local SAM to get
    > > the WinIdent?  Then your call to IsInRole will be looking at local SAM and
    > > group may not exist locally.  Another idea would be to verify via LogonUser,
    > > but create GenericID and GenericPrinciple instead of WindowsId/Princ
    > > objects.  You will need to populate the groups yourself in the GP object.
    > > You can't really return a list from winpric, but you can make required calls
    > > to winpric to check required groups, then populate the GP.  Then just the
    > > GP and GI, that should work disconnected.  The user does not get a GP if it
    > > was not a member of the role as you authenticated in your GetGP(string
    > > username, string password) method.
    >
    >
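The workaround discussed in this thread (authenticate once while connected, copy only the confirmed roles into a GenericPrincipal/GenericIdentity, then rely on that object while disconnected) and the staleness concern raised above, as an added C# example that is not part of the original posts. GenericPrincipal in .NET carries no expiry of its own, so the wrapper below supplies one; the role names, the 8-hour lifetime and the `CachedPrincipal` type are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not code from the thread. Wraps a GenericPrincipal built
// from an already-authenticated WindowsIdentity with an expiry, so a cached
// principal whose user has since been removed from a group (or from AD)
// does not keep answering IsInRole == true indefinitely.
public sealed class CachedPrincipal
{
    // Hypothetical role names; an application substitutes the roles it needs.
    private static readonly string[] RequiredRoles =
        { "MyApp\\Operators", "MyApp\\Admins" };

    public GenericPrincipal Principal { get; }
    public DateTime ExpiresUtc { get; }

    private CachedPrincipal(GenericPrincipal principal, DateTime expiresUtc)
    {
        Principal = principal;
        ExpiresUtc = expiresUtc;
    }

    // Must run while still connected: WindowsPrincipal.IsInRole resolves
    // group membership from the logon token, which is the lookup the thread
    // suspects falls back to the local SAM once the machine is disconnected.
    public static CachedPrincipal Build(WindowsIdentity winId, TimeSpan lifetime)
    {
        var winPrincipal = new WindowsPrincipal(winId);
        var confirmedRoles = new List<string>();
        foreach (var role in RequiredRoles)
        {
            // Only roles verified against the real token are copied into the GP;
            // a user who is not a member simply never receives that role.
            if (winPrincipal.IsInRole(role))
                confirmedRoles.Add(role);
        }

        var gi = new GenericIdentity(winId.Name, winId.AuthenticationType);
        var gp = new GenericPrincipal(gi, confirmedRoles.ToArray());
        return new CachedPrincipal(gp, DateTime.UtcNow + lifetime);
    }

    public bool IsExpired => DateTime.UtcNow >= ExpiresUtc;

    // Role check that refuses to answer from a cache older than `lifetime`;
    // when it returns false because of expiry, the caller must reconnect and
    // re-authenticate rather than keep trusting the cached groups.
    public bool IsInRole(string role)
    {
        if (IsExpired)
            return false;
        return Principal.IsInRole(role);
    }
}

// Usage, assumed for illustration:
//   var cached = CachedPrincipal.Build(WindowsIdentity.GetCurrent(), TimeSpan.FromHours(8));
//   System.Threading.Thread.CurrentPrincipal = cached.Principal; // for PrincipalPermission demands
//   ... later, possibly disconnected:
//   if (!cached.IsInRole("MyApp\\Admins")) { /* deny, or re-authenticate when connected again */ }
```

The lifetime bounds how long a revoked group membership keeps working offline; pick it to match how quickly group or account removals must take effect, since nothing in the cached object learns about changes made in AD after `Build` ran.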
    