Re: WindowsPrinciple.IsInRole not working with cached info
From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 01/28/05
- Previous message: Valery Pryamikov: "Re: .NET CLR Error 800700002"
- In reply to: John: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Next in thread: John: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Reply: John: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jan 2005 00:14:49 -0500
Sorry, was being lazy. Very bad abbreviation for WindowsPrinciple. I
still think you can work around this issue with GenericPrinciple and
GenericIdentity. Naturally, you still need to authenticate at least once
before you disconnect to create both those objects. However, I wonder about
security there too. What happens if someone holds onto a GP for days (i.e.
keeps app open). You could have changed their group or even removed them
from AD, yet their local app would still have the GP object and CAS would
still allow. Some kind of expire date on GP could be derived. (don't
remember if base GP has Expires date or not.) HTH
--
William Stacey, MVP
http://mvp.support.microsoft.com

"John" <john@nospam.com> wrote in message news:Ofj8mG9AFHA.2676@TK2MSFTNGP12.phx.gbl...
> I'm definitely not using the local SAM. I follow most of what you're
> saying, but I'm not familiar with "winpric" - I assume you're abbreviating
> something here, but I'm not catching on.
>
> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> news:%23TQEuB9AFHA.1296@TK2MSFTNGP10.phx.gbl...
> > I wonder if when disconnected, LogonUser is using the *local SAM to get the
> > WinIdent? Then your call to IsInRole will be looking at local SAM and group
> > may not exist locally. Another idea would be to verify via LogonUser, but
> > create GenericID and GenericPrinciple instead of WindowsId/Princ objects.
> > You will need to populate the groups yourself in the GP object. You can't
> > really return a list from winpric, but you can make required calls to
> > winpric to check required groups, then populate the GP. Then just the GP
> > and GI, that should work disconnected. The user does not get a GP if it was
> > not a member of the role as you authenticated in your GetGP(string username,
> > string password) method.
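The post suggests building a GenericPrincipal from groups verified once while connected, and then worries that such an object cached for days still passes IsInRole (and CAS role demands) after the user's AD groups have changed. The following C# is an added example, not code from this thread or from either poster: it wraps a GenericPrincipal in an IPrincipal that carries an expiry, so role checks fail closed once the cached membership is older than a chosen lifetime. The CreateFromVerifiedRoles helper, the clock delegate, the eight-hour lifetime and the role names are all assumptions made for the example; in a real application the role list would come from the WindowsPrincipal.IsInRole checks made right after LogonUser succeeded.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example (not from the thread): a GenericPrincipal wrapper with an
// expiry, so a principal cached while disconnected is not trusted forever.
public sealed class ExpiringPrincipal : IPrincipal
{
    private readonly GenericPrincipal _inner;
    private readonly DateTime _expiresUtc;
    private readonly Func<DateTime> _clock;   // injectable clock (assumption) so expiry can be exercised offline

    public ExpiringPrincipal(string userName, string[] roles, TimeSpan lifetime, Func<DateTime> clock)
    {
        if (roles == null) throw new ArgumentNullException("roles");
        _clock = clock ?? (() => DateTime.UtcNow);
        _inner = new GenericPrincipal(new GenericIdentity(userName), roles);
        _expiresUtc = _clock().Add(lifetime);
    }

    public IIdentity Identity { get { return _inner.Identity; } }
    public DateTime ExpiresUtc { get { return _expiresUtc; } }
    public bool IsExpired { get { return _clock() >= _expiresUtc; } }

    // Once expired, every role check fails closed; the caller must re-authenticate
    // (e.g. via LogonUser when back online) and build a fresh principal.
    public bool IsInRole(string role)
    {
        return !IsExpired && _inner.IsInRole(role);
    }
}

public static class CachedPrincipalDemo
{
    // Hypothetical stand-in for the "authenticate once while connected" step:
    // verifiedRoles is whatever the WindowsPrincipal checks confirmed at logon time.
    public static ExpiringPrincipal CreateFromVerifiedRoles(string user, string[] verifiedRoles, Func<DateTime> clock)
    {
        return new ExpiringPrincipal(user, verifiedRoles, TimeSpan.FromHours(8), clock);
    }

    public static void Main()
    {
        // Constructed sample time; the lambda captures the variable, so advancing it simulates elapsed days.
        DateTime now = new DateTime(2005, 1, 28, 5, 14, 49, DateTimeKind.Utc);
        Func<DateTime> clock = () => now;

        // Constructed sample user and roles; "App Operators" is a placeholder group name.
        ExpiringPrincipal gp = CreateFromVerifiedRoles(
            "CONTOSO\\john", new[] { "Domain Users", "App Operators" }, clock);

        Console.WriteLine("fresh, in App Operators: " + gp.IsInRole("App Operators"));
        Console.WriteLine("fresh, in Admins:        " + gp.IsInRole("Admins"));   // never granted at logon

        // The user keeps the app open for days, as the post describes; the cached
        // membership may no longer match AD, so the wrapper stops honouring it.
        now = now.AddDays(3);
        Console.WriteLine("expired:                 " + gp.IsExpired);
        Console.WriteLine("stale, in App Operators: " + gp.IsInRole("App Operators"));

        // PrincipalPermission demands consult Thread.CurrentPrincipal.IsInRole, so
        // installing the wrapper makes CAS role demands fail once the principal expires.
        Thread.CurrentPrincipal = gp;
    }
}
```

The design choice here is to put the expiry inside IsInRole rather than in the calling code, because CAS and any other consumer of IPrincipal only ever see IsInRole; an expiry flag checked elsewhere would be skipped by those paths. Re-authentication on expiry is still required to pick up group changes; the wrapper only bounds how long stale membership can be honoured.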