Re: WindowsPrinciple.IsInRole not working with cached info
From: John (john_at_nospam.com)
Date: 01/28/05
- Previous message: sabs: "Re: Which type of digital certificate to get from VeriSign for SignedXML"
- In reply to: William Stacey [MVP]: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Next in thread: Gecko: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Reply: Gecko: "Re: WindowsPrinciple.IsInRole not working with cached info"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jan 2005 17:06:53 -0500
Yeah, it looks like the user's groups are cached by Windows but only as
SIDs. Therefore, when disconnected, the best I can do is compare all the
user's group SIDs against the desired group SID that I saved the last time
the application was connected. The problem is that I'll have to save this
SID somewhere on the machine and jump through hoops to try to prevent the bad
guys from discovering its location and replacing it with the SID for "All
Users" or "Guests".
Thanks for all your help. BTW, you all probably know about this, but I
found a fantastic heap of sample code that implements seemingly complete
access to the win32 security api...
John
"William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
news:%23zJ1MlPBFHA.2788@TK2MSFTNGP15.phx.gbl...
> Sorry, was being lazy. Very bad abbreviation for WindowsPrinciple. I
> still think you can work around this issue with GenericPrinciple and
> GenericIdentity. Naturally, you still need to authenticate at least once
> before you disconnect to create both those objects. However, I wonder about
> security there too. What happens if someone holds onto a GP for days (i.e.
> keeps app open). You could have changed their group or even removed them
> from AD, yet their local app would still have the GP object and CAS would
> still allow. Some kind of expire date on GP could be derived. (don't
> remember if base GP has Expires date or not.) HTH
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com
>
> "John" <john@nospam.com> wrote in message
> news:Ofj8mG9AFHA.2676@TK2MSFTNGP12.phx.gbl...
> > I'm definitely not using the local SAM. I follow most of what you're
> > saying, but I'm not familiar with "winpric" - I assume you're abbreviating
> > something here, but I'm not catching on.
> >
> > "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> > news:%23TQEuB9AFHA.1296@TK2MSFTNGP10.phx.gbl...
> > > I wonder if when disconnected, LogonUser is using the *local SAM to get the
> > > WinIdent? Then your call to IsInRole will be looking at local SAM and group
> > > may not exist locally. Another idea would be to verify via LogonUser, but
> > > create GenericID and GenericPrinciple instead of WindowsId/Princ objects.
> > > You will need to populate the groups yourself in the GP object. You can't
> > > really return a list from winpric, but you can make required calls to
> > > winpric to check required groups, then populate the GP. Then just the GP
> > > and GI, that should work disconnected. The user does not get a GP if it was
> > > not a member of the role as you authenticated in your GetGP(string username,
> > > string password) method.
> >
> >
>
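An added example in C# (not code from this thread or from the sample code John mentions) showing the approach discussed above: resolve the role's group SID while connected, match it offline against the SIDs Windows cached on the WindowsIdentity, and wrap the result in a GenericPrincipal with an expiry as William suggests. It also addresses John's worry about the saved SID being swapped for "Everyone" or "Guests" by refusing well-known catch-all SIDs and SIDs from a different domain than the user's. The class and method names are hypothetical; it assumes the .NET 2.0 System.Security.Principal types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper, not from the thread: offline role checks built on cached group SIDs.
static class OfflineRoles
{
    // Called while connected: resolve the domain group to its SID once and persist the string.
    public static string ResolveGroupSid(string domainGroup)   // e.g. "CORP\\AppAdmins"
    {
        IdentityReference sid = new NTAccount(domainGroup).Translate(typeof(SecurityIdentifier));
        return ((SecurityIdentifier)sid).Value;
    }

    // Reject a saved SID that has been replaced with a catch-all group (Everyone, Users, Guests...)
    // or that does not belong to the same domain as the authenticated user.
    public static bool IsAcceptableRoleSid(SecurityIdentifier saved, SecurityIdentifier user)
    {
        if (saved.IsWellKnown(WellKnownSidType.WorldSid)
            || saved.IsWellKnown(WellKnownSidType.AuthenticatedUserSid)
            || saved.IsWellKnown(WellKnownSidType.BuiltinUsersSid)
            || saved.IsWellKnown(WellKnownSidType.BuiltinGuestsSid)
            || saved.IsWellKnown(WellKnownSidType.AnonymousSid))
            return false;
        // AccountDomainSid is null for non-domain SIDs; both must exist and match.
        return saved.AccountDomainSid != null && user.AccountDomainSid != null
            && saved.AccountDomainSid.Equals(user.AccountDomainSid);
    }

    // Build a GenericPrincipal carrying the role only if the cached group SIDs include the saved one.
    public static GenericPrincipal BuildPrincipal(WindowsIdentity identity, string savedSidValue,
                                                  string roleName, TimeSpan maxAge, out DateTime expiresUtc)
    {
        expiresUtc = DateTime.UtcNow + maxAge;          // William's "expire date on GP"
        SecurityIdentifier wanted = new SecurityIdentifier(savedSidValue);
        List<string> roles = new List<string>();
        if (identity.Groups != null && IsAcceptableRoleSid(wanted, identity.User))
        {
            foreach (IdentityReference g in identity.Groups)
                if (g.Equals(wanted)) { roles.Add(roleName); break; }
        }
        GenericIdentity gi = new GenericIdentity(identity.Name, identity.AuthenticationType);
        return new GenericPrincipal(gi, roles.ToArray());
    }

    // Offline IsInRole: the cached decision is only honoured until the expiry passes.
    public static bool IsInRole(GenericPrincipal principal, string role, DateTime expiresUtc)
    {
        return DateTime.UtcNow < expiresUtc && principal.IsInRole(role);
    }
}
```

The well-known-SID and same-domain checks limit what a tampered SID file can grant, but they do not protect the file itself; re-resolving the SID on every connected run keeps a stale or edited value from persisting.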