Re: WindowsPrinciple.IsInRole not working with cached info

From: Gecko (nada_at_nada.com)
Date: 01/29/05


Date: Fri, 28 Jan 2005 18:51:39 -0600

Assumptions:

1) I am not sure if I missed something here, but from what I read it
looks like when the user logs on (disconnected) it uses the SIDs that were
cached from the server the last time the user logged on (I think).

2) If you are using the Windows built-in groups, they have a hardcoded
SID (I think).

3) If you have to create custom groups or users, then you will have
access to their SIDs, which will never change unless you recreate the group
(I think).

4) I am assuming that you currently hardcode the names of the groups in
your code to enforce your security (I think).

Based on those assumptions, why don't you use the SID numbers to enforce
security in the first place? Instead of searching for the Administrators
group, search for its SID? This way you don't have to save anything.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330

I am probably missing something, but I'm just trying to help.

"John" <john@nospam.com> wrote in message
news:u4lcuWYBFHA.1296@TK2MSFTNGP10.phx.gbl...
> Yeah, it looks like the user's groups are cached by windows but only as
> SIDs. Therefore, when disconnected, the best I can do is compare all the
> user's group SIDs against the desired group SID that I saved the last time
> the application was connected. The problem is that I'll have to save this
> SID somewhere on the machine and jump thru hoops to try to prevent the bad
> guys from discovering its location and replacing it with the SID for "All
> Users" or "Guests"
>
> Thanks for all your help. BTW, you all probably know about this, but I
> found a fantastic heap of sample code that implements seemingly complete
> access to the win32 security api...
>
> http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9
>
> John
>
> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> news:%23zJ1MlPBFHA.2788@TK2MSFTNGP15.phx.gbl...
>> Sorry, was being lazy. Very bad abbreviation for WindowsPrinciple. I
>> still think you can work around this issue with GenericPrinciple and
>> GenericIdentity. Naturally, you still need to authenticate at least once
>> before you disconnect to create both those objects. However, I wonder
>> about security there too. What happens if someone holds onto a GP for
>> days (i.e. keeps app open)? You could have changed their group or even
>> removed them from AD, yet their local app would still have the GP object
>> and CAS would still allow. Some kind of expire date on GP could be
>> derived. (Don't remember if base GP has an Expires date or not.) HTH
>>
>> --
>> William Stacey, MVP
>> http://mvp.support.microsoft.com
>>
>> "John" <john@nospam.com> wrote in message
>> news:Ofj8mG9AFHA.2676@TK2MSFTNGP12.phx.gbl...
>> > I'm definitely not using the local SAM. I follow most of what you're
>> > saying, but I'm not familiar with "winpric" - I assume you're
>> > abbreviating something here, but I'm not catching on.
>> >
>> > "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
>> > news:%23TQEuB9AFHA.1296@TK2MSFTNGP10.phx.gbl...
>> > > I wonder if when disconnected, LogonUser is using the *local SAM to
>> > > get the WinIdent? Then your call to IsInRole will be looking at local
>> > > SAM and group may not exist locally. Another idea would be to verify
>> > > via LogonUser, but create GenericID and GenericPrinciple instead of
>> > > WindowsId/Princ objects. You will need to populate the groups yourself
>> > > in the GP object. You can't really return a list from winpric, but you
>> > > can make required calls to winpric to check required groups, then
>> > > populate the GP. Then just the GP and GI, that should work
>> > > disconnected. The user does not get a GP if it was not a member of the
>> > > role as you authenticated in your GetGP(string username, string
>> > > password) method.
>> >
>> >
>>
>
>
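Added example (not code from anyone in this thread): the SID-based check Gecko proposes, plus the GenericPrincipal snapshot with an expiry that William suggested. It assumes .NET 2.0 or later, where System.Security.Principal has SecurityIdentifier, WellKnownSidType and an IsInRole(SecurityIdentifier) overload on WindowsPrincipal; the custom-group SID string is a placeholder I made up for illustration, and the role names "Admin"/"Operator"/"User" are mine as well. The point of the comparison is that the built-in SIDs (KB 243330) are constant, so they can live in the compiled assembly instead of a file on disk that an attacker could swap for the SID of Users or Guests.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Role checks keyed on SIDs, not group names, so they give the same answer
// whether the token's groups came from a live DC or from Windows' cached logon.
static class SidRoleCheck
{
    // Well-known SIDs (KB 243330). Identical on every machine, so they are
    // safe to bake into the binary; nothing needs to be saved at runtime.
    static readonly SecurityIdentifier Admins =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
    static readonly SecurityIdentifier Users =
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

    // A custom domain group has the form <domain SID>-<RID>. This value is a
    // PLACEHOLDER for the example; read the real one once while connected
    // (e.g. new NTAccount("DOMAIN", "AppOperators").Translate(...)) and
    // compile it in, rather than writing it to a file the user can edit.
    static readonly SecurityIdentifier AppOperators =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");

    // Walk the token's group SIDs directly. No name lookup, so no DC needed.
    static bool HasSid(WindowsIdentity id, SecurityIdentifier sid)
    {
        if (id.Groups == null) return false;
        foreach (IdentityReference g in id.Groups)
        {
            SecurityIdentifier s = g as SecurityIdentifier;
            if (s != null && s.Equals(sid)) return true;
        }
        return false;
    }

    // Snapshot the SID decisions into a GenericPrincipal and pair it with an
    // expiry, so a long-running app re-authenticates instead of trusting a
    // days-old principal after the user's groups may have changed.
    static GenericPrincipal Snapshot(WindowsIdentity id, TimeSpan lifetime,
                                     out DateTime expiresUtc)
    {
        List<string> roles = new List<string>();
        if (HasSid(id, Admins))       roles.Add("Admin");     // role names are illustrative
        if (HasSid(id, AppOperators)) roles.Add("Operator");
        if (HasSid(id, Users))        roles.Add("User");
        expiresUtc = DateTime.UtcNow.Add(lifetime);
        return new GenericPrincipal(new GenericIdentity(id.Name), roles.ToArray());
    }

    static bool IsStillValid(DateTime expiresUtc)
    {
        return DateTime.UtcNow < expiresUtc;
    }

    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        WindowsPrincipal wp = new WindowsPrincipal(me);

        // SID overload: pure comparison against the token, works offline.
        Console.WriteLine("Admin (by SID):  " + wp.IsInRole(Admins));
        // String overload: has to resolve the name to a SID first, which is the
        // step that can fail or point at a local account when disconnected.
        Console.WriteLine("Admin (by name): " + wp.IsInRole(@"BUILTIN\Administrators"));

        DateTime expires;
        GenericPrincipal gp = Snapshot(me, TimeSpan.FromHours(8), out expires);
        Console.WriteLine("Operator: " + gp.IsInRole("Operator")
                          + ", valid: " + IsStillValid(expires)
                          + ", until " + expires.ToString("u"));
    }
}
```

The check should be done on the group list of the token itself (id.Groups), not on a copy the application wrote to disk; the only thing the application stores is the SID constant inside its own signed assembly. For the custom group, the domain SID prefix is the part that would have to be captured once while connected; it does not change for the life of the domain.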


