Re: WindowsPrinciple.IsInRole not working with cached info

From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 01/30/05


Date: Sun, 30 Jan 2005 12:36:54 -0500

That is why I would not use SIDs at all. Authenticate your WindowsIdentity
against the AD. And verify its membership in role using IsInRole. Then
create your GenericIdentity and GenericPrincipal for CAS. Seems simple to
me.

-- 
William Stacey, MVP
http://mvp.support.microsoft.com
"John" <john@nospam.com> wrote in message
news:ORS8OmaBFHA.3588@TK2MSFTNGP11.phx.gbl...
> Thanks Gecko, you got it right.  The one thing I did not mention is that
> this software will be deployed to many domains, so the custom group SID will
> be different in each case.
>
> John
>
> "Gecko" <nada@nada.com> wrote in message
> news:e4N6hyZBFHA.4072@TK2MSFTNGP10.phx.gbl...
> > Assumptions:
> >
> > 1)      I am not sure if I missed something here but from what I read it
> > looks like when the user logs on (disconnected) it uses the SIDs that were
> > cached from the server the last time the user logged on (I think).
> >
> > 2)      If you are using the windows built-in groups, they have a hardcoded
> > SID (I think).
> >
> > 3)      If you have to create custom groups or users then you will have
> > access to their SIDs, which will never change unless you recreate the group
> > (I think).
> >
> > 4)      I am assuming that you currently hardcode the name of the groups in
> > your code to enforce your security (I think).
> >
> > Based on those assumptions, why don't you use the SID numbers to enforce
> > security in the first place? Instead of searching for the Administrator
> > group, search for its SID? This way you don't have to save anything.
> >
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
> >
> > I am probably missing something but just trying to help.
>
>
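The thread offers two ways to avoid hard-coding group names: check membership by SID (Gecko), or authenticate the WindowsIdentity, test group membership with IsInRole, and then wrap the result in a GenericIdentity/GenericPrincipal for CAS (William). The following C# is an added example, not code posted by any of the participants. It assumes .NET 2.0 or later (System.Security.Principal), and "EXAMPLEDOM\\AppOperators" is a placeholder group name; everything else uses only documented framework types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Added example (not from the thread). Demonstrates SID-based role checks and
// building an application GenericPrincipal from the Windows token's groups.
static class RoleCheckDemo
{
    // Membership check by well-known SID, so the result does not depend on the
    // (localizable, renamable) group display name. IsInRole reads the group
    // SIDs already in the access token, which is what a cached (disconnected)
    // logon populates; no domain controller round trip is made here.
    public static bool IsBuiltinAdministrator(WindowsPrincipal principal)
    {
        var adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        return principal.IsInRole(adminsSid);
    }

    // Resolves a domain-qualified group name to its SID at runtime, so one
    // binary works in every domain even though the custom group's SID differs
    // per domain. Translate needs a reachable DC (or a cached mapping) and
    // throws IdentityNotMappedException otherwise; the caller decides how to
    // fail, and the safe choice is to grant nothing.
    public static SecurityIdentifier ResolveGroupSid(string domainQualifiedGroup)
    {
        var account = new NTAccount(domainQualifiedGroup);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    // Builds a GenericPrincipal carrying only the application roles the token
    // proves, so the rest of the code (PrincipalPermission demands, IsInRole on
    // Thread.CurrentPrincipal) is written against application role names rather
    // than Windows group names or SIDs.
    public static GenericPrincipal BuildAppPrincipal(WindowsIdentity identity,
        IDictionary<string, SecurityIdentifier> roleToGroupSid)
    {
        var windowsPrincipal = new WindowsPrincipal(identity);
        var roles = new List<string>();
        foreach (KeyValuePair<string, SecurityIdentifier> entry in roleToGroupSid)
        {
            if (windowsPrincipal.IsInRole(entry.Value))
                roles.Add(entry.Key);
        }
        return new GenericPrincipal(new GenericIdentity(identity.Name), roles.ToArray());
    }

    static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        var windowsPrincipal = new WindowsPrincipal(identity);

        Console.WriteLine("User: " + identity.Name);
        Console.WriteLine("Local Administrators (by SID): " + IsBuiltinAdministrator(windowsPrincipal));

        // Placeholder group name; replace with a real DOMAIN\Group in deployment.
        var roleMap = new Dictionary<string, SecurityIdentifier>();
        try
        {
            roleMap["Operator"] = ResolveGroupSid("EXAMPLEDOM\\AppOperators");
        }
        catch (IdentityNotMappedException ex)
        {
            // Offline with no cached name-to-SID mapping: fail closed, no role granted.
            Console.WriteLine("Could not resolve group, granting no Operator role: " + ex.Message);
        }

        Thread.CurrentPrincipal = BuildAppPrincipal(identity, roleMap);
        Console.WriteLine("Operator role: " + Thread.CurrentPrincipal.IsInRole("Operator"));
    }
}
```

The separation matters for the cached-logon case the thread is about: the token's group SIDs (and therefore IsInRole against a SecurityIdentifier) are available offline, while name-to-SID translation of a domain group may not be, so only the translation step needs a fallback, and that fallback should deny rather than assume membership.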

