Re: Check group membership, the sequel

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/22/05


Date: Mon, 21 Feb 2005 22:29:17 -0600

So, you need to look up the group membership for a user that you don't have
a security token for? That is a little bit harder.

The absolute best way to deal with that situation is to use the protocol
transition (S4U) feature of Windows Server 2003 AD by creating a
WindowsIdentity for the user with their userPrincipalName. You don't need a
password for this. You get a lower privileged token, but you can still
create a WindowsPrincipal that can be used for role checks.

If you don't have a native mode 2003 AD, then this problem is harder to deal
with. You'll probably need to do some directory services code to do the
group membership expansion (although the AzMan APIs may be an option as
well). The secret with LDAP calls is to use the tokenGroups attribute which
is a calculated attribute that contains the fully expanded security group
membership for the object.

Joe K.

"Sameh Ahmed" <essoplus@hotmail.com> wrote in message
news:uokivaIGFHA.2156@TK2MSFTNGP10.phx.gbl...
>I need to specify a different user than the one used to run the code
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:u1k4QLEGFHA.1392@tk2msftngp13.phx.gbl...
>> IsInRole supports fully nested security group membership (assuming you
>> are on a 2000 native AD domain that supports nested groups). You don't
>> have to do anything extra to make this work.
>>
>> Joe K.
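Both approaches from the reply above, as an added C# example that is not code from the thread: the S4U path builds a WindowsIdentity from a UPN without a password, and the LDAP fallback reads the constructed tokenGroups attribute. It assumes a domain-joined machine, a Windows Server 2003 native-mode domain for the S4U path, and placeholder names for the user, DN and group.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Example code added to illustrate the reply; user, DN and group names are placeholders.
static class GroupMembershipCheck
{
    // Path 1: protocol transition (S4U2Self). No password is needed. The token is
    // identification-level: good enough for IsInRole, not for impersonating the
    // user against network resources.
    public static bool IsInRoleViaS4U(string upn, string groupName)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        WindowsPrincipal principal = new WindowsPrincipal(id);
        return principal.IsInRole(groupName);
    }

    // Path 2: LDAP, for domains where S4U is unavailable. tokenGroups is a
    // constructed attribute, so it must be requested explicitly via RefreshCache;
    // it returns the fully expanded (nested) security-group SIDs of the object.
    public static List<string> GroupsViaTokenGroups(string userDn)
    {
        List<string> groups = new List<string>();
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn))
        {
            user.RefreshCache(new string[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                try
                {
                    // Translate SID to DOMAIN\Group; keep the raw SID if it cannot be mapped.
                    groups.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    groups.Add(sid.Value);
                }
            }
        }
        return groups;
    }

    static void Main()
    {
        Console.WriteLine(IsInRoleViaS4U("user@example.com", "EXAMPLE\\Domain Admins"));
        foreach (string g in GroupsViaTokenGroups("CN=User,OU=Users,DC=example,DC=com"))
            Console.WriteLine(g);
    }
}
```

Compare the group list from the two paths when validating: because tokenGroups is computed by the directory, it reflects nested membership without any manual memberOf expansion.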


