
.NET Forum / ASP.NET / Web Services / June 2005


User.IsInRole is always FALSE

Oliver Rainer - 07 Jun 2005 16:01 GMT
Hi, I have the following problem...

Pre-requisites:
Installation of an ASP.NET web service on an IIS5 server (Win2k). Anonymous
access is not allowed, only using Windows authentication (intranet app),
web methods are using the PrincipalPermission attribute
([PrincipalPermission(SecurityAction.Demand,
Role=@"DomainName\WindowsGroup...")]) for identification.

Result --> does not work

When I change this to [PrincipalPermission(SecurityAction.Demand,
Name=@"DomainName\Windowsuser...")]  -> it runs fine

--> conclusion: IIS cannot determine if a user belongs to an AD group -->
IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!

I already found an article on the web
(http://www.kbalertz.com/kb_894432.aspx   --> web dir is UNC share), but
it didn't solve the problem...

Does anyone know more about this issue?

Thanks
Oliver Rainer
Joseph Bittman MCAD - 07 Jun 2005 17:53 GMT
June 7, 2005

hehe I actually have to go to a meeting right now, but a quick suggestion
before I leave. Try switching the PrincipalPermission
role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
this change, but it should work.... depending on which role it is, so if you
could post it, that would really help... until later! :-)

Signature

    Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

> Hi, I have the following problem...
>
[quoted text clipped - 21 lines]
> Thanks
> Oliver Rainer
Oliver Rainer - 08 Jun 2005 08:33 GMT
Thanks for your suggestion... that really works for local groups (BUILTIN),
but IIS still has the problem to resolve AD groups (OURDOMAIN\...)... The
strange thing is that on certain machines (our developer machines), IIS can
successfully determine if a user belongs to an AD group...

Do you have other suggestions??

Thanks
Oliver Rainer

> June 7, 2005
>
[quoted text clipped - 29 lines]
> > Thanks
> > Oliver Rainer
Joseph Bittman MCAD - 08 Jun 2005 16:48 GMT
June 9, 2005

  :-) Yes, the BUILTIN will only work for local groups. AD groups are
somewhat more mysterious and I have had problems with them myself. When you
call IsInRole, where is the IPrincipal coming from? Are you using the
interface directly, or using an object taken from the
System.Threading.Thread.CurrentPrincipal, or the User object???? This makes
a big difference in the result that you will get, because I believe in your
case that only a principal taken from User will reflect the user's identity
and not ASPNET. If you could post how you got IPrincipal.IsInRole, then I
believe that I can help you further! :-) Have a great day and until later!!!

Signature

    Joseph Bittman Beta ID# 678424
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

> Thanks for your suggestion... that really works for local groups
> (BUILTIN),
[quoted text clipped - 47 lines]
>> > Thanks
>> > Oliver Rainer
Oliver Rainer - 09 Jun 2005 08:18 GMT
Hi Joseph,

I executed the following code for testing the stuff --> all booleans were
false except the local admin groups...

using System.Security.Principal;
using System.Threading;

// Principal attached to the current thread, held under two static types
WindowsPrincipal windowsPrincipal = (WindowsPrincipal)Thread.CurrentPrincipal;
IPrincipal iPrincipal = Thread.CurrentPrincipal;

// Windows identity the thread is executing under
WindowsIdentity windowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent();
string user = windowsIdentity.Name;

// Role checks through the WindowsPrincipal reference
bool isLocalAdmin = windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator);
bool isInTestgroup1 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup1");
bool isInTestgroup2 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup2");

// The same checks through the IPrincipal interface
bool isLocalAdmin_2 = iPrincipal.IsInRole(@"BUILTIN\Administrators");
bool isInTestgroup1_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup1");
bool isInTestgroup2_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup2");

Thanks for your help...

Oliver Rainer

> June 9, 2005
>
[quoted text clipped - 59 lines]
> >> > Thanks
> >> > Oliver Rainer
WirelessBen - 10 Jun 2005 19:04 GMT
Hi Oliver,

I was able to fix this problem by changing the web.config file from
mode="None" to mode="Windows" in the authentication section, e.g.

<authentication mode="Windows" />

Cheers

--
WirelessBe
Oliver Rainer - 13 Jun 2005 07:56 GMT
Thanks for your suggestion...
I checked the setting in web.config, and it was already set to "Windows"..
;-(

> Hi Oliver,
>
[quoted text clipped - 4 lines]
>
> Cheers!
CodeMeister - 15 Jun 2005 11:19 GMT
Setting up an ASP.Net application to use Windows authentication is generally
a two step process depending on how your server is configured. You need to
set the mode attribute of the authentication element to "Windows" as stated.
The second part that seems to trip people is you need to go to the IIS
manager console, right-click on your application, select properties, select
the directory security tab, under Anonymous access and authentication
control select the edit button, make sure Anonymous access is unchecked and
Integrated Windows authentication is checked. This will now force requests
to authenticate.

You should be able to capture the actual requester. You may need to check
the System.Threading.Thread.CurrentPrincipal,
System.Web.HttpContext.Current.User, and
System.Security.Principal.WindowsIdentity.GetCurrent() to see which one has
the actual account you need. These values can be different based on your
configuration settings.

If you can't find the user in any of these, you may also need to add an
identity element to your web.config with the impersonate attribute set to
true.

IHTH

Jon

> Thanks for your suggestion...
> I checked the setting in web.config, and it was already set to "Windows"..
[quoted text clipped - 11 lines]
> http://www.highdots.com/forums/member.php?userid=232
>> View this thread: http://www.highdots.com/forums/showthread.php?t=1482941
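
An added example, not code from any poster in this thread: a C# helper (the PrincipalDiagnostics class and its Describe method are hypothetical names) that reports the three identity sources listed in the last post side by side, with the IsInRole result for one group and the group SIDs carried in each Windows token. It assumes .NET 2.0 or later, which is where WindowsIdentity.Groups became available.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

// Added diagnostic helper (hypothetical name), not code from the thread.
public static class PrincipalDiagnostics
{
    // Returns a plain-text report comparing the three identity sources.
    public static string Describe(string group)
    {
        StringBuilder sb = new StringBuilder();
        HttpContext ctx = HttpContext.Current;   // null outside a web request

        Report(sb, "Thread.CurrentPrincipal", Thread.CurrentPrincipal, group);
        Report(sb, "HttpContext.Current.User", ctx == null ? null : ctx.User, group);

        // Windows identity the thread executes under: the worker process
        // account unless impersonation is enabled.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Report(sb, "WindowsIdentity.GetCurrent()", new WindowsPrincipal(current), group);
        return sb.ToString();
    }

    private static void Report(StringBuilder sb, string source, IPrincipal p, string group)
    {
        if (p == null || p.Identity == null) { sb.AppendLine(source + ": <none>"); return; }

        sb.AppendLine(source + ": name='" + p.Identity.Name + "' type="
            + p.Identity.AuthenticationType + " authenticated=" + p.Identity.IsAuthenticated
            + " IsInRole(" + group + ")=" + p.IsInRole(group));

        WindowsIdentity wi = p.Identity as WindowsIdentity;
        if (wi == null || wi.Groups == null) return;   // not a Windows token

        // List the group SIDs in the token; a SID that cannot be translated
        // to an account name is reported instead of aborting the report.
        foreach (IdentityReference sid in wi.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolved>"; }
            catch (SystemException) { name = "<lookup failed>"; }
            sb.AppendLine("    " + sid.Value + "  " + name);
        }
    }
}
```

Returning PrincipalDiagnostics.Describe(@"DOMAIN\Testgroup1") from a test web method on a working developer machine and on the failing server shows whether the two tokens carry different group SIDs or whether the SIDs are present but cannot be resolved to names.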
