
WindowsPrincipal.IsInRole throwing exceptions...

djkveton - 07 Dec 2007 10:42 GMT
Hello,

Here comes the description of the trouble:

I try to guard my code by PrincipalPermissionAttribute (but I did also try
to call IsInRole directly and even LsaLookupNames2...).
When I ask for a role that exists I receive the reply "true", which is good.
When I ask for a role that doesn't exist, I sometimes receive "false", which
is also good, and sometimes System.Exception (trust related error), which is
not so good - especially in the case of declarative security...

Interesting observations:
- Queries for roles beginning with a domain name (i.e. "DOMAIN\GROUP") always
work OK (returning "true" or "false")
- Query for role "Personal" would return "false"
- Query for role "PersonalPlus" would throw an exception.
OS: Windows Vista in domain

Has anybody experienced (and solved) this?

Thanks for your comments.
Dominick Baier - 08 Dec 2007 14:26 GMT
If you omit the Domain\ part - local groups are assumed.

What exact exception do you get (including inner exception)?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

djkveton - 09 Dec 2007 12:02 GMT
Hi Dominick,

> if you omit the Domain\ part - local groups are assumed.

I know this. What I tried to express is that I would expect the call to
return false for a non-existent group, not an exception.

> What exact exception do you get (including inner exception) ?

There is no inner exception. Just a System.Exception with a message (I do not
remember the exact message).
The .NET Framework internally calls a Win32 native function (LsaLookupNames2).
The return value of this function is C000018C (STATUS_TRUSTED_DOMAIN_FAILURE).
This converts into the Windows error message "The trust relationship between the
primary domain and the trusted domain failed."

Please note the interesting point that for some calls it fails and for others
it does not. And it does not depend on whether the group exists or not, or on
whether the account that runs the request is an administrator or a member of the
group in question or not.

Regards

 djk
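
An added example, not code from either poster: an imperative role check that fails closed when the name lookup throws, which a declarative PrincipalPermissionAttribute cannot do. `RoleCheck`, `Qualify` and `IsInRoleOrDeny` are hypothetical names, and prefixing bare names with the machine name is an assumption drawn from the observation above that qualified names always returned true or false.

```csharp
using System;
using System.Security.Principal;

// Added illustration; RoleCheck and its members are hypothetical names.
public static class RoleCheck
{
    // Bare names are treated as local groups, so state that explicitly as
    // "MACHINE\Group". Assumption: a qualified name behaves like the
    // "DOMAIN\GROUP" queries in the thread, which never threw.
    public static string Qualify(string role)
    {
        if (string.IsNullOrWhiteSpace(role))
            throw new ArgumentException("role is required", nameof(role));
        return role.Contains("\\") ? role : Environment.MachineName + "\\" + role;
    }

    // Fail closed: a failed lookup is logged and treated as "not in role",
    // so a trust or name-resolution error can never grant access and never
    // escapes as an unhandled exception from the authorization path.
    public static bool IsInRoleOrDeny(WindowsPrincipal principal, string role, Action<string> log)
    {
        string qualified = Qualify(role);
        try
        {
            return principal.IsInRole(qualified);
        }
        catch (Exception ex) // the thread reports a plain System.Exception
        {
            log("Role lookup failed for '" + qualified + "': " + ex.GetType().Name + ": " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

        // Role names from the thread's observations.
        foreach (string role in new[] { "Personal", "PersonalPlus" })
            Console.WriteLine("{0,-15} -> {1}", role, IsInRoleOrDeny(principal, role, Console.Error.WriteLine));

        // For well-known groups the SID overload takes no account name at all.
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("{0,-15} -> {1}", "Administrators", principal.IsInRole(admins));
    }
}
```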

