ASP.NET 2.0 Authorization Roles

  • Thread starter Dominick Baier [DevelopMentor]

Dominick Baier [DevelopMentor]

hi,

you have to use the domain\groupname format for windows groups.
 

Atul

Hi,

I am facing a weird problem related to ASP.NET 2.0 Roles.
I have web.Config file having security settings:

<authentication mode="Windows"/>
<authorization>
  <allow roles=".\WMSAdmin" />
</authorization>

And during Page_Load() event, when I check whether current logged on user is
in the Role specified then it fails, however, the user is part of this Role
on the local machine:

If Not Page.User.IsInRole("WMSAdmin") Then
    Trace.Write("Page user is NOT part of WMSAdminGroup")
    Server.Transfer("~/NoAccess.aspx")
Else
    Trace.Write("Page user " & Page.User.Identity.Name & " is PART of WMSAdmin Group.")
End If

Any guesses, what am I missing here.
Regards,
Atul
 

Dominick Baier [DevelopMentor]

in web.config

it is a single \

do a iisreset - maybe the token is cached somehow
 

Dominick Baier [DevelopMentor]

what does Context.User.Identity.Name say - the username you are expecting?
 

Atul

As you said, I have modified the web.config as:

<authorization>
  <allow roles="MyDomain\\WMS_ADMINISTRATORS"/>
</authorization>

And the Page_Load Code is:

protected void Page_Load(object sender, EventArgs e)
{
    if (Context.User.IsInRole("MyDomain\\WMS_ADMINISTRATORS"))
    {
        Label1.Text = Context.User.Identity.Name + " is part of ROLE";
    }
    else
    {
        Label1.Text = Context.User.Identity.Name + " is NOT part of ROLE";
    }
}

What am I missing here? I have verified that current logged on user is part
of MyDomain\\WMS_ADMINISTRATORS group.
 

Dominick Baier [DevelopMentor]

try

a) whoami /groups from the command line (part of w2k3 or the resource kit)
b) drop this page in your app and see what roles you are member of (from
the view of asp.net)

http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
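
A minimal diagnostic in the spirit of step b) above, as an added example: it is not the linked ShowContexts page and not code from any poster in this thread. The class name GroupDiagnostics and the parameter requiredRole are illustrative assumptions.

```csharp
// Added example: dump the groups in the caller's Windows token as ASP.NET
// sees them, then test the one role name the application depends on.
using System;
using System.Security.Principal;
using System.Text;

public static class GroupDiagnostics
{
    public static string Describe(WindowsIdentity identity, string requiredRole)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("User: " + identity.Name);

        // identity.Groups holds the group SIDs from the logon token.
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // Resolve the SID to DOMAIN\group or MACHINE\group.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // No name could be resolved; show the raw SID instead.
                name = sid.Value;
            }
            // Name-based check, the same kind IsInRole("DOMAIN\\group") performs.
            sb.AppendLine(name + " -> IsInRole=" + principal.IsInRole(name));
        }

        sb.AppendLine("Required role '" + requiredRole + "' -> IsInRole="
                      + principal.IsInRole(requiredRole));
        return sb.ToString();
    }
}

// Usage from a page running under <authentication mode="Windows"/>:
//
//   WindowsIdentity id = (WindowsIdentity)Context.User.Identity;
//   string report = GroupDiagnostics.Describe(id, @"MyDomain\WMS_ADMINISTRATORS");
//   Label1.Text = "<pre>" + Server.HtmlEncode(report) + "</pre>";
//
// In C#, @"MyDomain\WMS_ADMINISTRATORS" and "MyDomain\\WMS_ADMINISTRATORS" are
// the same string with one backslash. web.config has no such escaping, so the
// roles attribute there takes a single backslash.
```

The list reflects the token built when the user logged on, so a group membership added afterwards does not appear until the user logs on again.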

Atul

As you said, changed web.config and did an IISReset, but still same
response. It says "MyDomain\atuls is NOT part of Role"
 

Atul

Dominick Baier said:
try

a) whoami /groups from the command line (part of w2k3 or the resource kit)

It lists all the groups logged on user belong to.

b) drop this page in your app and see what roles you are member of (from
the view of asp.net)

DOMAIN-LAN\Domain Users-----------> IsInRole=True
Everyone-----------> IsInRole=True
ATUL\BizTalk Application Users-----------> IsInRole=True
ATUL\BizTalk Isolated Host Users-----------> IsInRole=True
ATUL\BizTalk Server Administrators-----------> IsInRole=True
ATUL\Debugger Users-----------> IsInRole=True
ATUL\EDI Subsystem Users-----------> IsInRole=True
ATUL\IIS_WPG-----------> IsInRole=True
ATUL\OLAP Administrators-----------> IsInRole=True
ATUL\OWS_1094864922_admin-----------> IsInRole=True
ATUL\SSO Administrators-----------> IsInRole=True
S-1-5-21-2875354219-2406699116-2307019780-1068-----------> IsInRole=False
BUILTIN\Administrators-----------> IsInRole=True
BUILTIN\Power Users-----------> IsInRole=True
BUILTIN\Users-----------> IsInRole=True
NT AUTHORITY\INTERACTIVE-----------> IsInRole=True
NT AUTHORITY\Authenticated Users-----------> IsInRole=True
NT AUTHORITY\This Organization-----------> IsInRole=True
LOCAL-----------> IsInRole=True
DOMAIN-LAN\SSOAdminGroup-----------> IsInRole=True

"ATUL" is the machine name. I do not see the Group which has been created
newly on the domain. Also, there are two more local groups in the local
machine, and user is part of these two groups, but the group names are not
shown here. Why is it so?
http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx


Joe Kaplan (MVP - ADSI)

Did you log out and log back in again?

Joe K.


Dominick Baier [DevelopMentor]

no - everything normally works as expected - must be something different...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Atul

Yes!
But again it is not working.

Is it a known issue that it doesn't work in W2k3 Server?
