ASP.NET 2.0 Authorization Roles

Discussion in 'ASP .Net Security' started by Dominick Baier [DevelopMentor], Apr 3, 2006.

  1. hi,

    you have to use the domain\groupname format for windows groups.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > I am facing a weird problem related to ASP.NET 2.0 Roles. I have
    > web.Config file having security settings:
    >
    > <authentication mode="Windows"/>
    >
    > <authorization>
    >
    > <allow roles=".\WMSAdmin" />
    >
    > </authorization>
    >
    > And during Page_Load() event, when I check whether current logged on
    > user is in the Role specified then it fails, however, the user is part
    > of this Role on the local machine:
    >
    > If Not Page.User.IsInRole("WMSAdmin") Then
    >
    > Trace.Write("Page user is NOT part of WMSAdminGroup")
    >
    > Server.Transfer("~/NoAccess.aspx")
    >
    > Else
    >
    > Trace.Write("Page user " & Page.User.Identity.Name & " is PART of
    > WMSAdmin Group.")
    >
    > End If
    >
    > Any guesses, what am I missing here.
    > Regards,
    > Atu
     
    Dominick Baier [DevelopMentor], Apr 3, 2006
    #1

  2. Dominick Baier [DevelopMentor]

    Atul Guest

    Hi,

    I am facing a weird problem related to ASP.NET 2.0 Roles.
    I have web.Config file having security settings:

    <authentication mode="Windows"/>

    <authorization>

    <allow roles=".\WMSAdmin" />

    </authorization>

    And during Page_Load() event, when I check whether current logged on user is
    in the Role specified then it fails, however, the user is part of this Role
    on the local machine:

    If Not Page.User.IsInRole("WMSAdmin") Then
        Trace.Write("Page user is NOT part of WMSAdminGroup")
        Server.Transfer("~/NoAccess.aspx")
    Else
        Trace.Write("Page user " & Page.User.Identity.Name & " is PART of WMSAdmin Group.")
    End If

    Any guesses, what am I missing here.
    Regards,
    Atul
     
    Atul, Apr 3, 2006
    #2

  3. in web.config

    it is a single \

    do a iisreset - maybe the token is cached somehow

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > As you said, I have modified the web.config as:
    >
    > <authorization>
    > <allow roles="MyDomain\\WMS_ADMINISTRATORS"/>
    > </authorization>
    > And the Page_Load Code is:
    >
    > protected void Page_Load(object sender, EventArgs e)
    > {
    > if (Context.User.IsInRole("MyDomain\\WMS_ADMINISTRATORS"))
    > {
    > Label1.Text = Context.User.Identity.Name + " is part of
    > ROLE";
    > }
    > else
    > {
    > Label1.Text = Context.User.Identity.Name + " is NOT part
    > of
    > ROLE";
    > }
    > }
    > What am I missing here? I have verified that current logged on user is
    > part of MyDomain\\WMS_ADMINISTRATORS group.
     
    Dominick Baier [DevelopMentor], Apr 3, 2006
    #3
  4. what does Context.User.Identity.Name say - the username you are expecting?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Apr 3, 2006
    #4
  5. Dominick Baier [DevelopMentor]

    Atul Guest

    As you said, I have modified the web.config as:

    <authorization>
    <allow roles="MyDomain\\WMS_ADMINISTRATORS"/>
    </authorization>

    And the Page_Load Code is:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Context.User.IsInRole("MyDomain\\WMS_ADMINISTRATORS"))
        {
            Label1.Text = Context.User.Identity.Name + " is part of ROLE";
        }
        else
        {
            Label1.Text = Context.User.Identity.Name + " is NOT part of ROLE";
        }
    }

    What am I missing here? I have verified that current logged on user is part
    of MyDomain\\WMS_ADMINISTRATORS group.
     
    Atul, Apr 3, 2006
    #5
  6. try

    a) whoami /groups from the command line (part of w2k3 or the resource kit)
    b) drop this page in your app and see what roles you are member of (from
    the view of asp.net)

    http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Yes!
    >
    > MyDomain\atuls is NOT part of ROLE.
     
    Dominick Baier [DevelopMentor], Apr 3, 2006
    #6
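
An added example, not from the thread or from the page linked in the post above: a small C# diagnostic in the spirit of step b), listing the groups carried in a Windows token and testing one role name against it. The class name RoleDiagnostics is hypothetical; the role name is the one used in this thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (hypothetical helper, not code from the thread).
public static class RoleDiagnostics
{
    // Role name from the thread. In C# source the backslash is escaped,
    // so this string holds ONE backslash. In web.config the same group is
    // written roles="MyDomain\WMS_ADMINISTRATORS": XML attribute values are
    // not C#-escaped, so a doubled backslash there is taken literally.
    public const string Role = "MyDomain\\WMS_ADMINISTRATORS";

    // Returns one line per group SID in the token, plus the result of the
    // name-based role check that the page code performs.
    public static List<string> Describe(WindowsIdentity identity, string role)
    {
        List<string> lines = new List<string>();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        lines.Add("User: " + identity.Name);

        if (identity.Groups != null)
        {
            foreach (IdentityReference group in identity.Groups)
            {
                string name;
                try
                {
                    // Resolve the SID to a DOMAIN\group name.
                    name = group.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    // SID could not be resolved to a name: show it raw.
                    name = group.Value;
                }
                bool member = principal.IsInRole((SecurityIdentifier)group);
                lines.Add(name + " -> IsInRole=" + member);
            }
        }

        // The check from Page_Load, against the token as it is right now.
        lines.Add("IsInRole(" + role + ") = " + principal.IsInRole(role));
        return lines;
    }

    // Console entry point so the check can be run outside IIS.
    // Inside a page using Windows authentication, pass
    // (WindowsIdentity)Context.User.Identity instead of GetCurrent().
    public static void Main()
    {
        foreach (string line in Describe(WindowsIdentity.GetCurrent(), Role))
        {
            Console.WriteLine(line);
        }
    }
}
```

Running it both from a console session and from inside the application shows whether the two tokens carry the same group list.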
  7. Dominick Baier [DevelopMentor]

    Atul Guest

    As you said, changed web.config and did an IISReset, but still same
    response. It says "MyDomain\atuls is NOT part of Role"
     
    Atul, Apr 3, 2006
    #7
  8. Dominick Baier [DevelopMentor]

    Atul Guest

    Yes!

    MyDomain\atuls is NOT part of ROLE.
     
    Atul, Apr 3, 2006
    #8
  9. Dominick Baier [DevelopMentor]

    Atul Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > try
    >
    > a) whoami /groups from the command line (part of w2k3 or the resource kit)

    It lists all the groups logged on user belong to.

    > b) drop this page in your app and see what roles you are member of (from
    > the view of asp.net)

    DOMAIN-LAN\Domain Users-----------> IsInRole=True
    Everyone-----------> IsInRole=True
    ATUL\BizTalk Application Users-----------> IsInRole=True
    ATUL\BizTalk Isolated Host Users-----------> IsInRole=True
    ATUL\BizTalk Server Administrators-----------> IsInRole=True
    ATUL\Debugger Users-----------> IsInRole=True
    ATUL\EDI Subsystem Users-----------> IsInRole=True
    ATUL\IIS_WPG-----------> IsInRole=True
    ATUL\OLAP Administrators-----------> IsInRole=True
    ATUL\OWS_1094864922_admin-----------> IsInRole=True
    ATUL\SSO Administrators-----------> IsInRole=True
    S-1-5-21-2875354219-2406699116-2307019780-1068-----------> IsInRole=False
    BUILTIN\Administrators-----------> IsInRole=True
    BUILTIN\Power Users-----------> IsInRole=True
    BUILTIN\Users-----------> IsInRole=True
    NT AUTHORITY\INTERACTIVE-----------> IsInRole=True
    NT AUTHORITY\Authenticated Users-----------> IsInRole=True
    NT AUTHORITY\This Organization-----------> IsInRole=True
    LOCAL-----------> IsInRole=True
    DOMAIN-LAN\SSOAdminGroup-----------> IsInRole=True

    "ATUL" is the machine name. I do not see the Group which has been created
    newly on the domain. Also, there are two more local groups in the local
    machine, and user is part of these two groups, but the group names are not
    shown here. Why is it so?

     
    Atul, Apr 3, 2006
    #9
  10. Did you log out and log back in again?

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Apr 3, 2006
    #10
  11. no - everything normally works as expected - must be something different...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Yes!
    > But again it is not working.
    > Is it a known issue that it doesn't work in W2k3 Server?
     
    Dominick Baier [DevelopMentor], Apr 5, 2006
    #11
  12. Dominick Baier [DevelopMentor]

    Atul Guest

    Yes!
    But again it is not working.

    Is it a known issue that it doesn't work in W2k3 Server?

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > Did you log out and log back in again?
    >
    > Joe K.
    >
    > "Atul" <> wrote in message
    > news:...
    >>
    >> "Dominick Baier [DevelopMentor]" <>
    >> wrote in message news:...
    >>> try
    >>>
    >>> a) whoami /groups from the command line (part of w2k3 or the resource
    >>> kit)

    >> It lists all the groups logged on user belong to.
    >>
    >>> b) drop this page in your app and see what roles you are member of (from
    >>> the view of asp.net)

    >> DOMAIN-LAN\Domain Users-----------> IsInRole=True
    >> Everyone-----------> IsInRole=True
    >> ATUL\BizTalk Application Users-----------> IsInRole=True
    >> ATUL\BizTalk Isolated Host Users-----------> IsInRole=True
    >> ATUL\BizTalk Server Administrators-----------> IsInRole=True
    >> ATUL\Debugger Users-----------> IsInRole=True
    >> ATUL\EDI Subsystem Users-----------> IsInRole=True
    >> ATUL\IIS_WPG-----------> IsInRole=True
    >> ATUL\OLAP Administrators-----------> IsInRole=True
    >> ATUL\OWS_1094864922_admin-----------> IsInRole=True
    >> ATUL\SSO Administrators-----------> IsInRole=True
    >> S-1-5-21-2875354219-2406699116-2307019780-1068-----------> IsInRole=False
    >> BUILTIN\Administrators-----------> IsInRole=True
    >> BUILTIN\Power Users-----------> IsInRole=True
    >> BUILTIN\Users-----------> IsInRole=True
    >> NT AUTHORITY\INTERACTIVE-----------> IsInRole=True
    >> NT AUTHORITY\Authenticated Users-----------> IsInRole=True
    >> NT AUTHORITY\This Organization-----------> IsInRole=True
    >> LOCAL-----------> IsInRole=True
    >> DOMAIN-LAN\SSOAdminGroup-----------> IsInRole=True
    >>
    >> "ATUL" is the machine name. I do not see the Group which has been created
    >> newly on the domain. Also, there are two more local groups in the local
    >> machine, and user is part of these two groups, but the group names are
    >> not shown here. Why is it so?
    >>
    >>>
    >>> http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>
    >>>> Yes!
    >>>>
    >>>> MyDomain\atuls is NOT part of ROLE.
    >>>>
    >>>> "Dominick Baier [DevelopMentor]"
    >>>> <> wrote in message
    >>>> news:...
    >>>>
    >>>>> what does Context.User.Identity.Name say - the username you are
    >>>>> expecting?
    >>>>>
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> As you said, I have modified the web.config as:
    >>>>>>
    >>>>>> <authorization>
    >>>>>> <allow roles="MyDomain\\WMS_ADMINISTRATORS"/>
    >>>>>> </authorization>
    >>>>>> And the Page_Load Code is:
    >>>>>> protected void Page_Load(object sender, EventArgs e)
    >>>>>> {
    >>>>>> if (Context.User.IsInRole("MyDomain\\WMS_ADMINISTRATORS"))
    >>>>>> {
    >>>>>> Label1.Text = Context.User.Identity.Name + " is part of ROLE";
    >>>>>> }
    >>>>>> else
    >>>>>> {
    >>>>>> Label1.Text = Context.User.Identity.Name + " is NOT part of ROLE";
    >>>>>> }
    >>>>>> }
    >>>>>> What am I missing here? I have verified that current logged on user is
    >>>>>> part of MyDomain\\WMS_ADMINISTRATORS group.
    >>>>>> "Dominick Baier [DevelopMentor]"
    >>>>>> <> wrote in message
    >>>>>> news:...
    >>>>>>
    >>>>>>> hi,
    >>>>>>> you have to use the domain\groupname format for windows groups.
    >>>>>>> ---------------------------------------
    >>>>>>> Dominick Baier - DevelopMentor
    >>>>>>> http://www.leastprivilege.com
    >>>>>>>> Hi,
    >>>>>>>>
    >>>>>>>> I am facing a weird problem related to ASP.NET 2.0 Roles. I have
    >>>>>>>> web.Config file having security settings:
    >>>>>>>>
    >>>>>>>> <authentication mode="Windows"/>
    >>>>>>>>
    >>>>>>>> <authorization>
    >>>>>>>>
    >>>>>>>> <allow roles=".\WMSAdmin" />
    >>>>>>>>
    >>>>>>>> </authorization>
    >>>>>>>>
    >>>>>>>> And during Page_Load() event, when I check whether current logged
    >>>>>>>> on user is in the Role specified then it fails, however, the user
    >>>>>>>> is part of this Role on the local machine:
    >>>>>>>>
    >>>>>>>> If Not Page.User.IsInRole("WMSAdmin") Then
    >>>>>>>>
    >>>>>>>> Trace.Write("Page user is NOT part of WMSAdminGroup")
    >>>>>>>>
    >>>>>>>> Server.Transfer("~/NoAccess.aspx")
    >>>>>>>>
    >>>>>>>> Else
    >>>>>>>>
    >>>>>>>> Trace.Write("Page user " & Page.User.Identity.Name & " is PART of WMSAdmin Group.")
    >>>>>>>>
    >>>>>>>> End If
    >>>>>>>>
    >>>>>>>> Any guesses, what am I missing here.
    >>>>>>>> Regards,
    >>>>>>>> Atul
    >>>
    >>>

    >>
    >>

    >
    >
     
    Atul, Apr 5, 2006
    #12
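
The check suggested in step (b) of the quoted reply, written out as an added example; it is not code from the thread or from the linked leastprivilege.com page. It lists every group SID in the logon token, resolves each to a `DOMAIN\name` account where possible, and then tries several spellings of the group name from the thread. The class name `TokenGroups` and the console entry point are assumptions made so the block runs on its own.

```csharp
using System;
using System.Security.Principal;

// Added example (hypothetical class name): prints the groups carried in a
// Windows logon token in the same "name -> IsInRole" layout as the output
// quoted in the thread.
static class TokenGroups
{
    // In an ASP.NET page with <authentication mode="Windows"/>, use
    // (WindowsIdentity)Context.User.Identity instead of GetCurrent().
    static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("User: " + identity.Name);

        // Groups come from the token, which is built when the user logs on.
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // No account name could be resolved: fall back to the raw SID.
                name = sid.Value;
            }
            Console.WriteLine(name + " -> IsInRole=" + principal.IsInRole(name));
        }

        // Different spellings of one local group; "WMSAdmin" is the group
        // name used in the thread's first post.
        string[] candidates = {
            "WMSAdmin",
            @".\WMSAdmin",
            Environment.MachineName + @"\WMSAdmin"
        };
        foreach (string role in candidates)
            Console.WriteLine(role + " -> IsInRole=" + principal.IsInRole(role));
    }
}
```

A group that is missing from the first list is not in the token at all, so no spelling of its name passed to `IsInRole` will match.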