ASP.NET 2.0 WindowsTokenRoleProvider Local Groups Broken

Discussion in 'ASP .Net Security' started by Howard Hoffman, Oct 10, 2007.

  1. I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).

    I've configured the web-site (following directions at
    http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
    Negotiate access, and the site itself is using Integrated Windows
    Authentication and allow-anonymous.

    I've added an entry to my local HOSTS file, since there is no real
    domain-name (yet) for the web-site DNS. So, my urls look like
    http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
    (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I put
    it there) as http://*.mysite.com.

    I have a local group on the server computer (W2K3) named "Local PAIS
    Admins". I have added myself to that group, and logged out of Windows and
    logged back in (to the local machine -- the same computer that is hosting
    the web site).

    In web.config, I have a <location> element for the Admin.aspx page:

    <location path="Admin.aspx">
    <system.web>
    <authorization>
    <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    <deny users="*" />
    </authorization>
    </system.web>
    </location>

    obviously, substituting the actual machine name for COMPUTER-NAME-HERE.

    If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
    defaultProvider="AspNetWindowsTokenRoleProvider"
    cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even though
    I am in that group. I am prompted 3 times for my credentials, and I
    enter them correctly. Finally, I get the Access is Denied default error
    page, with a 401.2 error.

    If I run with the RoleManager element commented out, it works, and I can see
    the page.

    If I add myself to a BUILTIN group (say, Power Users), and change the above
    <location> element to allow only that BUILTIN group, with RoleManager
    enabled for the WindowsTokenRoleProvider, it works. Only BUILTIN groups
    work though.

    I've not ever edited any of the
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.

    Can someone explain what is happening? Is this a known ASP.NET
    WindowsTokenRoleProvider limitation? Am I doing something wrong?

    I've a production deployment going on a similarly configured site, and we
    need to use local-machine groups.

    Thanks in advance,

    Howard Hoffman
    Howard Hoffman, Oct 10, 2007
    #1

  2. Joe Kaplan

    I'm not sure what the problem is, but I would suggest writing some quick
    code that takes the WindowsIdentity object for the authenticated user (cast
    Context.User.Identity to WindowsIdentity), take the objects in the Group
    property (IdentityReferenceCollection) and convert them to NTAccount objects
    via the Translate method. Then you can look at the names of the groups.
    That will help identify whether the group really isn't in the token or there
    is some weird string mismatch problem.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Howard Hoffman" <> wrote in message
    news:...
    > I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
    >
    > I've configured the web-site (following directions at
    > http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
    > Negotiate access, and the site itself is using Integrated Windows
    > Authentication and allow-anonymous.
    >
    > I've added an entry to my local HOSTS file, since there is no real
    > domain-name (yet) for the web-site DNS. So, my urls look like
    > http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
    > (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
    > put it there) as http://*.mysite.com.
    >
    > I have a local group on the server computer (W2K3) named "Local PAIS
    > Admins". I have added myself to that group, and logged out of Windows and
    > logged back in (to the local machine -- the same computer that is hosting
    > the web site).
    >
    > In web.config, I have a <location> element for the Admin.aspx page:
    >
    > <location path="Admin.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    >
    > obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
    >
    > If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
    > defaultProvider="AspNetWindowsTokenRoleProvider"
    > cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
    > though I am in that group. I am prompted 3 times for my credentials,
    > and I enter them correctly. Finally, I get the Access is Denied default
    > error page, with a 401.2 error.
    >
    > If I run with the RoleManager element commented out, it works, and I can
    > see the page.
    >
    > If I add myself to a BUILTIN group (say, Power Users), and change the
    > above <location> element to allow only that BUILTIN group, with
    > RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
    > BUILTIN groups work though.
    >
    > I've not ever edited any of the
    > C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
    >
    > Can someone explain what is happening? Is this a known ASP.NET
    > WindowsTokenRoleProvider limitation? Am I doing something wrong?
    >
    > I've a production deployment going on a similarly configured site, and we
    > need to use local-machine groups.
    >
    > Thanks in advance,
    >
    > Howard Hoffman
    >
    Joe Kaplan, Oct 11, 2007
    #2
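    The token dump Joe describes, written out as an added example (this is not
    code from the thread or from either poster). It assumes a throw-away page
    named WhoAmI.aspx placed under a path that uses Integrated Windows
    Authentication with anonymous access disabled, and it uses the group names
    from Howard's post as candidates; substitute your own. It prints every SID in
    the caller's logon token next to the NTAccount name the server resolves for
    it, then asks both WindowsPrincipal.IsInRole and Roles.IsUserInRole about
    each spelling of the role name, so a string-format mismatch shows up
    separately from a group that is genuinely absent from the token.

```csharp
// WhoAmI.aspx.cs: diagnostic only. It discloses the caller's full group list,
// so remove it once the role-name question is answered.
using System;
using System.Security.Principal;
using System.Text;
using System.Web.Security;
using System.Web.UI;

public partial class WhoAmI : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Under Windows authentication Context.User.Identity is a WindowsIdentity
        // wrapping the logon token; Groups enumerates every SID in that token
        // (local groups, domain groups, BUILTIN and well-known SIDs).
        WindowsIdentity id = Context.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
        {
            Response.Write("No authenticated WindowsIdentity; is anonymous access off for this page?");
            return;
        }

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("User: " + id.Name + " (" + id.User.Value + ")");
        sb.AppendLine("Auth type: " + id.AuthenticationType);
        sb.AppendLine();
        sb.AppendLine("Groups in token:");
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                // SID -> "MACHINE\Group" or "BUILTIN\Group", as this server resolves it
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "(no account name for this SID)";
            }
            sb.AppendLine("  " + sid.Value + "  " + name);
        }

        // Candidate role strings (assumed; "Local PAIS Admins" is the group from the thread).
        string[] candidates = {
            Environment.MachineName + "\\Local PAIS Admins",
            "Local PAIS Admins",
            "BUILTIN\\Power Users"
        };
        WindowsPrincipal principal = new WindowsPrincipal(id);
        sb.AppendLine();
        foreach (string role in candidates)
        {
            string byPrincipal, byProvider;
            try { byPrincipal = principal.IsInRole(role).ToString(); }
            catch (Exception ex) { byPrincipal = ex.GetType().Name; }
            try
            {
                // Roles.IsUserInRole(role) goes through the configured provider for the
                // current request's user, which is the only user the
                // AspNetWindowsTokenRoleProvider can answer for.
                byProvider = Roles.Enabled ? Roles.IsUserInRole(role).ToString() : "roleManager disabled";
            }
            catch (Exception ex) { byProvider = ex.GetType().Name; }
            sb.AppendLine(role.PadRight(40) + " WindowsPrincipal.IsInRole=" + byPrincipal
                          + "  Roles.IsUserInRole=" + byProvider);
        }

        Response.Write(sb.ToString());
    }
}
```

    Read the output with the role provider enabled and again with the
    roleManager element commented out: if the group's SID is in the token and
    WindowsPrincipal.IsInRole says true for one spelling while Roles.IsUserInRole
    says false for the spelling used in web.config, the problem is the role name
    string, not the logon. Membership is captured at logon, so a user added to a
    group after logging on will not see the SID until they log on again.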

  3. Joe -

    I appreciate your response, but I don't see how it helps me.

    There is no Group property on the WindowsIdentity object in .NET 2.0, is
    there?
    I can certainly instantiate a new NTIdentity object from the
    HttpContext.Current.User.Identity.Name (and domain) just fine.
    So, there is a real-SID for the user-name. Where do we go from here?

    There is no copy / paste error - I put the group name on the clipboard in
    Computer Management / Local Users and Groups / Groups, and pasted that into
    Web.config.

    Thanks in advance,

    Howard Hoffman

    "Joe Kaplan" <> wrote in message
    news:...
    > I'm not sure what the problem is, but I would suggest writing some quick
    > code that takes the WindowsIdentity object for the authenticated user
    > (cast Context.User.Identity to WindowsIdentity), take the objects in the
    > Group property (IdentityReferenceCollection) and convert them to NTAccount
    > objects via the Translate method. Then you can look at the names of the
    > groups. That will help identify whether the group really isn't in the
    > token or there is some weird string mismatch problem.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
    > "Howard Hoffman" <> wrote in message
    > news:...
    >> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
    >>
    >> I've configured the web-site (following directions at
    >> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
    >> Negotiate access, and the site itself is using Integrated Windows
    >> Authentication and allow-anonymous.
    >>
    >> I've added an entry to my local HOSTS file, since there is no real
    >> domain-name (yet) for the web-site DNS. So, my urls look like
    >> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
    >> (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
    >> put it there) as http://*.mysite.com.
    >>
    >> I have a local group on the server computer (W2K3) named "Local PAIS
    >> Admins". I have added myself to that group, and logged out of Windows
    >> and logged back in (to the local machine -- the same computer that is
    >> hosting the web site).
    >>
    >> In web.config, I have a <location> element for the Admin.aspx page:
    >>
    >> <location path="Admin.aspx">
    >> <system.web>
    >> <authorization>
    >> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    >> <deny users="*" />
    >> </authorization>
    >> </system.web>
    >> </location>
    >>
    >> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
    >>
    >> If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
    >> defaultProvider="AspNetWindowsTokenRoleProvider"
    >> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
    >> though I am in that group. I am prompted 3 times for my credentials,
    >> and I enter them correctly. Finally, I get the Access is Denied default
    >> error page, with a 401.2 error.
    >>
    >> If I run with the RoleManager element commented out, it works, and I can
    >> see the page.
    >>
    >> If I add myself to a BUILTIN group (say, Power Users), and change the
    >> above <location> element to allow only that BUILTIN group, with
    >> RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
    >> BUILTIN groups work though.
    >>
    >> I've not ever edited any of the
    >> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
    >>
    >> Can someone explain what is happening? Is this a known ASP.NET
    >> WindowsTokenRoleProvider limitation? Am I doing something wrong?
    >>
    >> I've a production deployment going on a similarly configured site, and we
    >> need to use local-machine groups.
    >>
    >> Thanks in advance,
    >>
    >> Howard Hoffman
    >>

    Howard Hoffman, Oct 11, 2007
    #3
  4. Joe Kaplan

    There is a Groups property:

    http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.groups.aspx

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Howard Hoffman" <> wrote in message
    news:...
    > Joe -
    >
    > I appreciate your response, but I don't see how it helps me.
    >
    > There is no Group property on the WindowsIdentity object in .NET 2.0, is
    > there?
    > I can certainly instantiate a new NTIdentity object from the
    > HttpContext.Current.User.Identity.Name (and domain) just fine.
    > So, there is a real-SID for the user-name. Where do we go from here?
    >
    > There is no copy / paste error - I put the group name on the clipboard in
    > Computer Management / Local Users and Groups / Groups, and pasted that
    > into Web.config.
    >
    > Thanks in advance,
    >
    > Howard Hoffman
    >
    > "Joe Kaplan" <> wrote in message
    > news:...
    >> I'm not sure what the problem is, but I would suggest writing some quick
    >> code that takes the WindowsIdentity object for the authenticated user
    >> (cast Context.User.Identity to WindowsIdentity), take the objects in the
    >> Group property (IdentityReferenceCollection) and convert them to
    >> NTAccount objects via the Translate method. Then you can look at the
    >> names of the groups. That will help identify whether the group really
    >> isn't in the token or there is some weird string mismatch problem.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Howard Hoffman" <> wrote in message
    >> news:...
    >>> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
    >>>
    >>> I've configured the web-site (following directions at
    >>> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
    >>> and Negotiate access, and the site itself is using Integrated Windows
    >>> Authentication and allow-anonymous.
    >>>
    >>> I've added an entry to my local HOSTS file, since there is no real
    >>> domain-name (yet) for the web-site DNS. So, my urls look like
    >>> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
    >>> mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
    >>> sites in IE (I put it there) as http://*.mysite.com.
    >>>
    >>> I have a local group on the server computer (W2K3) named "Local PAIS
    >>> Admins". I have added myself to that group, and logged out of Windows
    >>> and logged back in (to the local machine -- the same computer that is
    >>> hosting the web site).
    >>>
    >>> In web.config, I have a <location> element for the Admin.aspx page:
    >>>
    >>> <location path="Admin.aspx">
    >>> <system.web>
    >>> <authorization>
    >>> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    >>> <deny users="*" />
    >>> </authorization>
    >>> </system.web>
    >>> </location>
    >>>
    >>> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
    >>>
    >>> If I run with RoleManager enabled in ASP.NET (<roleManager
    >>> enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
    >>> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
    >>> though I am in that group. I am prompted 3 times for my
    >>> credentials, and I enter them correctly. Finally, I get the Access is
    >>> Denied default error page, with a 401.2 error.
    >>>
    >>> If I run with the RoleManager element commented out, it works, and I can
    >>> see the page.
    >>>
    >>> If I add myself to a BUILTIN group (say, Power Users), and change the
    >>> above <location> element to allow only that BUILTIN group, with
    >>> RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
    >>> BUILTIN groups work though.
    >>>
    >>> I've not ever edited any of the
    >>> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
    >>>
    >>> Can someone explain what is happening? Is this a known ASP.NET
    >>> WindowsTokenRoleProvider limitation? Am I doing something wrong?
    >>>
    >>> I've a production deployment going on a similarly configured site, and
    >>> we need to use local-machine groups.
    >>>
    >>> Thanks in advance,
    >>>
    >>> Howard Hoffman
    >>>

    Joe Kaplan, Oct 11, 2007
    #4
  5. IfThenElse

    Does this help you out? <deny users="*" /> might be killing <allow
    roles="COMPUTER-NAME-HERE\Local PAIS Admins" />

    <location path="Admin.aspx">
    <system.web>
    <authorization>
    <deny users="*" />
    <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    </authorization>
    </system.web>
    </location>



    "Howard Hoffman" <> wrote in message
    news:...
    > I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
    >
    > I've configured the web-site (following directions at
    > http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
    > Negotiate access, and the site itself is using Integrated Windows
    > Authentication and allow-anonymous.
    >
    > I've added an entry to my local HOSTS file, since there is no real
    > domain-name (yet) for the web-site DNS. So, my urls look like
    > http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
    > (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
    > put it there) as http://*.mysite.com.
    >
    > I have a local group on the server computer (W2K3) named "Local PAIS
    > Admins". I have added myself to that group, and logged out of Windows and
    > logged back in (to the local machine -- the same computer that is hosting
    > the web site).
    >
    > In web.config, I have a <location> element for the Admin.aspx page:
    >
    > <location path="Admin.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    >
    > obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
    >
    > If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
    > defaultProvider="AspNetWindowsTokenRoleProvider"
    > cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
    > though I am in that group. I am prompted 3 times for my credentials,
    > and I enter them correctly. Finally, I get the Access is Denied default
    > error page, with a 401.2 error.
    >
    > If I run with the RoleManager element commented out, it works, and I can
    > see the page.
    >
    > If I add myself to a BUILTIN group (say, Power Users), and change the
    > above <location> element to allow only that BUILTIN group, with
    > RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
    > BUILTIN groups work though.
    >
    > I've not ever edited any of the
    > C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
    >
    > Can someone explain what is happening? Is this a known ASP.NET
    > WindowsTokenRoleProvider limitation? Am I doing something wrong?
    >
    > I've a production deployment going on a similarly configured site, and we
    > need to use local-machine groups.
    >
    > Thanks in advance,
    >
    > Howard Hoffman
    >
    IfThenElse, Oct 12, 2007
    #5
  6. Dominick Baier

    IIRC, if you use the WindowsTokenRoleProvider you have to omit the machine
    name for local groups.

    Why do you use the provider at all?

    I wrote about it here:
    http://www.leastprivilege.com/SearchView.aspx?q=TokenRole

    But meanwhile I came to the conclusion that all the optimization is also
    done by the LSA, so I really do not see the point of this provider at all.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a
    > web-site).
    >
    > I've configured the web-site (following directions at
    > http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
    > and Negotiate access, and the site itself is using Integrated Windows
    > Authentication and allow-anonymous.
    >
    > I've added an entry to my local HOSTS file, since there is no real
    > domain-name (yet) for the web-site DNS. So, my urls look like
    > http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
    > mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
    > sites in IE (I put it there) as http://*.mysite.com.
    >
    > I have a local group on the server computer (W2K3) named "Local PAIS
    > Admins". I have added myself to that group, and logged out of Windows
    > and logged back in (to the local machine -- the same computer that is
    > hosting the web site).
    >
    > In web.config, I have a <location> element for the Admin.aspx page:
    >
    > <location path="Admin.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    > obviously, substituting the actual machine name for
    > COMPUTER-NAME-HERE.
    >
    > If I run with RoleManager enabled in ASP.NET (<roleManager
    > enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
    > cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
    > though I am in that group. I am prompted 3 times for my
    > credentials, and I enter them correctly. Finally, I get the Access is
    > Denied default error page, with a 401.2 error.
    >
    > If I run with the RoleManager element commented out, it works, and I
    > can see the page.
    >
    > If I add myself to a BUILTIN group (say, Power Users), and change the
    > above <location> element to allow only that BUILTIN group, with
    > RoleManager enabled for the WindowsTokenRoleProvider, it works. Only
    > BUILTIN groups work though.
    >
    > I've not ever edited any of the
    > C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
    >
    > Can someone explain what is happening? Is this a known ASP.NET
    > WindowsTokenRoleProvider limitation? Am I doing something wrong?
    >
    > I've a production deployment going on a similarly configured site, and
    > we need to use local-machine groups.
    >
    > Thanks in advance,
    >
    > Howard Hoffman
    >
    Dominick Baier, Oct 14, 2007
    #6
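    A web.config excerpt putting the two pieces of advice in this thread
    together, as an added example rather than configuration taken from any of
    the posts. It follows Dominick's recollection in #6 that local groups are
    named without the machine prefix under the WindowsTokenRoleProvider; the
    thread does not confirm that this fixed Howard's site, so treat the role
    string as an assumption to be checked by dumping the token's group names on
    the server. It keeps the allow/deny order from Howard's original post
    rather than the swapped order suggested in #5: UrlAuthorizationModule
    evaluates rules top-down and stops at the first match, so a
    `<deny users="*" />` placed first denies every user, members of the admin
    group included.

```xml
<!-- web.config excerpt (added example; role string below is an assumption) -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Roles are read from the request's logon token; nothing is stored,
         and there is nothing to cache in a cookie. -->
    <roleManager enabled="true"
                 defaultProvider="AspNetWindowsTokenRoleProvider"
                 cacheRolesInCookie="false" />
  </system.web>

  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <!-- First match wins: the allow must precede the catch-all deny.
             Reversing the two lines locks everyone out of Admin.aspx. -->
        <!-- Local machine group named without "MACHINE\"; built-in groups
             keep their "BUILTIN\" prefix. -->
        <allow roles="Local PAIS Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

    With Windows authentication and no roleManager element, the `roles`
    attribute is checked against WindowsPrincipal.IsInRole directly, which is
    why Howard's machine-prefixed name worked when the provider was commented
    out; enabling the provider routes the same check through
    WindowsTokenRoleProvider, so the spelling the provider accepts is the one
    that has to appear in web.config.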
