AzMan non-admin problem under Win XP

Discussion in 'ASP .Net Security' started by Dominick Baier, Oct 10, 2006.

  1. Does this user have read access to the application partition - also in the
    AzMan GUI - is the user in the "reader" role (somewhere in the properties)?

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier, Oct 10, 2006
    #1

  2. Dominick Baier

    Vovan.Net Guest

    Hello All,

    I have a problem with AzMan under Windows XP.
    On my web site I use AzMan/AD role management. The store is installed on a Win 2003 SP1 server, but the site works under WinXP SP2.

    For the IIS identity, a domain account with non-admin privileges is used.

    In this case the error occurs: "The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG))" when the page is loaded or after role checking (Roles.IsUserInRole(User.Identity.Name, "Administrator")). But if I add the domain account to the local Administrators group - everything works correctly.

    We face this problem only if the site runs under Win XP. If the site runs under Win 2003 – it is OK.

    It is forbidden to run the site under an administrator account. How could this problem be resolved? Do you have any insight on this?

    I used the Microsoft sample from:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000018.asp?_r=1

    with the following web.config:

    <connectionStrings>
      <add name="AzManADAMServer" connectionString="msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US" />
    </connectionStrings>

    <identity impersonate="true" userName="corp\test" password="xxxxxxx"/>
    <authentication mode="Windows"/>
    <authorization>
      <deny users="?"/>
    </authorization>

    <roleManager
      enabled="true"
      cacheRolesInCookie="false"
      defaultProvider="RoleManagerAzManADAMProvider"
      cookieName=".ASPXROLES"
      cookiePath="/"
      cookieTimeout="1"
      cookieRequireSSL="false"
      cookieSlidingExpiration="false"
      createPersistentCookie="false"
      cookieProtection="None">
      <providers>
        <add name="RoleManagerAzManADAMProvider"
          type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="AzManADAMServer"
          applicationName="iHomeOwner"
        />
      </providers>
    </roleManager>
     
    Vovan.Net, Oct 10, 2006
    #2

  3. Dominick Baier

    Vladimir Guest

    Yes. User is in "Administrator", "Reader", "Delegated User" roles

    "Dominick Baier" wrote:

    > Does this user have read access to the application partition - also in the
    > AzMan GUI - is the user in the "reader" role (somewhere in the properties)?
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
     
    Vladimir, Oct 11, 2006
    #3
  4. Dominick Baier

    Vladimir Guest

    Additional info: the following code passes successfully with admin rights, but
    with user rights it causes the error "Value does not fall within the expected
    range"

    // Requires a reference to the AzMan interop assembly (Microsoft.Interop.Security.AzRoles)
    String azManConnectionString = "msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US";
    String azManApplicationName = "test";

    AzAuthorizationStore _azStore = new AzAuthorizationStoreClass();
    // Flags = 0: open the existing store at the given URL
    _azStore.Initialize(0, azManConnectionString, null);


     
    Vladimir, Oct 11, 2006
    #4
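
An added diagnostic example for the failing call in post #4 (not code from any poster in this thread or from Microsoft): it reports which Windows identity actually makes the Initialize call, whether that token is a member of the local Administrators group, and the HRESULT that comes back. The names AzManInitProbe and Probe are hypothetical, and the code assumes the project references the same AzMan interop assembly the posted snippet uses.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles; // assumption: AzMan interop assembly is referenced

public static class AzManInitProbe // hypothetical helper, not part of AzMan
{
    // Returns one line: calling identity, local-admin membership, and the Initialize result.
    public static string Probe(string storeUrl)
    {
        // Thread token when impersonating, otherwise the process token.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        bool isAdmin = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        string who = String.Format("identity={0} impersonation={1} localAdmin={2}",
                                   id.Name, id.ImpersonationLevel, isAdmin);

        AzAuthorizationStore store = new AzAuthorizationStoreClass();
        try
        {
            store.Initialize(0, storeUrl, null); // same call as in the post
            return who + " result=OK";
        }
        catch (Exception ex)
        {
            // E_INVALIDARG is surfaced by COM interop as ArgumentException,
            // other HRESULTs as COMException or UnauthorizedAccessException.
            int hr = Marshal.GetHRForException(ex);
            return String.Format("{0} result=0x{1:X8} type={2} message={3}",
                                 who, hr, ex.GetType().Name, ex.Message);
        }
        finally
        {
            Marshal.ReleaseComObject(store);
        }
    }

    public static void Main()
    {
        // Store URL copied from the thread.
        Console.WriteLine(Probe(
            "msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US"));
    }
}
```

Called from a page of the site, Probe shows the identity in effect under the identity impersonate setting; run from a console, it shows the logged-on user instead.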