Have <authentication mode="Windows"> half working

David Thielen

Hi;

For authentication of:
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>

I get the user and the user is authenticated. But IsInRole is failing:
// these 4 calls are correct
IPrincipal user = Context.User;
WindowsIdentity wi = user.Identity as WindowsIdentity;
bool b = wi.IsAuthenticated;

// these all fail (computer name belle, domain name windward)
bool admin = user.IsInRole("administrators");
bool admin2 = user.IsInRole("belle\\administrators");
bool du = user.IsInRole("Domain Users");
bool du2 = user.IsInRole("windward/Domain Users");
bool du3 = user.IsInRole("windward\\Domain Users");
bool du4 = user.IsInRole("\\windward\\Domain Users");
bool du5 = user.IsInRole("\\windward.local\\Domain Users");
bool du6 = user.IsInRole("\\windward\\Users");
bool du7 = user.IsInRole("\\windward.local\\Users");

Any ideas?
 
Joe Kaplan (MVP - ADSI)

This should work if you logged in with a user who is a member of domain
users:

bool du3 = user.IsInRole("windward\\Domain Users");

What does user.Identity.Name return? Are you sure you disabled anonymous
access in IIS?

Joe K.
 
David Thielen

user.Identity:
AuthenticationType = NTLM
IsAuthenticated = true
Name = WINDWARD\\dave
 
David Thielen

groups below - I am in them.

Is there some security permission I must have granted for this to work?
(Although if that's the issue, shouldn't I get a SecurityException?)

- grps {Dimensions:[14]} string[]
[0] "WINDWARD\\Domain Users" string
[1] "Everyone" string
[2] "BELLE\\Debugger Users" string
[3] "BUILTIN\\Administrators" string
[4] "BUILTIN\\Users" string
[5] "NT AUTHORITY\\INTERACTIVE" string
[6] "NT AUTHORITY\\Authenticated Users" string
[7] "LOCAL" string
[8] "WINDWARD\\Programming Users" string
[9] "WINDWARD\\VSS Admin" string
[10] "WINDWARD\\Marketing" string
[11] "WINDWARD\\Marketing Users" string
[12] "WINDWARD\\VSS Users" string
[13] "WINDWARD\\CERTSVC_DCOM_ACCESS" string


--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
 
Joe Kaplan (MVP - ADSI)

So, you are in WINDWARD\Domain Users, but
Context.User.IsInRole("WINDWARD\\Domain Users") returns false? That makes no
sense.

Joe K.

Dominick Baier said:
hi.

a) remove the allow=* - that's redundant

b) look at this code - this returns all groups the user is member of:

http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx

or even better - use my showcontexts tool - drop it into your web dir and
inspect the values

http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx
 
David Thielen

Hi;

Yes on both counts. I've done this in client (not ASP) apps before and never
had a problem. Very weird.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



Joe Kaplan (MVP - ADSI)

I can only think that there is something weird in the environment that is
preventing IsInRole from working correctly, but I really don't know.

Just for giggles, can you enable impersonation to see if that fixes it?
<identity impersonate="true" /> I'm curious.

Joe K.

David Thielen

Good idea - but still fails :(

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



Dominick Baier [DevelopMentor]

giggle :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

David Thielen

Even weirder - this is a plain old console app. It lists all of my groups
correctly but then returns false for each group.

static void Main(string[] args)
{
    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    IPrincipal user = Thread.CurrentPrincipal;
    WindowsIdentity sys = System.Security.Principal.WindowsIdentity.GetCurrent();
    List<string> groups = new List<string>();
    IdentityReferenceCollection irc = sys.Groups.Translate(typeof(NTAccount));
    foreach (NTAccount acc in irc)
        groups.Add(acc.Value);
    string[] grps = groups.ToArray();

    bool[] mem = new bool[grps.Length];
    int ind = 0;
    foreach (string group in grps)
        mem[ind] = user.IsInRole(group);
}


--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



David Thielen

Slight mistake - forgot the ++ in mem[ind++]=

Everything works fine in the console app. Everything fails in the ASP .NET
app. Do I need to call:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
somewhere in the ASP .NET app?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



Dominick Baier [DevelopMentor]

maybe you should add a

ind++;

in your foreach loop ;)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Dominick Baier [DevelopMentor]

also be aware that Thread.CurrentPrincipal and Context.User and WindowsIdentity.GetCurrent
don't have to necessarily point to the same identity in ASP.NET

always use Context.User for client id checks - and don't use SetPrincipalPolicy.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Joe Kaplan (MVP - ADSI)

David, I'm pretty sure Dominick has diagnosed this now. Just to sum up, the
rules are:
- For console and forms apps, if you want Thread.CurrentPrincipal to be the
current Windows identity, you have to set the AppDomain principal policy
- For ASP.NET, Context.User contains the authenticated identity. If you
are configured for Windows auth, that will be a WindowsPrincipal. It could
also be something else. This depends on how the user was authenticated.
ASP.NET will also ensure that Thread.CurrentPrincipal returns the same value
as Context.User, so that you can refer to Thread.CurrentPrincipal safely
from lower layer assemblies that may not have a reference to System.Web.
- Context.User returns an IPrincipal that might be a WindowsPrincipal but
could be something else. IPrincipal is a managed code concept and can be
derived from any source.
- WindowsIdentity.GetCurrent() will always return a WindowsIdentity
representing the Windows security context for the current thread. This may
or may not be the same identity as Thread.CurrentPrincipal, depending on the
type of app you have, whether you have enabled impersonation, etc.

Joe K.
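
The rules summarized above, as an added example that is not code from any poster in this thread: a console probe, assuming .NET Framework on Windows, that reads Thread.CurrentPrincipal on a fresh thread before and after setting the principal policy and compares it with WindowsIdentity.GetCurrent(). The names PrincipalProbe, Probe, DisplayName and ProbeOnFreshThread are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;

static class PrincipalProbe
{
    // Resolve a SID to DOMAIN\name for display; fall back to the raw SID
    // string when it cannot be mapped (for example, an unreachable domain).
    static string DisplayName(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }

    // Report the concrete type of a principal, whether it names the same
    // account as the OS token, and what IsInRole answers per group.
    public static string Probe(string label, IPrincipal p)
    {
        if (p == null)
            return label + ": no principal on this thread";

        StringBuilder sb = new StringBuilder();
        sb.AppendLine(string.Format("{0}: {1}, name='{2}', authenticated={3}",
            label, p.GetType().Name, p.Identity.Name, p.Identity.IsAuthenticated));

        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            bool same = string.Equals(p.Identity.Name, token.Name,
                                      StringComparison.OrdinalIgnoreCase);
            sb.AppendLine(string.Format("  OS token: {0} (same account: {1})",
                token.Name, same));

            // Enumerate the principal's own groups when it is a Windows
            // identity; otherwise fall back to the OS token's groups, which
            // is what the console code in this thread did.
            WindowsIdentity source = p.Identity as WindowsIdentity ?? token;
            WindowsPrincipal wp = p as WindowsPrincipal;

            foreach (IdentityReference group in source.Groups)
            {
                string name = DisplayName(group);
                bool byName = p.IsInRole(name);
                // A SID check avoids name-format guessing, but only a
                // WindowsPrincipal can answer it.
                bool bySid = wp != null && wp.IsInRole((SecurityIdentifier)group);
                sb.AppendLine(string.Format("  {0,-45} byName={1,-5} bySid={2}",
                    name, byName, bySid));
            }
        }
        return sb.ToString();
    }

    // Thread.CurrentPrincipal is created on first read and then cached, so
    // each reading is taken on a new thread that has never read it before.
    static void ProbeOnFreshThread(string label)
    {
        Thread t = new Thread(() =>
            Console.WriteLine(Probe(label, Thread.CurrentPrincipal)));
        t.Start();
        t.Join();
    }

    static void Main()
    {
        // Default policy: a GenericPrincipal with an empty, unauthenticated
        // identity, so every IsInRole call answers false.
        ProbeOnFreshThread("default policy");

        // Console and forms apps must opt in to get a WindowsPrincipal.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        ProbeOnFreshThread("WindowsPrincipal policy");
    }
}
```

In an ASP.NET page, passing Context.User to Probe gives the same comparison for the authenticated client against the worker thread's token.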

Dominick Baier said:
also be aware that Thread.CurrentPrincipal and Context.User and
WindowsIdentity.GetCurrent don't have to necessarily point to the same
identity in ASP.NET

always use Context.User for client id checks - and don't use
SetPrincipalPolicy.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Even weirder - this is a plain old console app. It lists all of my
groups correctly but then returns false for each group.

static void Main(string[] args)
{

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrin
cipal);
IPrincipal user = Thread.CurrentPrincipal;
WindowsIdentity sys =
System.Security.Principal.WindowsIdentity.GetCurrent();
List<string> groups = new List<string>();
IdentityReferenceCollection irc =
sys.Groups.Translate(typeof(NTAccount));
foreach (NTAccount acc in irc)
groups.Add(acc.Value);
string[] grps = groups.ToArray();
bool[] mem = new bool[grps.Length];
int ind = 0;
foreach (string group in grps)
mem[ind] = user.IsInRole(group);
}
Joe Kaplan (MVP - ADSI) said:
I can only think that there is something weird in the environment
that is preventing IsInRole from working correctly, but I really
don't know.

Just for giggles, can you enable impersonation to see if that fixes
it? <identity impersonate="true" /> I'm curious.

Joe K.


Hi;

Yes on both counts. I've done this in client (not ASP) apps before and never
had a problem. Very weird.
--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
:

So, you are in WINWARD\Domain Users, but
Context.User.IsInRole("WINWARD\\Domain Users") returns false? That makes no
sense.
Joe K.


groups below - I am in them.

Is there some security permission I must have granted for this to
work? (Although if that's the issue, shouldn't I get a
SecurityException?)

- grps {Dimensions:[14]} string[]
[0] "WINDWARD\\Domain Users" string
[1] "Everyone" string
[2] "BELLE\\Debugger Users" string
[3] "BUILTIN\\Administrators" string
[4] "BUILTIN\\Users" string
[5] "NT AUTHORITY\\INTERACTIVE" string
[6] "NT AUTHORITY\\Authenticated Users" string
[7] "LOCAL" string
[8] "WINDWARD\\Programming Users" string
[9] "WINDWARD\\VSS Admin" string
[10] "WINDWARD\\Marketing" string
[11] "WINDWARD\\Marketing Users" string
[12] "WINDWARD\\VSS Users" string
[13] "WINDWARD\\CERTSVC_DCOM_ACCESS" string
--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
:

hi.

a) remove the allow=* - that's redundant

b) look at this code - this returns all groups the user is member of:

http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx

or even better - use my showcontexts tool - drop it into your web dir and
inspect the values
http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi;

For authentication of:
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
I get the user and the user is authenticated. But IsInRole is
failing:
// these 4 calls are correct
IPrincipal user = Context.User;
WindowsIdentity wi = user.Identity as WindowsIdentity;
bool b = wi.IsAuthenticated;
// these all fail (computer name belle, domain name windward
bool admin = user.IsInRole("administrators");
bool admin2 = user.IsInRole("belle\\administrators");
bool du = user.IsInRole("Domain Users");
bool du2 = user.IsInRole("windward/Domain Users");
bool du3 = user.IsInRole("windward\\Domain Users");
bool du4 = user.IsInRole("\\windward\\Domain Users");
bool du5 = user.IsInRole("\\windward.local\\Domain Users");
bool du6 = user.IsInRole("\\windward\\Users");
bool du7 = user.IsInRole("\\windward.local\\Users");
Any ideas?
 
D

David Thielen

Hi;

I agree with everything you said here - but the point remains that
IsInRole() is still failing inside my ASP.NET app. Any idea why? This is
driving me nuts.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



 
J

Joe Kaplan (MVP - ADSI)

I set up a simple test page in a vdir that only allows IWA auth and have the
default setting in web.config of Windows auth. With this test page, I get
"true" for all of the IsInRole calls. What happens for you?

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" trace="true"%>
<%@ Import namespace="System.Security.Principal" %>
<%@ Import namespace="System.Text" %>
<script runat="server" language="C#" >
void Page_Load(object sender, EventArgs e)
{
    Context.Trace.Write("In Page.Load...");
    StringBuilder sb = new StringBuilder();
    WindowsIdentity wi = (WindowsIdentity) Context.User.Identity;
    IdentityReferenceCollection sids = wi.Groups;
    IdentityReferenceCollection names = sids.Translate(typeof(NTAccount));
    foreach (IdentityReference name in names)
    {
        sb.AppendFormat("<div>Group name={0}; IsInRole={1}</div>",
            name.ToString(),
            Context.User.IsInRole(name.ToString())
        );
    }
    groups.Text = sb.ToString();
    Context.Trace.Write("Leaving Page.Load...");
}
</script>
<html>
<head>
<title>Group Test Page</title>
</head>
<body>
<p>Groups for authenticated user</p>
<asp:label id="groups" runat=server/>
</body>
</html>

Joe K.
 
D

David Thielen

Here you go (this is weird):

Group name=WINDWARD\Domain Users; IsInRole=False
Group name=Everyone; IsInRole=False
Group name=BELLE\Debugger Users; IsInRole=False
Group name=BUILTIN\Administrators; IsInRole=False
Group name=BUILTIN\Users; IsInRole=False
Group name=NT AUTHORITY\INTERACTIVE; IsInRole=False
Group name=NT AUTHORITY\Authenticated Users; IsInRole=False
Group name=LOCAL; IsInRole=False
Group name=WINDWARD\Programming Users; IsInRole=False
Group name=WINDWARD\VSS Admin; IsInRole=False
Group name=WINDWARD\Marketing; IsInRole=False
Group name=WINDWARD\Marketing Users; IsInRole=False
Group name=WINDWARD\VSS Users; IsInRole=False
Group name=WINDWARD\CERTSVC_DCOM_ACCESS; IsInRole=False

bunch of other stuff too but none of it looked interesting - will post all
in a second post.
 
D

David Thielen

Everything:

Groups for authenticated user

Group name=WINDWARD\Domain Users; IsInRole=False
Group name=Everyone; IsInRole=False
Group name=BELLE\Debugger Users; IsInRole=False
Group name=BUILTIN\Administrators; IsInRole=False
Group name=BUILTIN\Users; IsInRole=False
Group name=NT AUTHORITY\INTERACTIVE; IsInRole=False
Group name=NT AUTHORITY\Authenticated Users; IsInRole=False
Group name=LOCAL; IsInRole=False
Group name=WINDWARD\Programming Users; IsInRole=False
Group name=WINDWARD\VSS Admin; IsInRole=False
Group name=WINDWARD\Marketing; IsInRole=False
Group name=WINDWARD\Marketing Users; IsInRole=False
Group name=WINDWARD\VSS Users; IsInRole=False
Group name=WINDWARD\CERTSVC_DCOM_ACCESS; IsInRole=False
Request Details
Session Id: 23tccvism3jzjm5515p2vznb Request Type: GET
Time of Request: 3/19/2006 3:43:02 PM Status Code: 200
Request Encoding: Unicode (UTF-8) Response Encoding: Unicode (UTF-8)
Trace Information
Category Message From First(s) From Last(s)
aspx.page Begin PreInit
aspx.page End PreInit 7.04135269251976E-05 0.000070
aspx.page Begin Init 0.000117334046214767 0.000047
aspx.page End Init 0.000164897495447027 0.000048
aspx.page Begin InitComplete 0.000201841239077041 0.000037
aspx.page End InitComplete 0.000247409065846853 0.000046
aspx.page Begin PreLoad 0.000284741775408932 0.000037
aspx.page End PreLoad 0.000330178610215368 0.000045
aspx.page Begin Load 0.000384109872850913 0.000054
In Page.Load... 0.000425236002740138 0.000041
Leaving Page.Load... 0.200732857262201 0.200308
aspx.page End Load 0.200822233880804 0.000089
aspx.page Begin LoadComplete 0.20084533925916 0.000023
aspx.page End LoadComplete 0.20086734724566 0.000022
aspx.page Begin PreRender 0.200888470368081 0.000021
aspx.page End PreRender 0.200912868289586 0.000024
aspx.page Begin PreRenderComplete 0.200934999248133 0.000022
aspx.page End PreRenderComplete 0.200957545905666 0.000023
aspx.page Begin SaveState 0.2012389928322 0.000281
aspx.page End SaveState 0.201263486992699 0.000024
aspx.page Begin SaveStateComplete 0.201284945614944 0.000021
aspx.page End SaveStateComplete 0.201305889625904 0.000021
aspx.page Begin Render 0.201326965965481 0.000021
aspx.page End Render 0.201548496098645 0.000222
Control Tree
Control UniqueID Type Render Size Bytes (including children) ViewState Size
Bytes (excluding children) ControlState Size Bytes (excluding children)
__Page ASP.testsec_aspx 957 0 0
ctl00 System.Web.UI.HtmlControls.HtmlGenericControl 955 0 0
ctl01 System.Web.UI.LiteralControl 97 0 0
groups System.Web.UI.WebControls.Label 834 1100 0
ctl02 System.Web.UI.LiteralControl 11 0 0
ctl03 System.Web.UI.LiteralControl 2 0 0
Session State
Session Key Type Value
Application State
Application Key Type Value
Request Cookies Collection
Name Value Size
Response Cookies Collection
Name Value Size
Headers Collection
Name Value
Connection Keep-Alive
Accept */*
Accept-Encoding gzip, deflate
Accept-Language en-us,it;q=0.5
Host localhost:3179
User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Response Headers Collection
Name Value
X-AspNet-Version 2.0.50727
Cache-Control private
Content-Type text/html
Form Collection
Name Value
Querystring Collection
Name Value
Server Variables
Name Value
ALL_HTTP HTTP_CONNECTION:Keep-Alive HTTP_ACCEPT:*/*
HTTP_ACCEPT_ENCODING:gzip, deflate HTTP_ACCEPT_LANGUAGE:en-us,it;q=0.5
HTTP_HOST:localhost:3179 HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
ALL_RAW Connection: Keep-Alive Accept: */* Accept-Encoding: gzip, deflate
Accept-Language: en-us,it;q=0.5 Host: localhost:3179 User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727)
APPL_MD_PATH
APPL_PHYSICAL_PATH C:\src\portal\
AUTH_TYPE NTLM
AUTH_USER WINDWARD\dave
AUTH_PASSWORD
LOGON_USER WINDWARD\dave
REMOTE_USER WINDWARD\dave
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 0
CONTENT_TYPE
GATEWAY_INTERFACE
HTTPS
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID
INSTANCE_META_PATH
LOCAL_ADDR 127.0.0.1
PATH_INFO /portal/TestSec.aspx
PATH_TRANSLATED C:\src\portal\TestSec.aspx
QUERY_STRING
REMOTE_ADDR 127.0.0.1
REMOTE_HOST 127.0.0.1
REMOTE_PORT
REQUEST_METHOD GET
SCRIPT_NAME /portal/TestSec.aspx
SERVER_NAME localhost
SERVER_PORT 3179
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE
URL /portal/TestSec.aspx
HTTP_CONNECTION Keep-Alive
HTTP_ACCEPT */*
HTTP_ACCEPT_ENCODING gzip, deflate
HTTP_ACCEPT_LANGUAGE en-us,it;q=0.5
HTTP_HOST localhost:3179
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
 
L

Luke Zhang [MSFT]

I'm not sure I understand this clearly. In a previous message, you said: "this
is a plain old console app. It lists all of my groups correctly but then
returns false for each group." But in this message, you said "Everything
works fine in the console app." Will IsInRole work or not in the console
app? If it worked in a console app, it may be a security issue, since your
ASP.NET app may run in a different security context than the console app.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
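
An added example (not code from any poster in this thread): a console check that follows the rules summarised above and, unlike the console loop quoted earlier, which never increments `ind` and so writes every result to `mem[0]`, reports each group separately. It tests membership once by SID and once by translated name, so a name-resolution failure can be told apart from a failed token check; the class name RoleCheck and the output format are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

static class RoleCheck   // hypothetical name, not from the thread
{
    static void Main()
    {
        // Console and forms apps only: with the default policy,
        // Thread.CurrentPrincipal is an unauthenticated GenericPrincipal
        // and IsInRole returns false for every group.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        IPrincipal threadUser = Thread.CurrentPrincipal;
        WindowsIdentity token = WindowsIdentity.GetCurrent();
        WindowsPrincipal tokenUser = new WindowsPrincipal(token);

        // If these two lines name different accounts, role checks against
        // one say nothing about the other.
        Console.WriteLine("Thread.CurrentPrincipal   : {0} [{1}]",
            threadUser.Identity.Name, threadUser.GetType().Name);
        Console.WriteLine("WindowsIdentity.GetCurrent: {0} [{1}]",
            token.Name, token.AuthenticationType);

        int mismatches = 0;
        foreach (IdentityReference reference in token.Groups)
        {
            SecurityIdentifier sid = (SecurityIdentifier)reference;

            // Translate one SID at a time so a single unmappable SID
            // does not abort the whole listing.
            string name = null;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { }

            // Check against the token directly, with no name lookup.
            bool bySid = tokenUser.IsInRole(sid);
            // Check by name: the name is resolved back to a SID first.
            bool byName = name != null && threadUser.IsInRole(name);

            if (bySid != byName) mismatches++;
            Console.WriteLine("{0,-45} bySid={1,-5} byName={2,-5} {3}",
                name ?? sid.Value, bySid, byName,
                bySid == byName ? "" : "<-- differs");
        }
        Console.WriteLine("{0} group(s) where the two checks disagree", mismatches);
    }
}
```

In an ASP.NET page, leave out the SetPrincipalPolicy call and use Context.User in place of threadUser, in line with the advice earlier in the thread.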
 
