Problems with IsInRole

Discussion in 'ASP .Net Security' started by John Rusk, Nov 17, 2004.

  1. John Rusk

    John Rusk Guest

    I'm having problems with WindowsPrincipal.IsInRole. It's returning false
    when it should return true.

    I've written some test code that uses reflection to call the private
    _GetRoles method of WindowsIdentity. That gets the same list of roles that
    IsInRole uses. It returns a long list, but most of the strings in the list
    are blank (i.e. zero length or null). That explains why IsInRole fails,
    since it's doing lookups in a list that consists of (mostly) empty strings.

    Does anyone know the cause of this behaviour?

    John
    John Rusk, Nov 17, 2004
    #1
    1. Advertising

  2. Is it possible that the SID->name resolution might be failing due to a
    security context error? I think the underlying API call requires a domain
    security context on the current thread. You might try impersonating the
    WindowsIdentity in the WindowsPrincipal before you call IsInRole to see if
    that changes your results. You can revert back right after you call
    IsInRole for the first time.

    Let us know if that fixes the problem.

    Joe K.

    "John Rusk" <> wrote in message
    news:...
    > I'm having problems with WindowsPrincipal.IsInRole. It's returning false
    > when it should return true.
    >
    > I've written some test code that uses reflection to call the private
    > _GetRoles method of WindowsIdentity. That gets the same list of roles
    > that
    > IsInRole uses. It returns a long list, but most of the strings in the
    > list
    > are blank (i.e. zero length or null). That explains why IsInRole fails,
    > since it's doing lookups in a list that consists of (mostly) empty
    > strings.
    >
    > Does anyone know the cause of this behaviour?
    >
    > John
    >
    >
    Joe Kaplan \(MVP - ADSI\), Nov 17, 2004
    #2
    1. Advertising

  3. John Rusk

    John Rusk Guest

    > security context on the current thread. You might try impersonating the
    > WindowsIdentity in the WindowsPrincipal before you call IsInRole to see if


    Joe,

    I wondered about that. I haven't tried it yet at the client's site. What I
    have tried there is the little test application that calls _GetRoles. It's a
    Winforms app, so runs under the account of the logged in domain user. It
    fails as described in my original post, which leads me to believe that doing
    impersonation in ASP probably wouldn't help either.

    Can you think of any explaination why the _GetRoles call should fail? It is
    run by a user logged in to domain "X", but fails to return groups in domain
    "X" to which the user belongs. The only possible complicating factor, at
    least the only one I've thought of so far, is that the machine itself is not
    a member of domain "X".

    John
    John Rusk, Nov 17, 2004
    #3
  4. John Rusk

    John Rusk Guest

    I think I've found the problem. I think its something like this:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;262958

    While I'm not 100% sure that I'm suffering from _exactly_ the same problem,
    it seems that its possible to configure domain controllers in a way that
    breaks .NET's role based security.

    I ended up dropping .NET's IsInRole, and using equivalent code from Keith
    Brown's security library
    (http://www.theserverside.net/discussions/thread.tss?thread_id=25074). That
    was when I finally got the error 1789, which means "The trust relationship
    between this workstation and the primary domain failed". It's a shame that
    ..NET's IsInRole doesn't log anything to indicate what's going wrong. The
    only sign was blank/missing names for global groups when I called _GetRoles.

    In the code I used, from Keith Brown's library, it was the translation from
    names to SIDs that was failing.

    Thanks for your suggestions Joe.

    John
    John Rusk, Nov 18, 2004
    #4
  5. That's too bad. I've seen these kinds of problems, but they are pretty
    mysterious.

    You could also try using some Directory Services code to do this to overcome
    the issue with the LSA, but that will require more config and potentially be
    more brittle.

    Perhaps there is a way to solve the trust issue though. I'm the wrong guy
    to ask there, but I'm sure someone understands the options.

    Joe K.

    "John Rusk" <> wrote in message
    news:...
    >I think I've found the problem. I think its something like this:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;262958
    >
    > While I'm not 100% sure that I'm suffering from _exactly_ the same
    > problem,
    > it seems that its possible to configure domain controllers in a way that
    > breaks .NET's role based security.
    >
    > I ended up dropping .NET's IsInRole, and using equivalent code from Keith
    > Brown's security library
    > (http://www.theserverside.net/discussions/thread.tss?thread_id=25074).
    > That
    > was when I finally got the error 1789, which means "The trust relationship
    > between this workstation and the primary domain failed". It's a shame
    > that
    > .NET's IsInRole doesn't log anything to indicate what's going wrong. The
    > only sign was blank/missing names for global groups when I called
    > _GetRoles.
    >
    > In the code I used, from Keith Brown's library, it was the translation
    > from
    > names to SIDs that was failing.
    >
    > Thanks for your suggestions Joe.
    >
    > John
    >
    >
    Joe Kaplan \(MVP - ADSI\), Nov 18, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. John Saunders

    Re: Question: COntext.User.IsInRole

    John Saunders, Aug 6, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    3,408
    John Saunders
    Aug 6, 2003
  2. avnrao
    Replies:
    1
    Views:
    548
    =?Utf-8?B?Qnlyb24=?=
    May 13, 2004
  3. Mong

    IsInRole still returns false!

    Mong, May 21, 2004, in forum: ASP .Net
    Replies:
    3
    Views:
    3,466
    Matt Quinn
    Jun 27, 2007
  4. Somyos Jinkow

    user.isinrole in user control

    Somyos Jinkow, Jun 1, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    1,880
    =?Utf-8?B?cmFuZ2FuaA==?=
    Jun 1, 2004
  5. AJT
    Replies:
    3
    Views:
    369
    Gregory A. Beamer
    Jun 16, 2009
Loading...

Share This Page