Role-based security problems

Jason

I'm trying to implement role-based security in my ASP.NET application,
however, every time I perform an IsInRole check, it ALWAYS returns
false! My Web.Config file has the following entry:

<authentication mode="Windows" />

Here is sample code that returns false:

    private void Page_Load(object sender, System.EventArgs e)
    {
        lblOutput.Text = RoleTest();
    }

    private string RoleTest()
    {
        //return Context.User.Identity.Name.ToString();
        return Context.User.IsInRole("MYDOMAIN\\Administrators").ToString();
    }

The first line in RoleTest(), where it returns
Context.User.Identity.Name, works and returns the name of the logged-on
user. But the second line always returns false no matter what I check
for!

This is all I have done to implement Role-Based security. Is there
more setup that has to be done? Do I have to populate roles, or
initialize WindowsPrincipal objects, or what?

Thanks for the help!
 
DalePres

Under the system.web section of your web.config file, add the following:

<identity impersonate="true"/>
That should fix your problem.

DalePres

MCAD, MCDBA, MCSE
 
Scott Allen

What users are you allowing into the site in the <authorization>
section? The server doesn't need to authenticate the client if
anonymous access is allowed...
 
Jason

Here is my web.config file:

    <system.web>
        <identity impersonate="true"/>
        <compilation defaultLanguage="c#" debug="true" />
        <customErrors mode="Off" />
        <authentication mode="Windows" />
        <authorization>
            <allow users="*" /> <!-- Allow all users -->
        </authorization>
        <trace enabled="false" requestLimit="10" pageOutput="false"
               traceMode="SortByTime" localOnly="true" />
        <sessionState mode="SQLServer" sqlConnectionString="*******"
                      cookieless="false" timeout="20" />
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>

I have anonymous access turned off, and DalePres' suggestion didn't
work.
 
Jason

I am developing on my machine against another server that is running
the application. Both machines are on the same domain, in fact the
machine running the app is a domain controller for the domain.
 
DalePres

Well, I am at a loss, Jason. I have several applications using the
User.IsInRole method for authorization and all I have had to do is make sure
that the anonymous access is disabled, that Windows authentication is
enabled, and that impersonate = true in the web.config file.

I have one question though. I don't have Active Directory currently
installed on my home network so I can't check this out for certain, but
isn't the Administrators group in the form of @"DOMAIN\Domain Admins"?

Another issue I have run up against is that in some contexts, and I don't
remember if this applies exactly to IsInRole, you must use all upper case
domain names.

I do know that there are issues with using ASP.Net on domain controllers,
but those I have dealt with had to do with the ASPNET account and file
access. There could be more issues with ASP.Net on domain controllers. In
the one case where I tried to run ASP.Net on a domain controller, the
security issues were more costly than the cost of a separate server and the
client opted for a separate server - a good idea from many perspectives.

DalePres
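
A diagnostic for the symptom discussed in this thread, added here as an example (not code from any poster): it lists the groups actually present in the authenticated Windows identity's token and evaluates several candidate role names, so the exact string that IsInRole matches can be read off the output. RoleDiagnostics and Describe are hypothetical names, the role strings are constructed samples built on the thread's MYDOMAIN placeholder, and WindowsIdentity.Groups assumes .NET Framework 2.0 or later; inside a page, pass (WindowsIdentity)Context.User.Identity instead of WindowsIdentity.GetCurrent().

```csharp
using System;
using System.Security.Principal;
using System.Text;

// Added diagnostic example; RoleDiagnostics and Describe are hypothetical names.
public static class RoleDiagnostics
{
    // Lists every group in the identity's token, then evaluates candidate role names.
    public static string Describe(WindowsIdentity identity, params string[] candidateRoles)
    {
        StringBuilder report = new StringBuilder();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        report.AppendLine("User: " + identity.Name);
        report.AppendLine("Authenticated: " + identity.IsAuthenticated
                          + " (" + identity.AuthenticationType + ")");

        report.AppendLine("Groups in token:");
        if (identity.Groups != null) // null when the identity carries no group SIDs
        {
            foreach (IdentityReference sid in identity.Groups)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = "(unresolved) " + sid.Value; }
                report.AppendLine("  " + name);
            }
        }

        report.AppendLine("IsInRole results:");
        foreach (string role in candidateRoles)
            report.AppendLine("  " + role + " -> " + principal.IsInRole(role));

        // Built-in local Administrators, checked by well-known role instead of by name.
        report.AppendLine("  WindowsBuiltInRole.Administrator -> "
                          + principal.IsInRole(WindowsBuiltInRole.Administrator));
        return report.ToString();
    }

    public static void Main()
    {
        // Constructed sample role names; MYDOMAIN is the placeholder domain from the question.
        Console.Write(Describe(WindowsIdentity.GetCurrent(),
            @"MYDOMAIN\Administrators", @"BUILTIN\Administrators", @"MYDOMAIN\Domain Admins"));
    }
}
```

The "Groups in token" section shows each group with the prefix Windows resolves it to, for example BUILTIN\Administrators for the built-in Administrators group, which is the form to pass to IsInRole.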
 
Scott Allen

> I do know that there are issues with using ASP.Net on domain controllers,
> but those I have dealt with had to do with the ASPNET account and file
> access. There could be more issues with ASP.Net on domain controllers. In
> the one case where I tried to run ASP.Net on a domain controller, the
> security issues were more costly than the cost of a separate server and the
> client opted for a separate server - a good idea from many perspectives.


Yes, there are documented problems installing asp.net on a DC:
http://support.microsoft.com/kb/315158
 
hansiman

Won't the code in the Application_AuthenticateRequest (global.asax)
fire every time a page is loaded?
 
