Windows Authentication - not seeing Groups

Discussion in 'ASP .Net Security' started by SpaceMarine, Aug 14, 2008.

  1. SpaceMarine

    SpaceMarine Guest

    hello,

    my ASP.NET apps use Windows Server 2003, and Integrated Windows
    authentication in the web.config:

    <authentication mode="Windows"/>

    ...our Windows users are assigned to groups in Active Directory, which
    I can usually lock down like so:

    <authorization>
    <allow roles="Foo"/>
    <deny users="*"/>
    <deny users="?"/>
    </authorization>


    however, something has stopped working. the above stopped working, and
    doing some tests in code-behind I determined the app can see who you
    are and retrieve your Windows name like this:

    string name = User.Identity.Name; // "DOMAIN\SomeUser"

    ...but it doesn't seem able to recognize what AD group you're in, like
    this:

    bool isInRole = User.IsInRole("Foo"); // false every time

    ...yet if I check in Windows, the user *is* in that group.


    any idea what could be happening!? this used to work, but I'm not sure
    what's changed since then. any ideas would be appreciated.


    thanks,
    sm
    SpaceMarine, Aug 14, 2008
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    It should be "domain\groupname". The plain name of the group should not
    work.

    For troubleshooting, access the Groups property on the WindowsIdentity
    object, convert the IdentityReferenceCollection to the NTAccount type and
    dump out the resulting names to see what names can be matched.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Aug 14, 2008
    #2

  3. SpaceMarine

    SpaceMarine Guest

    On Aug 14, 4:16 pm, "Joe Kaplan"
    <> wrote:
    > It should be "domain\groupname".  The plain name of the group should not
    > work.


    actually, it does work w/o the domain portion. I'm doing more testing
    -- either format works locally on my dev box (finds me in group), but
    neither format works on the production box.

    will try your recommendation, but I'm not familiar w/ the technique.
    let's see here...
    SpaceMarine, Aug 14, 2008
    #3
  4. SpaceMarine

    SpaceMarine Guest

    On Aug 14, 4:16 pm, "Joe Kaplan"
    <> wrote:

    > For troubleshooting, access the Groups property on the WindowsIdentity
    > object, convert the IdentityReferenceCollection to the NTAccount type and
    > dump out the resulting names to see what names can be matched.


    ok this is done via this:

    // convert the user's group SIDs to readable DOMAIN\Group names
    // (needs "using System.Security.Principal;" at the top of the file)
    IdentityReferenceCollection usersGroups =
        WindowsIdentity.GetCurrent().Groups.Translate(typeof(NTAccount));

    Trace.Write("group-member count: " + usersGroups.Count);

    foreach (IdentityReference group in usersGroups)
        Trace.Write("group: " + group.Value);


    ...sweet! never knew how or had to do that before. good to know.

    now..running this on my local box and on the prod box, I see
    discrepancies. most apparent is that the prod box doesn't list any of
    the user's group memberships when that group is in our org's domain,
    a la "SOMEDOMAIN\SomeSpecialGroup".

    instead, it only lists "NT AUTHORITY\SomeGroup" and "BUILTIN\SomeGroup"
    type memberships.

    does this mean, then, that our prod box isn't hooked up to the domain
    properly? maybe in IIS or something??


    thanks!
    sm
    SpaceMarine, Aug 14, 2008
    #4
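    An added diagnostic page (example code written for this edit, not code
    from the thread or from Joe Kaplan) that extends Joe's suggestion and
    SpaceMarine's snippet above. It assumes an ASP.NET Web Forms code-behind
    running under Integrated Windows authentication; the role name "Foo" is
    the thread's placeholder and GroupDiagnostics is an assumed class name.
    It dumps the token groups of two different identities side by side: the
    one IIS authenticated for the request (User.Identity) and the one the
    code is executing as (WindowsIdentity.GetCurrent()). Without
    <identity impersonate="true"/> the second is the worker-process account,
    whose token carries only NT AUTHORITY\* and BUILTIN\* groups, so comparing
    the two lists shows which identity a role check is really evaluating. It
    also flags a user whose domain part is the machine name, which is the
    local-account check Joe asks for later in the thread.

```csharp
// Added example (not from the thread): compare the request identity with the
// worker-process identity and list each one's token groups as DOMAIN\Group.
// Assumes an ASP.NET Web Forms page under <authentication mode="Windows"/>;
// "Foo" is the placeholder role name from the thread.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;

public partial class GroupDiagnostics : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The principal IIS attached to the request: who the caller is.
        WindowsIdentity requestUser = User.Identity as WindowsIdentity;

        // The identity this code runs as. Without impersonation this is the
        // application pool account (e.g. NT AUTHORITY\NETWORK SERVICE), not the caller.
        WindowsIdentity processUser = WindowsIdentity.GetCurrent();

        foreach (string line in Describe("request", requestUser))
            Trace.Write(line);
        foreach (string line in Describe("process", processUser))
            Trace.Write(line);

        // The role check the thread is about, evaluated against the request principal.
        Trace.Write("IsInRole(\"Foo\"): " + User.IsInRole("Foo"));
    }

    // Returns one line per fact about the identity, then one line per token group.
    public static List<string> Describe(string label, WindowsIdentity id)
    {
        var lines = new List<string>();
        if (id == null)
        {
            lines.Add(label + ": not a WindowsIdentity (is authentication mode=\"Windows\" in effect?)");
            return lines;
        }

        lines.Add(label + ": " + id.Name
                  + " auth=" + id.AuthenticationType
                  + " authenticated=" + id.IsAuthenticated);

        // A name whose domain part equals the machine name is a local account;
        // its token will never contain domain groups.
        int slash = id.Name.IndexOf('\\');
        if (slash > 0 && string.Equals(id.Name.Substring(0, slash),
                                       Environment.MachineName,
                                       StringComparison.OrdinalIgnoreCase))
        {
            lines.Add(label + ": WARNING local machine account, domain groups will be absent");
        }

        // Translate each group SID individually so one unresolvable SID
        // (e.g. a domain the server cannot reach) does not hide the rest.
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value + " (unresolved SID)";
            }
            lines.Add(label + " group: " + name);
        }
        return lines;
    }
}
```

    Enable page tracing (trace="true" on the page or in web.config) and
    request the page from a domain account. If the "request" list contains
    SOMEDOMAIN\... groups while the "process" list shows only NT AUTHORITY
    and BUILTIN entries, the earlier snippet based on
    WindowsIdentity.GetCurrent() was reporting the worker process, not the
    user; if even the "request" list lacks domain groups, the logon itself is
    the place to look.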
  5. Joe Kaplan

    Joe Kaplan Guest

    Yes, it sounds like something very weird is going on here, especially if
    those groups are the same group names as the domain groups the user is a
    member of.

    It would be interesting to see what the security event log says for the
    logon event for the user. Also, make sure you aren't accidentally logging
    in with a local machine account or something.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Aug 15, 2008
    #5