Have <authentication mode="Windows"> half working

Joe Kaplan (MVP - ADSI)

Yep, this is weird alright. It looks like there is some kind of a
difference in how IsInRole is implemented such that it is not working to
resolve the SIDs in your token into friendly names, but the Translate method
does. I have no idea what the problem is or what the API difference is
either.

I'm guessing there is something environmental that is the cause of this
since it works for me, but I'm not sure where to start looking. Maybe D.
will have an idea. This might be something where you need to open an
official support inquiry with MS.

Do you have an option to try this on a different machine that is a member of
this domain?

Joe K.

David Thielen

Good idea - I tried from another machine, not a domain system (my test box), and
it first prompted me for user/pw as it should (not a domain system), and I got
the same problem - a list of groups but false for each.

Joe Kaplan (MVP - ADSI)

That's even stranger. Maybe some other people can try that test page and
see what results they get. I've tried it on 2 and it worked fine on each.
I've also never seen IsInRole fail to work like that in any version of the
framework.

Joe K.

Dominick Baier [DevelopMentor]

The only thing that comes to my mind is that for some reason the machine
is running on cached logon credentials...

Are you really sure you are properly connected to the domain? Try installing
"kerbtray" (google for it) - do you see a green ticket in the tray after
running it?

Besides that, no clue (atm at least).

David Thielen

Hello;

The console app works fine - I was missing an ind++ in my first post but
fixed that and the console app works fine. But the ASP.NET app while it finds
all of my groups, returns false for IsInRole for each group.

What kind of security issue would return false for the IsInRole call?

Luke Zhang [MSFT]

Also works for me.

It is more likely an environment setting (like an AD problem) than a
programming issue.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

David Thielen

What environment setting? I don't see how an environment setting can allow me
to be authenticated, will return the groups I am in, but will fail IsInRole -
that makes no sense.

Please ask the dev team how IsInRole could fail in this situation.

David Thielen

Hi again;

Also, when I call IsInRole from a .NET console app - it works. So it's only
ASP.NET that has the problem. Therefore it has to be something in .NET and
specifically in ASP.NET.

Dominick Baier [DevelopMentor]

Try to set up a new machine (VMWare, e.g.), join it to the domain, and try
the code again - I think you are doing something wrong (not sure what, though).
If you can repro that behaviour on a clean install, then MS would surely be
interested in that...

Have you tried kerbtray, as I told you?

Joe Kaplan (MVP - ADSI)

One other thing to try: WindowsPrincipal also has an IsInRole overload that
takes a SecurityIdentifier. Can you try testing with that using my previous
sample? You can just cast the IdentityReference objects in the Groups
property to SecurityIdentifier objects.

If that doesn't work, then there is something even more bizarre wrong than
with the name translation routine.

Another thing to try would be to take the converted NTAccount objects in the
second collection and try using the Translate method to see if you can
convert back into SecurityIdentifier objects. Maybe that part is broken?

Thanks,

Joe K.

David Thielen

Hi;

How do I get a WindowsPrincipal? Context.User gives me a RolePrincipal, not
a WindowsPrincipal. Its Identity property is a WindowsIdentity object, but I
need a WindowsPrincipal to make those IsInRole() calls.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Joe Kaplan (MVP - ADSI)

In the code I provided, if your authentication mode in web.config is Windows
and IIS is configured for Windows auth (anon disabled; basic/digest/IWA
enabled), then you will get a WindowsPrincipal. The RolePrincipal must have
been generated as a result of something you have configured for membership
or something.

That might be part of the problem here. We aren't getting an apples to
apples comparison.

Joe K.

David Thielen

Here you go:

ShowContexts (www.leastprivilege.com)


Configuration Settings:
Authentication Mode: Windows
Impersonation Settings: client impersonation
Membership Provider: System.Web.Security.SqlMembershipProvider
Role Provider: System.Web.Security.SqlRoleProvider
Trust Level: Full



Identity Information:
Process Identity: WINDWARD\dave
Thread Identity: WINDWARD\dave
Context.User WINDWARD\dave
Thread.CurrentPrincipal WINDWARD\dave
IIS Authentication Identity WINDWARD\dave
Client Certificate Subject None
Client Certificate UPN


Type Information:
Context IPrincipal / IIdentity: System.Web.Security.RolePrincipal / System.Security.Principal.WindowsIdentity
Context Authentication Type: NTLM
Thread.CurrentPrincipal IPrincipal / IIdentity type: System.Web.Security.RolePrincipal / System.Security.Principal.WindowsIdentity
Thread.CurrentPrincipal Authentication Type: NTLM


Roles:
not available

David Thielen

And here is the entire Web.Config:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

  <configSections>
    <section name="WindwardReports"
             type="System.Configuration.NameValueSectionHandler"/>
    <section name="log4net"
             type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
  </configSections>

  <WindwardReports>
    <add key="_debug" value="true"/>
  </WindwardReports>

  <log4net>
    <appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%ndc] - %message%newline"/>
      </layout>
    </appender>
    <root>
      <level value="INFO"/>
      <appender-ref ref="ConsoleAppender"/>
    </root>
  </log4net>

  <appSettings/>
  <connectionStrings>
    <add name="ADService" connectionString="LDAP://picard.windward.local"/>
    <add name="WindwardPortal"
         connectionString="Data Source=BELLE;Initial Catalog=WindwardPortal;Integrated Security=True"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <!-- Role manager is on while authentication is Windows: Context.User becomes a
         RolePrincipal whose IsInRole consults the default (SQL) role provider rather
         than the groups in the Windows token. -->
    <roleManager enabled="true"/>
    <compilation debug="true">
      <assemblies>
        <add assembly="System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="vjscor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="vjslib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
      </assemblies>
    </compilation>

    <!--
    <pages theme="MSN_Blue"/>
    -->

    <authentication mode="Windows">
    </authentication>
    <identity impersonate="true"/>
    <authorization>
      <deny users="?"/>
    </authorization>

    <!--
    <authentication mode="Forms">
      <forms loginUrl="login.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="AspNetSqlMembershipProvider"/>

    <authentication mode="Forms">
      <forms name=".ADAuthCookie" loginUrl="login.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="MyProvider">
      <providers>
        <clear/>
        <add name="MyProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             attributeMapUsername="SAMAccountName"
             />
      </providers>
    </membership>
    -->

  </system.web>
</configuration>

Joe Kaplan (MVP - ADSI)

Remember, my demo page was completely predicated on using straight Windows
authentication, not any of the ASP.NET membership features. That would
explain why you were getting different results.

Joe K.

Dominick Baier [DevelopMentor]

As I suspected - you have the SqlRoleProvider enabled, but you are doing
Windows authentication. That means

Context.User is a RolePrincipal

and IsInRole asks the SQL database for roles.

This cannot work.

Do a <roleManager enabled="false" /> in web.config.

Why are you impersonating?
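Putting Joe's earlier suggestion (test the token directly with the SecurityIdentifier overload of IsInRole, and round-trip names through Translate) together with Dominick's diagnosis, here is an added example that is not code from the thread or from any of the posters. It shows the mismatch in one place: the wrapping principal's IsInRole is answered by whatever built that principal (in ASP.NET with roleManager on, the RolePrincipal and its role provider), while a WindowsPrincipal built over the same WindowsIdentity answers from the token's group SIDs. It assumes .NET Framework 2.0 or later on a Windows machine and uses only System.Security.Principal; the class and method names (WindowsRoleCheck, AsWindowsPrincipal, DumpGroups) are my own. In a page you would call DumpGroups(Context.User); stand-alone it uses the process token.

```csharp
// Added example (not from the thread): compare what a wrapping principal says
// about a Windows group with what the Windows token itself says.
// Assumes .NET Framework 2.0+ on Windows; only System.Security.Principal is used.
using System;
using System.Security.Principal;

static class WindowsRoleCheck
{
    // Get back to a principal whose IsInRole checks the token's group SIDs.
    // In the thread, Context.User is a System.Web.Security.RolePrincipal wrapping
    // a WindowsIdentity; its IsInRole asks the configured role provider
    // (SqlRoleProvider), so every domain group comes back false.
    public static WindowsPrincipal AsWindowsPrincipal(IPrincipal principal)
    {
        WindowsPrincipal wp = principal as WindowsPrincipal;
        if (wp != null)
            return wp;

        WindowsIdentity wi = principal.Identity as WindowsIdentity;
        if (wi == null)
            throw new InvalidOperationException(
                "Identity is " + principal.Identity.GetType().Name +
                "; Windows authentication is not in effect, so there is no token to check.");

        return new WindowsPrincipal(wi);
    }

    // For every group SID in the token: check it by SID, by translated account
    // name, round-trip the name back to a SID, and finally ask the original
    // (possibly wrapping) principal the same question by name.
    public static void DumpGroups(IPrincipal principal)
    {
        WindowsPrincipal wp = AsWindowsPrincipal(principal);
        WindowsIdentity wi = (WindowsIdentity)wp.Identity;

        Console.WriteLine("Outer principal: {0}", principal.GetType().FullName);
        Console.WriteLine("Token user:      {0}", wi.Name);
        if (wi.Groups == null)
        {
            Console.WriteLine("Token carries no groups.");
            return;
        }

        foreach (IdentityReference group in wi.Groups)
        {
            SecurityIdentifier sid = (SecurityIdentifier)group;
            bool bySid = wp.IsInRole(sid);   // SID overload: no name lookup involved

            string name = null;
            bool byName = false;
            bool roundTrip = false;
            try
            {
                NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
                name = account.Value;
                byName = wp.IsInRole(name);  // string overload: name -> SID, then token compare
                SecurityIdentifier back =
                    (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                roundTrip = back.Equals(sid);
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned or foreign SID: no name resolves, but the SID overload still works.
            }

            // What the principal you were handed says for the same group name.
            bool outerSaysInRole = name != null && principal.IsInRole(name);

            Console.WriteLine("{0,-45} {1,-40} sid={2} name={3} roundtrip={4} outer={5}",
                sid.Value, name ?? "<unresolvable>", bySid, byName, roundTrip, outerSaysInRole);
        }
    }

    static void Main()
    {
        // In a page: WindowsRoleCheck.DumpGroups(Context.User);
        // Stand-alone: the token of whoever runs this process.
        DumpGroups(new WindowsPrincipal(WindowsIdentity.GetCurrent()));
    }
}
```

With `<roleManager enabled="true"/>` and Windows authentication, the `outer` column is what Context.User.IsInRole returns (the SqlRoleProvider's answer, false for every domain group), while `sid` and `name` are the token's answer and `roundtrip` confirms the name translation itself is healthy. Setting `<roleManager enabled="false"/>` as Dominick suggests makes Context.User a WindowsPrincipal again, so the outer answer and the token answer agree.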