role/group authorization not recognizing user groups.



I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..

My application does not allow anonymous access, and integrated windows
authentication is enabled.

In my web config I have the following:

<authentication mode="Windows"/>
<allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
<deny users="*"/>
<identity impersonate="true"/>

As far as I can tell this should be all I need.

However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).

I have verified the users are members of the groups and that host is
aware of the groups ( double checked by restarting the server..

Interesting, within the application I can programatically identify the
users as members of the groups but only if I use:

WindowsPrincipal principal = new
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

If I try to use :

IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

memberOfEDI_Ops will be false ( further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).

This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.

My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.

Any Ideas, suggestions?

Joe Kaplan

It is strange that your Thread.CurrentPrincipal isn't a WindowsPrincipal.
What is the Context.User property in this case? Thread.CurrentPrincipal and
Context.User should be the same in an ASP.NET app in most circumstances.

Joe K.


Hi Joe,
Thanks for the reply.

I've just checked and Context.User is also appearing as a
GenericPrincipal (representing the same user).

I can ,and given time constraints I probably will, just identify the
users role programatically and enforce my authorization that way,
so this isn't that serious a problem, but I am curious to get to the
bottom of this.


Joe Kaplan

If your app is using Windows security in IIS and web.config, the
authenticated user (Context.User) should be a WindowsPrincipal. Is it
possible something else has been added to the stack like membership or
something? I honestly don't know.

Joe K.


Theres no Membership entry in our application web config, maybe it's
something set in the machine.config but looking at that makes me kind
of dizzy! Guess I'll mark this one up as 'weird' for the time being.
I'll work around it and move on.

thanks for your help.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Latest member

Latest Threads