TygerKrash
I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again..
My application does not allow anonymous access, and integrated windows
authentication is enabled.
In my web config I have the following:
<authentication mode="Windows"/>
<authorization>
    <allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
    <deny users="*"/>
</authorization>
<identity impersonate="true"/>
As far as I can tell this should be all I need.
However users who are members of the domain groups EDI_GROUP or
EDI_OPS get access denied for the default.aspx page (in application
root directory).
I have verified the users are members of the groups and that the host is
aware of the groups (double-checked by restarting the server..
twice!).
Interestingly, within the application I can programmatically identify the
users as members of the groups but only if I use:
WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");
If I try to use:
IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");
memberOfEDI_Ops will be false (further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).
This may be a red herring but the second approach will in fact return
a WindowsPrincipal when running on the devstudio web server on my
development machine.
My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.
Any ideas, suggestions?
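A diagnostic sketch for the principal mismatch described in the post above, added here as an example and not part of the original post: it reports the concrete type, identity and role-check results for HttpContext.Current.User, Thread.CurrentPrincipal and the impersonated Windows token, then lists the groups that token actually carries. The names PrincipalDiagnostics, Describe and Report are hypothetical; the role names are the ones from the posted web.config.

```csharp
// Added diagnostic example; PrincipalDiagnostics, Describe and Report are hypothetical names.
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

public static class PrincipalDiagnostics
{
    // Role names copied from the <allow roles="..."/> entry in the post.
    private static readonly string[] Roles =
        { @"ie.mydomain\EDI_GROUP", @"ie.mydomain\EDI_OPS" };

    public static string Describe()
    {
        StringBuilder sb = new StringBuilder();
        HttpContext ctx = HttpContext.Current;
        Report(sb, "HttpContext.Current.User", ctx != null ? ctx.User : null);
        Report(sb, "Thread.CurrentPrincipal", Thread.CurrentPrincipal);

        // With <identity impersonate="true"/> this is the impersonated thread token;
        // without impersonation it is the worker process identity.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            Report(sb, "WindowsIdentity.GetCurrent()", new WindowsPrincipal(token));
            foreach (IdentityReference sid in token.Groups)
            {
                string name;
                // Fall back to the raw SID when it cannot be resolved to DOMAIN\name.
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = sid.Value; }
                sb.AppendLine("  group in token: " + name);
            }
        }
        return sb.ToString();
    }

    private static void Report(StringBuilder sb, string label, IPrincipal p)
    {
        if (p == null) { sb.AppendLine(label + ": <null>"); return; }
        sb.AppendLine(label + ": " + p.GetType().Name
            + ", name=" + p.Identity.Name
            + ", authenticated=" + p.Identity.IsAuthenticated
            + ", authType=" + p.Identity.AuthenticationType);
        foreach (string role in Roles)
            sb.AppendLine("  IsInRole(" + role + ") = " + p.IsInRole(role));
    }
}
```

Write the returned text to a server-side log or trace rather than rendering it in a page, since it exposes account and group names.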