Windows Authentication - not seeing Groups

SpaceMarine

Hello,

My ASP.NET apps use Windows Server 2003 and Integrated Windows
authentication in the web.config:

<authentication mode="Windows"/>

...our Windows users are assigned to groups in Active Directory, which
I can usually lock down like so:

<authorization>
  <allow roles="Foo"/>
  <deny users="*"/>
  <deny users="?"/>
</authorization>


However, something has stopped working. The above stopped working, and
doing some tests in code-behind I determined the app can see who you
are and retrieve your Windows name like this:

string name = User.Identity.Name; // "DOMAIN\SomeUser"

...but it doesn't seem able to recognize what AD group you're in, like
this:

bool isInRole = User.IsInRole("Foo"); // false every time

...yet if I check in Windows, the user *is* in that group.


Any idea what could be happening? This used to work, but I'm not sure
what's changed since then. Any ideas would be appreciated.


Thanks,
sm
 
Joe Kaplan

It should be "domain\groupname". The plain name of the group should not
work.

For troubleshooting, access the Groups property on the WindowsIdentity
object, convert the IdentityReferenceCollection to the NTAccount type and
dump out the resulting names to see what names can be matched.

Joe K.
 
SpaceMarine

> It should be "domain\groupname". The plain name of the group should not
> work.

Actually, it does work without the domain portion. I'm doing more testing
-- either format works locally on my dev box (finds me in the group), but
neither format works on the production box.

I will try your recommendation, but I'm not familiar with the technique.
Let's see here...
 
SpaceMarine

> For troubleshooting, access the Groups property on the WindowsIdentity
> object, convert the IdentityReferenceCollection to the NTAccount type and
> dump out the resulting names to see what names can be matched.

OK, this is done via this:

using System.Security.Principal;

// Convert the user's group SIDs to readable NT account names.
// WindowsIdentity.GetCurrent() is the thread/process token (in ASP.NET the
// worker process account unless impersonation is on), not User.Identity.
// Translate() on the whole collection throws IdentityNotMappedException
// if any single SID cannot be resolved.
IdentityReferenceCollection usersGroups =
    WindowsIdentity.GetCurrent().Groups.Translate(typeof(NTAccount));

Trace.Write("group-member count: " + usersGroups.Count);

foreach (IdentityReference group in usersGroups)
    Trace.Write("group: " + group.Value);


...sweet! I never knew how or had to do that before. Good to know.

Now, running this on my local box and on the prod box, I see
discrepancies. Most apparent is that the prod box doesn't list any of
the user's group memberships when that group is in our org's domain,
à la "SOMEDOMAIN\SomeSpecialGroup".

Instead, it only lists "NT AUTHORITY\SomeGroup" and "BUILTIN\SomeGroup"
type memberships.

Does this mean, then, that our prod box isn't hooked up to the domain
properly? Maybe in IIS or something?


Thanks!
sm
 
Joe Kaplan

Yes, it sounds like something very weird is going on here, especially if
those groups are the same group names as the domain groups the user is a
member of.

It would be interesting to see what the security event log says for the
logon event for the user. Also, make sure you aren't accidentally logging
in with a local machine account or something.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
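Putting Joe's two suggestions together (dump the token's groups as NTAccount names; make sure the logon is a domain account rather than a local one), here is an added diagnostic in C#. It is example code written for this thread, not code from either poster. It prints the identity's name, authentication type, impersonation level, user SID and that SID's account domain, translates each group SID individually (catching IdentityNotMappedException, which the collection-level Translate would raise for the whole call), and resolves a role name to a SID the same way WindowsPrincipal.IsInRole(string) does, so a bare "Foo" shows which account it actually matched. Run as a console app it inspects the interactive logon token; inside an ASP.NET page, call IdentityDiag.Dump((WindowsIdentity)User.Identity, Response.Output) and compare against WindowsIdentity.GetCurrent(), which is the worker process account unless <identity impersonate="true"/> is set. The class name, the role names "Foo" and "SOMEDOMAIN\Foo" and the console output are assumptions for the example.

```csharp
// Added diagnostic example (not from the thread). Targets .NET 2.0+.
// Console app: inspects the interactive logon token.
// ASP.NET:     IdentityDiag.Dump((WindowsIdentity)User.Identity, Response.Output);
using System;
using System.IO;
using System.Security.Principal;

static class IdentityDiag
{
    // Dump everything that decides the outcome of User.IsInRole() for a token.
    public static void Dump(WindowsIdentity id, TextWriter w)
    {
        w.WriteLine("Name:            " + id.Name);
        w.WriteLine("AuthType:        " + id.AuthenticationType); // NTLM, Kerberos, Negotiate ...
        w.WriteLine("Impersonation:   " + id.ImpersonationLevel);
        w.WriteLine("Anonymous:       " + id.IsAnonymous);
        w.WriteLine("User SID:        " + id.User);
        // A domain account's SID is prefixed with the domain SID; a local
        // account's with the machine SID. Well-known SIDs (NETWORK SERVICE,
        // S-1-5-20) have no account domain at all and print as empty here.
        w.WriteLine("Account domain:  " + id.User.AccountDomainSid);

        w.WriteLine("Groups (" + id.Groups.Count + "):");
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try
            {
                // Same translation Joe suggested, but one SID at a time so a
                // single unresolvable SID (logon SID, unreachable domain) does
                // not abort the whole dump.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "<unresolvable>";
            }
            w.WriteLine("  " + sid.Value + "  " + name);
        }
    }

    // WindowsPrincipal.IsInRole(string) resolves the role name to a SID via
    // NTAccount and then looks for that SID in the token. Doing the same step
    // by hand shows which account a bare or domain-qualified name maps to.
    public static string ResolveRole(string role)
    {
        try
        {
            SecurityIdentifier sid =
                (SecurityIdentifier)new NTAccount(role).Translate(typeof(SecurityIdentifier));
            // Round-trip to a name so "Foo" reveals MACHINE\Foo vs DOMAIN\Foo.
            return sid.Value + " = " + sid.Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException)
        {
            return "<no such account: " + role + ">";
        }
    }

    static void Main(string[] args)
    {
        // In a console app this is the logged-on user. Inside ASP.NET it is
        // the worker process (e.g. NT AUTHORITY\NETWORK SERVICE) unless
        // <identity impersonate="true"/> is set; the caller is User.Identity.
        WindowsIdentity token = WindowsIdentity.GetCurrent();
        Dump(token, Console.Out);

        // Role names to probe; "SOMEDOMAIN\Foo" is a placeholder from the thread.
        string[] roles = args.Length > 0 ? args : new string[] { "Foo", @"SOMEDOMAIN\Foo" };
        WindowsPrincipal principal = new WindowsPrincipal(token);
        foreach (string role in roles)
        {
            Console.WriteLine(role + " -> " + ResolveRole(role)
                + "  member=" + principal.IsInRole(role));
        }
    }
}
```

Reading the output: a token whose group list contains no S-1-5-21-...-rid SIDs from the domain at all means the logon itself was not a domain logon (local account, or the worker process token rather than the caller), which is the symptom in this thread. A token that does list the domain SIDs but shows "<unresolvable>" for their names points instead at the prod box being unable to reach a domain controller for name lookup, and in that case the original collection-level Translate would have thrown rather than printed a short list.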
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,734
Messages
2,569,441
Members
44,832
Latest member
GlennSmall

Latest Threads

Top