Message from discussion WindowsPrincipal.IsInRole not working
Newsgroups: microsoft.public.dotnet.security
From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kap...@removethis.accenture.com>
Date: Wed, 24 Sep 2003 21:37:22 -0500
Local: Wed, Sep 24 2003 10:37 pm
Subject: Re: WindowsPrincipal.IsInRole not working
A couple of things:

WindowsPrincipal definitely matches group names with "domain\group name"
where domain is either the domain or local machine name and group name is
the samAccountName of the group.  A bug in Framework 1.0 exists where role
name checks are case sensitive for WindowsPrincipal.IsInRole.  This is fixed
in 1.1, but it may be screwing you up.

When I've been in a jam with these things, I've used reflection to call the
private _GetRoles method of WindowsIdentity so that I can see the actual
array of role names.  You shouldn't use this in production, but it is really
helpful for debugging.

(VB.NET code snippet)

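            ' Requires at the top of the file:
            '   Imports System.Reflection
            '   Imports System.Security.Principal
            Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()

            ' Debugging only: invoke the private _GetRoles method via reflection.
            Dim idType As Type
            idType = GetType(WindowsIdentity)
            Dim result As Object = idType.InvokeMember("_GetRoles", _
                BindingFlags.Static Or BindingFlags.InvokeMethod Or BindingFlags.NonPublic, _
                Nothing, id, New Object() {id.Token}, Nothing)
            Dim roles() As String = DirectCast(result, String())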

HTH,

Joe K.

"K. Shier" <ks4h...@spamAtYourOwnRisk.yahoo.com> wrote in message news:uRTm7AugDHA.1648@TK2MSFTNGP09.phx.gbl...
> VB.Net 2002, developing under Win2k pro, server is running Win2k server

> i am trying to put some role-based security into my application.  the roles
> are based on permission Groups which i've already created on the domain
> controller.  according to what i've read on the subject, a WindowsPrincipal
> should provide a direct mechanism to determine if the user is a member of
> one of these Groups or not, but i can't get it to work.

> here's a simplified excerpt from my prog:

> Public Sub SomeSecuredFeature()
>     Dim MyIdentity As System.Security.Principal.WindowsIdentity = _
>         System.Security.Principal.WindowsIdentity.GetCurrent
>     Dim MyPrincipal As New System.Security.Principal.WindowsPrincipal(MyIdentity)
>
>     If MyPrincipal.IsInRole("DRS\DRS Administrators") Then
>         'allow the user do something
>     Else
>         'disallow
>     End If
> End Sub

> problem is, i can never get a True result for .IsInRole.

> the Group name is 'DRS Administrators' and according to AD Users And
> Computers, i am a member of it!.  the domain name is 'DRS', & the DC's
> machine name is 'DRSSERVER'

> i have tried a ludicrous number of permutations of what i *THINK* the name
> of the group might be:  e.g. "DRS Administrators" (no machine/domain
> qualifier) "DRSSERVER\DRS Administrators" (machine name instead of domain
> name), "\\DRS\DRS Administrators" (leading backslashes?!), and even
> "drsserver.local/Users/DRS Administrators" (full AD object name).  i have
> even tried matching the System groups like Administrators (which i am also a
> member of) and never get a match!

> seriously - i've tried every combination of these various formats for
> writing the group/role string, but no success...

> what am i missing here?

> is there NOT a direct correlation between a DC's Groups and a .Net
> WindowsPrincipal's 'Roles'?  if not, how do i define the relationship
> between them?

> also, is there some method in .Net to simply query the DC and get a list of
> all the Groups?

> any insight would be much appreciated!  THANKS! =)
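
Added example, not part of the thread and not either poster's code: a debugging helper that lists the token's groups in the "DOMAIN\group" form through the public WindowsIdentity.Groups property and reports whether a candidate role string differs from a real group only by case. It assumes .NET Framework 2.0 or later (the thread discusses 1.0 and 1.1, where that property does not exist); RoleDebug, GetGroupNames and FindIgnoringCase are hypothetical names.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

' Assumption: .NET Framework 2.0+ (WindowsIdentity.Groups). Names here are illustrative.
Module RoleDebug
    ' Returns the group names carried by the identity's token, in the
    ' "DOMAIN\group" form that WindowsPrincipal.IsInRole compares against.
    Function GetGroupNames(ByVal id As WindowsIdentity) As List(Of String)
        Dim names As New List(Of String)
        For Each sid As IdentityReference In id.Groups
            Try
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                ' SID with no resolvable name (e.g. a deleted group): keep the raw SID.
                names.Add(sid.Value)
            End Try
        Next
        Return names
    End Function

    ' Returns the token group equal to the candidate when case is ignored, or Nothing.
    Function FindIgnoringCase(ByVal names As List(Of String), ByVal candidate As String) As String
        For Each name As String In names
            If String.Equals(name, candidate, StringComparison.OrdinalIgnoreCase) Then Return name
        Next
        Return Nothing
    End Function

    Sub Main()
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As New WindowsPrincipal(id)
        Dim candidate As String = "DRS\DRS Administrators" ' role string from the question

        Dim names As List(Of String) = GetGroupNames(id)
        For Each name As String In names
            Console.WriteLine(name)
        Next

        Dim match As String = FindIgnoringCase(names, candidate)
        Console.WriteLine("IsInRole(""{0}""): {1}", candidate, principal.IsInRole(candidate))
        If match Is Nothing Then
            Console.WriteLine("No token group matches that name, even ignoring case.")
        ElseIf match <> candidate Then
            Console.WriteLine("Token has ""{0}"": differs only by case.", match)
        End If
    End Sub
End Module
```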

