«

Hi,

I am using windows authentication on my ASP.Net application. With the
WindowsPrincipal I can authenticate myself against groups such as

BUILTIN\Users

I am assuming that this group is supplied by the active directory when i log
into the domain using my pc.

The problem now is I have added another custom group - Gamers. I tried
authentication using IsInRole("Gamers") but this give me false. How do I do
it with Windows Authentication for this new group?

I have another way of doing this but that is using ldap authentication, but
I am trying to understand and make the Windows Authentication work. Please
help. Thanks

Joey

Hello Joey,

WindowsPrincipal.IsInRole expects fully qualified group names - these are
AUTHORITY\GROUP

e.g. DOMAIN\Gamers for domain accounts

or MyMachine\Gamers for local accounts


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
> I am using windows authentication on my ASP.Net application. With the
> WindowsPrincipal I can authenticate myself against groups such as
>
> BUILTIN\Users
>
> I am assuming that this group is supplied by the active directory when
> i log into the domain using my pc.
>
> The problem now is I have added another custom group - Gamers. I tried
> authentication using IsInRole("Gamers") but this give me false. How do
> I do it with Windows Authentication for this new group?
>
> I have another way of doing this but that is using ldap
> authentication, but I am trying to understand and make the Windows
> Authentication work. Please help. Thanks
>
> Joey
>

Hi,

I tried <domain>\Gamers but it does not work

Here is my code

Class File
---------------------------------------------------------------
AppDomain.CurrentDomain.SetPrincipalPolicy(Princip alPolicy.WindowsPrincipal);
WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
WindowsIdentity identity = (WindowsIdentity)prin.Identity;

----------------------------------------------------------------

Web config
-------------------------------------------------------------
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
-------------------------------------------------------------

When I try to get the role thru this code below which i found on the web

Code--------------------------------------------------------------------------
public static string GetUserRoles(WindowsPrincipal winPrincipal)
{
string userRoles = "";
WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;

if (identity != null)
{
Type t = identity.GetType();
string[] roles = (string[]) t.InvokeMember("GetRoles",
BindingFlags.Instance | BindingFlags.NonPublic |
BindingFlags.InvokeMethod,null,identity,null);

if (roles != null)
{
foreach (string role in roles)
{
if(userRoles != "")
{
userRoles += ",";
}
userRoles += role;
}
}
}
return userRoles;
}
-----------------------------------------------------------------

I got the results as following

<domainname>\Domain Users,Everyone,BUILTIN\Administrators,BUILTIN\User s,NT
AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,

It does not have <domainname\Gamers>

However by using LDAP i am able to get CN=Gamers

Did I configure something wrong?.Thanks

Joey


"Dominick Baier [DevelopMentor]" <>
wrote in message news: om...
> Hello Joey,
>
> WindowsPrincipal.IsInRole expects fully qualified group names - these are
> AUTHORITY\GROUP
>
> e.g. DOMAIN\Gamers for domain accounts
>
> or MyMachine\Gamers for local accounts
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hi,
>>
>> I am using windows authentication on my ASP.Net application. With the
>> WindowsPrincipal I can authenticate myself against groups such as
>>
>> BUILTIN\Users
>>
>> I am assuming that this group is supplied by the active directory when
>> i log into the domain using my pc.
>>
>> The problem now is I have added another custom group - Gamers. I tried
>> authentication using IsInRole("Gamers") but this give me false. How do
>> I do it with Windows Authentication for this new group?
>>
>> I have another way of doing this but that is using ldap
>> authentication, but I am trying to understand and make the Windows
>> Authentication work. Please help. Thanks
>>
>> Joey
>>
>
>

Hello Joey,

does you worker process run under a domain account, is your web server joined
to a domain ?? (which OS)

it seems you are authenticating with a local user account, could that be??

you don't need PrincipalPolicy - don't use that under ASP.NET - it is only
for desktop apps.

simply calling Context.User will give you the WindowsPrincipal of the client.
(or in class files HttpContext.Current.User)

be aware that this "hack" to get all groups of a user will not work when
updating to 2.0

another test is call whoami /groups from the command line to see which groups
the account is member of...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
> I tried <domain>\Gamers but it does not work
>
> Here is my code
>
> Class File
> ---------------------------------------------------------------
> AppDomain.CurrentDomain.SetPrincipalPolicy(Princip alPolicy.WindowsPrin
> cipal);
> WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
> WindowsIdentity identity = (WindowsIdentity)prin.Identity;
> ----------------------------------------------------------------
>
> Web config
> -------------------------------------------------------------
> <authentication mode="Windows">
> </authentication>
> <identity impersonate="true"/>
> -------------------------------------------------------------
> When I try to get the role thru this code below which i found on the
> web
>
> Code------------------------------------------------------------------
> --------
> public static string GetUserRoles(WindowsPrincipal winPrincipal)
> {
> string userRoles = "";
> WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;
> if (identity != null)
> {
> Type t = identity.GetType();
> string[] roles = (string[]) t.InvokeMember("GetRoles",
> BindingFlags.Instance | BindingFlags.NonPublic |
> BindingFlags.InvokeMethod,null,identity,null);
>
> if (roles != null)
> {
> foreach (string role in roles)
> {
> if(userRoles != "")
> {
> userRoles += ",";
> }
> userRoles += role;
> }
> }
> }
> return userRoles;
> }
> -----------------------------------------------------------------
>
> I got the results as following
>
> <domainname>\Domain
> Users,Everyone,BUILTIN\Administrators,BUILTIN\User s,NT
> AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,
>
> It does not have <domainname\Gamers>
>
> However by using LDAP i am able to get CN=Gamers
>
> Did I configure something wrong?.Thanks
>
> Joey
>
> "Dominick Baier [DevelopMentor]"
> <> wrote in message
> news: om...
>
>> Hello Joey,
>>
>> WindowsPrincipal.IsInRole expects fully qualified group names - these
>> are AUTHORITY\GROUP
>>
>> e.g. DOMAIN\Gamers for domain accounts
>>
>> or MyMachine\Gamers for local accounts
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi,
>>>
>>> I am using windows authentication on my ASP.Net application. With
>>> the WindowsPrincipal I can authenticate myself against groups such
>>> as
>>>
>>> BUILTIN\Users
>>>
>>> I am assuming that this group is supplied by the active directory
>>> when i log into the domain using my pc.
>>>
>>> The problem now is I have added another custom group - Gamers. I
>>> tried authentication using IsInRole("Gamers") but this give me
>>> false. How do I do it with Windows Authentication for this new
>>> group?
>>>
>>> I have another way of doing this but that is using ldap
>>> authentication, but I am trying to understand and make the Windows
>>> Authentication work. Please help. Thanks
>>>
>>> Joey
>>>

Hi,

> does you worker process run under a domain account, is your web server
> joined to a domain ?? (which OS)

I am running my web server on my local pc(WinXP) which is log into the
domain.
The aspnet wp is running on ASPNET acc on my pc

>
> it seems you are authenticating with a local user account, could that be??

the user that i am using is <domainname>\joey - looking it up at the control
panel user account this user is under the domain and not my pcname like the
default administrator acc.

> you don't need PrincipalPolicy - don't use that under ASP.NET - it is only
> for desktop apps.
>
> simply calling Context.User will give you the WindowsPrincipal of the
> client. (or in class files HttpContext.Current.User)

ic. thanks

> be aware that this "hack" to get all groups of a user will not work when
> updating to 2.0
>
> another test is call whoami /groups from the command line to see which
> groups the account is member of...

ok. but i really need a way to get the groups as my folders have web.config
with <auth> on roles. to restrict user from accessing it. For normal form
authentication, this is the way i do it, but user wants the authentication
base on the windows user and the roles base on the group defined in AD. Is
there other code to do this instead of making a call to command line.

Thanks for the fast reply.

Joey




>> Hi,
>>
>> I tried <domain>\Gamers but it does not work
>>
>> Here is my code
>>
>> Class File
>> ---------------------------------------------------------------
>> AppDomain.CurrentDomain.SetPrincipalPolicy(Princip alPolicy.WindowsPrin
>> cipal);
>> WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
>> WindowsIdentity identity = (WindowsIdentity)prin.Identity;
>> ----------------------------------------------------------------
>>
>> Web config
>> -------------------------------------------------------------
>> <authentication mode="Windows">
>> </authentication>
>> <identity impersonate="true"/>
>> -------------------------------------------------------------
>> When I try to get the role thru this code below which i found on the
>> web
>>
>> Code------------------------------------------------------------------
>> --------
>> public static string GetUserRoles(WindowsPrincipal winPrincipal)
>> {
>> string userRoles = "";
>> WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;
>> if (identity != null)
>> {
>> Type t = identity.GetType();
>> string[] roles = (string[]) t.InvokeMember("GetRoles",
>> BindingFlags.Instance | BindingFlags.NonPublic |
>> BindingFlags.InvokeMethod,null,identity,null);
>>
>> if (roles != null)
>> {
>> foreach (string role in roles)
>> {
>> if(userRoles != "")
>> {
>> userRoles += ",";
>> }
>> userRoles += role;
>> }
>> }
>> }
>> return userRoles;
>> }
>> -----------------------------------------------------------------
>>
>> I got the results as following
>>
>> <domainname>\Domain
>> Users,Everyone,BUILTIN\Administrators,BUILTIN\User s,NT
>> AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,
>>
>> It does not have <domainname\Gamers>
>>
>> However by using LDAP i am able to get CN=Gamers
>>
>> Did I configure something wrong?.Thanks
>>
>> Joey
>>
>> "Dominick Baier [DevelopMentor]"
>> <> wrote in message
>> news: om...
>>
>>> Hello Joey,
>>>
>>> WindowsPrincipal.IsInRole expects fully qualified group names - these
>>> are AUTHORITY\GROUP
>>>
>>> e.g. DOMAIN\Gamers for domain accounts
>>>
>>> or MyMachine\Gamers for local accounts
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Hi,
>>>>
>>>> I am using windows authentication on my ASP.Net application. With
>>>> the WindowsPrincipal I can authenticate myself against groups such
>>>> as
>>>>
>>>> BUILTIN\Users
>>>>
>>>> I am assuming that this group is supplied by the active directory
>>>> when i log into the domain using my pc.
>>>>
>>>> The problem now is I have added another custom group - Gamers. I
>>>> tried authentication using IsInRole("Gamers") but this give me
>>>> false. How do I do it with Windows Authentication for this new
>>>> group?
>>>>
>>>> I have another way of doing this but that is using ldap
>>>> authentication, but I am trying to understand and make the Windows
>>>> Authentication work. Please help. Thanks
>>>>
>>>> Joey
>>>>
>
>

Hello Joey,

ok - first - <authorization> elements also work for windows auth. No need
to do that manually.

What do you get when you do a simple

Response.Write(Context.User.Identity.Name) ??

what groups do you see if you run whoami /groups from the commandline??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
>> does you worker process run under a domain account, is your web
>> server joined to a domain ?? (which OS)
>>
> I am running my web server on my local pc(WinXP) which is log into the
> domain.
> The aspnet wp is running on ASPNET acc on my pc
>> it seems you are authenticating with a local user account, could that
>> be??
>>
> the user that i am using is <domainname>\joey - looking it up at the
> control panel user account this user is under the domain and not my
> pcname like the default administrator acc.
>
>> you don't need PrincipalPolicy - don't use that under ASP.NET - it is
>> only for desktop apps.
>>
>> simply calling Context.User will give you the WindowsPrincipal of the
>> client. (or in class files HttpContext.Current.User)
>>
> ic. thanks
>
>> be aware that this "hack" to get all groups of a user will not work
>> when updating to 2.0
>>
>> another test is call whoami /groups from the command line to see
>> which groups the account is member of...
>>
> ok. but i really need a way to get the groups as my folders have
> web.config with <auth> on roles. to restrict user from accessing it.
> For normal form authentication, this is the way i do it, but user
> wants the authentication base on the windows user and the roles base
> on the group defined in AD. Is there other code to do this instead of
> making a call to command line.
>
> Thanks for the fast reply.
>
> Joey
>
>>> Hi,
>>>
>>> I tried <domain>\Gamers but it does not work
>>>
>>> Here is my code
>>>
>>> Class File
>>> ---------------------------------------------------------------
>>> AppDomain.CurrentDomain.SetPrincipalPolicy(Princip alPolicy.WindowsPr
>>> in
>>> cipal);
>>> WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
>>> WindowsIdentity identity = (WindowsIdentity)prin.Identity;
>>> ----------------------------------------------------------------
>>> Web config
>>> -------------------------------------------------------------
>>> <authentication mode="Windows">
>>> </authentication>
>>> <identity impersonate="true"/>
>>> -------------------------------------------------------------
>>> When I try to get the role thru this code below which i found on the
>>> web
>>> Code----------------------------------------------------------------
>>> --
>>> --------
>>> public static string GetUserRoles(WindowsPrincipal winPrincipal)
>>> {
>>> string userRoles = "";
>>> WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;
>>> if (identity != null)
>>> {
>>> Type t = identity.GetType();
>>> string[] roles = (string[]) t.InvokeMember("GetRoles",
>>> BindingFlags.Instance | BindingFlags.NonPublic |
>>> BindingFlags.InvokeMethod,null,identity,null);
>>> if (roles != null)
>>> {
>>> foreach (string role in roles)
>>> {
>>> if(userRoles != "")
>>> {
>>> userRoles += ",";
>>> }
>>> userRoles += role;
>>> }
>>> }
>>> }
>>> return userRoles;
>>> }
>>> -----------------------------------------------------------------
>>> I got the results as following
>>>
>>> <domainname>\Domain
>>> Users,Everyone,BUILTIN\Administrators,BUILTIN\User s,NT
>>> AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,
>>>
>>> It does not have <domainname\Gamers>
>>>
>>> However by using LDAP i am able to get CN=Gamers
>>>
>>> Did I configure something wrong?.Thanks
>>>
>>> Joey
>>>
>>> "Dominick Baier [DevelopMentor]"
>>> <> wrote in message
>>> news: om...
>>>
>>>> Hello Joey,
>>>>
>>>> WindowsPrincipal.IsInRole expects fully qualified group names -
>>>> these are AUTHORITY\GROUP
>>>>
>>>> e.g. DOMAIN\Gamers for domain accounts
>>>>
>>>> or MyMachine\Gamers for local accounts
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi,
>>>>>
>>>>> I am using windows authentication on my ASP.Net application. With
>>>>> the WindowsPrincipal I can authenticate myself against groups such
>>>>> as
>>>>>
>>>>> BUILTIN\Users
>>>>>
>>>>> I am assuming that this group is supplied by the active directory
>>>>> when i log into the domain using my pc.
>>>>>
>>>>> The problem now is I have added another custom group - Gamers. I
>>>>> tried authentication using IsInRole("Gamers") but this give me
>>>>> false. How do I do it with Windows Authentication for this new
>>>>> group?
>>>>>
>>>>> I have another way of doing this but that is using ldap
>>>>> authentication, but I am trying to understand and make the Windows
>>>>> Authentication work. Please help. Thanks
>>>>>
>>>>> Joey
>>>>>

Hi,

I am get <domainname>\joey from the response

From the whoami, the below

[Group 1] = "<domainname>\Domain Users"
[Group 2] = "Everyone"
[Group 3] = "BUILTIN\Administrators"
[Group 4] = "BUILTIN\Users"
[Group 5] = "NT AUTHORITY\INTERACTIVE"
[Group 6] = "NT AUTHORITY\Authenticated Users"
[Group 7] = "LOCAL"

Thanks

Joey

"Dominick Baier [DevelopMentor]" <>
wrote in message news: om...
> Hello Joey,
>
> ok - first - <authorization> elements also work for windows auth. No need
> to do that manually.
>
> What do you get when you do a simple
> Response.Write(Context.User.Identity.Name) ??
>
> what groups do you see if you run whoami /groups from the commandline??
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hi,
>>
>>> does you worker process run under a domain account, is your web
>>> server joined to a domain ?? (which OS)
>>>
>> I am running my web server on my local pc(WinXP) which is log into the
>> domain.
>> The aspnet wp is running on ASPNET acc on my pc
>>> it seems you are authenticating with a local user account, could that
>>> be??
>>>
>> the user that i am using is <domainname>\joey - looking it up at the
>> control panel user account this user is under the domain and not my
>> pcname like the default administrator acc.
>>
>>> you don't need PrincipalPolicy - don't use that under ASP.NET - it is
>>> only for desktop apps.
>>>
>>> simply calling Context.User will give you the WindowsPrincipal of the
>>> client. (or in class files HttpContext.Current.User)
>>>
>> ic. thanks
>>
>>> be aware that this "hack" to get all groups of a user will not work
>>> when updating to 2.0
>>>
>>> another test is call whoami /groups from the command line to see
>>> which groups the account is member of...
>>>
>> ok. but i really need a way to get the groups as my folders have
>> web.config with <auth> on roles. to restrict user from accessing it.
>> For normal form authentication, this is the way i do it, but user
>> wants the authentication base on the windows user and the roles base
>> on the group defined in AD. Is there other code to do this instead of
>> making a call to command line.
>>
>> Thanks for the fast reply.
>>
>> Joey
>>
>>>> Hi,
>>>>
>>>> I tried <domain>\Gamers but it does not work
>>>>
>>>> Here is my code
>>>>
>>>> Class File
>>>> ---------------------------------------------------------------
>>>> AppDomain.CurrentDomain.SetPrincipalPolicy(Princip alPolicy.WindowsPr
>>>> in
>>>> cipal);
>>>> WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
>>>> WindowsIdentity identity = (WindowsIdentity)prin.Identity;
>>>> ----------------------------------------------------------------
>>>> Web config
>>>> -------------------------------------------------------------
>>>> <authentication mode="Windows">
>>>> </authentication>
>>>> <identity impersonate="true"/>
>>>> -------------------------------------------------------------
>>>> When I try to get the role thru this code below which i found on the
>>>> web
>>>> Code----------------------------------------------------------------
>>>> --
>>>> --------
>>>> public static string GetUserRoles(WindowsPrincipal winPrincipal)
>>>> {
>>>> string userRoles = "";
>>>> WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;
>>>> if (identity != null)
>>>> {
>>>> Type t = identity.GetType();
>>>> string[] roles = (string[]) t.InvokeMember("GetRoles",
>>>> BindingFlags.Instance | BindingFlags.NonPublic |
>>>> BindingFlags.InvokeMethod,null,identity,null);
>>>> if (roles != null)
>>>> {
>>>> foreach (string role in roles)
>>>> {
>>>> if(userRoles != "")
>>>> {
>>>> userRoles += ",";
>>>> }
>>>> userRoles += role;
>>>> }
>>>> }
>>>> }
>>>> return userRoles;
>>>> }
>>>> -----------------------------------------------------------------
>>>> I got the results as following
>>>>
>>>> <domainname>\Domain
>>>> Users,Everyone,BUILTIN\Administrators,BUILTIN\User s,NT
>>>> AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,
>>>>
>>>> It does not have <domainname\Gamers>
>>>>
>>>> However by using LDAP i am able to get CN=Gamers
>>>>
>>>> Did I configure something wrong?.Thanks
>>>>
>>>> Joey
>>>>
>>>> "Dominick Baier [DevelopMentor]"
>>>> <> wrote in message
>>>> news: om...
>>>>
>>>>> Hello Joey,
>>>>>
>>>>> WindowsPrincipal.IsInRole expects fully qualified group names -
>>>>> these are AUTHORITY\GROUP
>>>>>
>>>>> e.g. DOMAIN\Gamers for domain accounts
>>>>>
>>>>> or MyMachine\Gamers for local accounts
>>>>>
>>>>> ---------------------------------------
>>>>> Dominick Baier - DevelopMentor
>>>>> http://www.leastprivilege.com
>>>>>> Hi,
>>>>>>
>>>>>> I am using windows authentication on my ASP.Net application. With
>>>>>> the WindowsPrincipal I can authenticate myself against groups such
>>>>>> as
>>>>>>
>>>>>> BUILTIN\Users
>>>>>>
>>>>>> I am assuming that this group is supplied by the active directory
>>>>>> when i log into the domain using my pc.
>>>>>>
>>>>>> The problem now is I have added another custom group - Gamers. I
>>>>>> tried authentication using IsInRole("Gamers") but this give me
>>>>>> false. How do I do it with Windows Authentication for this new
>>>>>> group?
>>>>>>
>>>>>> I have another way of doing this but that is using ldap
>>>>>> authentication, but I am trying to understand and make the Windows
>>>>>> Authentication work. Please help. Thanks
>>>>>>
>>>>>> Joey
>>>>>>
>
>