AzMan non-admin problem under Win XP

 
 
Dominick Baier
      10-10-2006
does this user have read access to the application partition - also in the
AzMan GUI - is the user in the "reader" role (somewhere in the properties)?

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Hello All,
>
> I have a problem with AzMan under Windows XP.
> On my web site I use AzMan/AD role management. Store installed on Win
> 2003 SP1 server, but site works under WinXP SP2.
> For IIS identity domain account with non-admin’s privileges is used.
>
> In this case the error occurs: "The parameter is incorrect. (Exception
> from HRESULT: 0x80070057 (E_INVALIDARG))" when page is loaded or after
> role checking (Roles.IsUserInRole(User.Identity.Name,
> "Administrator")). But if I add domain account to local Administrators
> group - everything works correctly.
>
> We face this problem only if site runs under Win XP. If site runs
> under Win 2003 – it is ok.
>
> It is forbidden to run the site under administrator. How could this
> problem be resolved? Do you have an insight on this?
>
> I used microsoft sample from :
> http://msdn.microsoft.com/library/de...ary/en-us/dnpa
> g2/html/PAGHT000018.asp?_r=1
> with following web.config:
>
> <connectionStrings>
> <add name="AzManADAMServer"
> connectionString="msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US" />
> </connectionStrings>
> <identity impersonate="true" userName="corp\test" password="xxxxxxx"/>
> <authentication mode="Windows"/>
> <authorization>
> <deny users="?"/>
> </authorization>
> <roleManager
> enabled="true"
> cacheRolesInCookie="false"
> defaultProvider="RoleManagerAzManADAMProvider"
> cookieName=".ASPXROLES"
> cookiePath="/"
> cookieTimeout="1"
> cookieRequireSSL="false"
> cookieSlidingExpiration="false"
> createPersistentCookie="false"
> cookieProtection="None">
> <providers>
> <add name="RoleManagerAzManADAMProvider"
> type="System.Web.Security.AuthorizationStoreRoleProvider,
> System.Web, Version=2.0.0.0, Culture=neutral,
> publicKeyToken=b03f5f7f11d50a3a"
> connectionStringName="AzManADAMServer"
> applicationName="iHomeOwner"
> />
> </providers>
> </roleManager>



 
Vovan.Net
      10-10-2006
Hello All,

I have a problem with AzMan under Windows XP.
On my web site I use AzMan/AD role management. Store installed on Win 2003 SP1 server, but site works under WinXP SP2.

For IIS identity domain account with non-admin’s privileges is used.

In this case the error occurs: "The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG))" when page is loaded or after role checking (Roles.IsUserInRole(User.Identity.Name, "Administrator")). But if I add domain account to local Administrators group - everything works correctly.

We face this problem only if site runs under Win XP. If site runs under Win 2003 – it is ok.

It is forbidden to run the site under administrator. How could this problem be resolved? Do you have an insight on this?

I used microsoft sample from :
http://msdn.microsoft.com/library/de...00018.asp?_r=1

with following web.config:

<connectionStrings>
  <add name="AzManADAMServer" connectionString="msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US" />
</connectionStrings>

<identity impersonate="true" userName="corp\test" password="xxxxxxx"/>
<authentication mode="Windows"/>
<authorization>
  <deny users="?"/>
</authorization>

<roleManager
  enabled="true"
  cacheRolesInCookie="false"
  defaultProvider="RoleManagerAzManADAMProvider"
  cookieName=".ASPXROLES"
  cookiePath="/"
  cookieTimeout="1"
  cookieRequireSSL="false"
  cookieSlidingExpiration="false"
  createPersistentCookie="false"
  cookieProtection="None">
  <providers>
    <add name="RoleManagerAzManADAMProvider"
      type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="AzManADAMServer"
      applicationName="iHomeOwner"
    />
  </providers>
</roleManager>
 
Vladimir
      10-11-2006
Yes. User is in "Administrator", "Reader", "Delegated User" roles

"Dominick Baier" wrote:

> does this user have read access to the application partition - also in the
> AzMan GUI - is the user in the "reader" role (somewhere in the properties)?
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
> > Hello All,
> >
> > I have a problem with AzMan under Windows XP.
> > On my web site I use AzMan/AD role management. Store installed on Win
> > 2003 SP1 server, but site works under WinXP SP2.
> > For IIS identity domain account with non-admin’s privileges is used.
> >
> > In this case the error occurs: "The parameter is incorrect. (Exception
> > from HRESULT: 0x80070057 (E_INVALIDARG))" when page is loaded or after
> > role checking (Roles.IsUserInRole(User.Identity.Name,
> > "Administrator")). But if I add domain account to local Administrators
> > group - everything works correctly.
> >
> > We face this problem only if site runs under Win XP. If site runs
> > under Win 2003 – it is ok.
> >
> > It is forbidden to run the site under administrator. How could this
> > problem be resolved? Do you have an insight on this?
> >
> > I used microsoft sample from :
> > http://msdn.microsoft.com/library/de...ary/en-us/dnpa
> > g2/html/PAGHT000018.asp?_r=1
> > with following web.config:
> >
> > <connectionStrings>
> > <add name="AzManADAMServer"
> > connectionString="msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US" />
> > </connectionStrings>
> > <identity impersonate="true" userName="corp\test" password="xxxxxxx"/>
> > <authentication mode="Windows"/>
> > <authorization>
> > <deny users="?"/>
> > </authorization>
> > <roleManager
> > enabled="true"
> > cacheRolesInCookie="false"
> > defaultProvider="RoleManagerAzManADAMProvider"
> > cookieName=".ASPXROLES"
> > cookiePath="/"
> > cookieTimeout="1"
> > cookieRequireSSL="false"
> > cookieSlidingExpiration="false"
> > createPersistentCookie="false"
> > cookieProtection="None">
> > <providers>
> > <add name="RoleManagerAzManADAMProvider"
> > type="System.Web.Security.AuthorizationStoreRoleProvider,
> > System.Web, Version=2.0.0.0, Culture=neutral,
> > publicKeyToken=b03f5f7f11d50a3a"
> > connectionStringName="AzManADAMServer"
> > applicationName="iHomeOwner"
> > />
> > </providers>
> > </roleManager>

>
>
>

 
Vladimir
      10-11-2006
Additional info: the following code passes successfully with admin rights, but
with user's rights it causes the error "Value does not fall within the expected
range"

// Requires a reference to the AzMan COM interop assembly
// (for example AZROLESLib or Microsoft.Interop.Security.AzRoles).
String azManConnectionString =
"msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US";
String azManApplicationName = "test";

AzAuthorizationStore _azStore = new AzAuthorizationStoreClass();
_azStore.Initialize(0, azManConnectionString, null);


"Vladimir" wrote:

> Yes. User is in "Administrator", "Reader", "Delegated User" roles
>
> "Dominick Baier" wrote:
>
> > does this user have read access to the application partition - also in the
> > AzMan GUI - is the user in the "reader" role (somewhere in the properties)?
> >
> > ---
> > Dominick Baier, DevelopMentor
> > http://www.leastprivilege.com
> >
> > > Hello All,
> > >
> > > I have a problem with AzMan under Windows XP.
> > > On my web site I use AzMan/AD role management. Store installed on Win
> > > 2003 SP1 server, but site works under WinXP SP2.
> > > For IIS identity domain account with non-admin’s privileges is used.
> > >
> > > In this case the error occurs: "The parameter is incorrect. (Exception
> > > from HRESULT: 0x80070057 (E_INVALIDARG))" when page is loaded or after
> > > role checking (Roles.IsUserInRole(User.Identity.Name,
> > > "Administrator")). But if I add domain account to local Administrators
> > > group - everything works correctly.
> > >
> > > We face this problem only if site runs under Win XP. If site runs
> > > under Win 2003 – it is ok.
> > >
> > > It is forbidden to run the site under administrator. How could this
> > > problem be resolved? Do you have an insight on this?
> > >
> > > I used microsoft sample from :
> > > http://msdn.microsoft.com/library/de...ary/en-us/dnpa
> > > g2/html/PAGHT000018.asp?_r=1
> > > with following web.config:
> > >
> > > <connectionStrings>
> > > <add name="AzManADAMServer"
> > > connectionString="msldap://server:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US" />
> > > </connectionStrings>
> > > <identity impersonate="true" userName="corp\test" password="xxxxxxx"/>
> > > <authentication mode="Windows"/>
> > > <authorization>
> > > <deny users="?"/>
> > > </authorization>
> > > <roleManager
> > > enabled="true"
> > > cacheRolesInCookie="false"
> > > defaultProvider="RoleManagerAzManADAMProvider"
> > > cookieName=".ASPXROLES"
> > > cookiePath="/"
> > > cookieTimeout="1"
> > > cookieRequireSSL="false"
> > > cookieSlidingExpiration="false"
> > > createPersistentCookie="false"
> > > cookieProtection="None">
> > > <providers>
> > > <add name="RoleManagerAzManADAMProvider"
> > > type="System.Web.Security.AuthorizationStoreRoleProvider,
> > > System.Web, Version=2.0.0.0, Culture=neutral,
> > > publicKeyToken=b03f5f7f11d50a3a"
> > > connectionStringName="AzManADAMServer"
> > > applicationName="iHomeOwner"
> > > />
> > > </providers>
> > > </roleManager>

> >
> >
> >
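
Added example, not part of the original posts and not taken from the Microsoft sample: a diagnostic wrapper around the Initialize call shown above that records which Windows identity the call runs as and the HRESULT behind the exception. The .NET runtime maps HRESULT 0x80070057 (E_INVALIDARG) to ArgumentException, whose default message is "Value does not fall within the expected range", so both error texts in this thread carry the same code; logging the HRESULT separates that case from an access-denied failure on the store. The class name AzManStoreProbe and the AZROLESLib interop namespace are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using AZROLESLib; // assumed: interop assembly generated from azroles.dll

public static class AzManStoreProbe // hypothetical helper, not from the thread
{
    const int E_INVALIDARG = unchecked((int)0x80070057);
    const int E_ACCESSDENIED = unchecked((int)0x80070005);

    // Calls Initialize as the current (possibly impersonated) identity and
    // returns one line suitable for a trace log or a test page.
    public static string Probe(string policyUrl)
    {
        // Under <identity impersonate="true" .../> this is the impersonated account.
        string who = WindowsIdentity.GetCurrent().Name;
        AzAuthorizationStore store = new AzAuthorizationStoreClass();
        try
        {
            store.Initialize(0, policyUrl, null); // same flags as in the post
            return who + ": store opened";
        }
        catch (Exception ex)
        {
            // Works for both COMException and the mapped ArgumentException.
            int hr = Marshal.GetHRForException(ex);
            return string.Format("{0}: {1} hr=0x{2:X8} ({3}) {4}",
                who, ex.GetType().Name, hr, Describe(hr), ex.Message);
        }
        finally
        {
            Marshal.ReleaseComObject(store);
        }
    }

    static string Describe(int hr)
    {
        if (hr == E_INVALIDARG) return "E_INVALIDARG";
        if (hr == E_ACCESSDENIED) return "E_ACCESSDENIED";
        return "other";
    }
}
```

Running Probe once as the non-admin account and once as an administrator, with the same msldap:// URL, gives two lines that can be compared directly.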

 