Other than BuiltIn groups for Windows Authentication

Joey Lee

Hi,

I am using Windows authentication on my ASP.NET application. With the
WindowsPrincipal I can authenticate myself against groups such as

BUILTIN\Users

I am assuming that this group is supplied by Active Directory when I log
into the domain using my PC.

The problem now is I have added another custom group - Gamers. I tried
authentication using IsInRole("Gamers") but this gives me false. How do I do
it with Windows Authentication for this new group?

I have another way of doing this, but that is using LDAP authentication; I
am trying to understand and make the Windows Authentication work. Please
help. Thanks

Joey
 
Dominick Baier [DevelopMentor]

Hello Joey,

WindowsPrincipal.IsInRole expects fully qualified group names - these are
AUTHORITY\GROUP

e.g. DOMAIN\Gamers for domain accounts

or MyMachine\Gamers for local accounts
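The naming rule in the reply, shown in code. This is an added example, not code from the thread; it assumes .NET 2.0 or later on a Windows host, and "DOMAIN\Gamers" is a placeholder for the real domain and group. Besides the AUTHORITY\GROUP form of IsInRole(string), it resolves the name to a SID first, so a group name that does not exist from this machine's point of view fails loudly instead of returning a silent false:

```csharp
using System;
using System.Security.Principal;

// Added example, not code from the thread. Checks group membership the way the
// reply describes: with a fully qualified AUTHORITY\GROUP name, and, more
// robustly, by resolving that name to a SID first. Assumes .NET 2.0 or later on
// a Windows host; "DOMAIN\Gamers" is a placeholder for the real domain and group.
public static class RoleCheckDemo
{
    // Returns true when the principal is a member of the named group. The name is
    // resolved to a SID before the check, so a name that does not exist (typo,
    // wrong authority, host not joined to the domain) surfaces as an exception
    // instead of a silent "false", which is the symptom in the original question.
    public static bool IsMemberOf(WindowsPrincipal principal, string qualifiedGroupName)
    {
        NTAccount account = new NTAccount(qualifiedGroupName);
        SecurityIdentifier sid =
            (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        return principal.IsInRole(sid);
    }

    public static int Main(string[] args)
    {
        string groupName = args.Length > 0 ? args[0] : @"DOMAIN\Gamers";

        // Console app: use the process token. Under ASP.NET use Context.User
        // (HttpContext.Current.User) instead, which is the client's principal.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        // The call from the question: a bare group name with no authority.
        string bareName = groupName.Substring(groupName.IndexOf('\\') + 1);
        Console.WriteLine("IsInRole(\"{0}\") = {1}", bareName, principal.IsInRole(bareName));

        // The form the reply asks for: AUTHORITY\GROUP.
        Console.WriteLine("IsInRole(\"{0}\") = {1}", groupName, principal.IsInRole(groupName));

        // Built-in groups such as BUILTIN\Administrators have an enum value, which
        // avoids spelling the (localised) group name at all.
        Console.WriteLine("IsInRole(WindowsBuiltInRole.Administrator) = {0}",
            principal.IsInRole(WindowsBuiltInRole.Administrator));

        try
        {
            Console.WriteLine("IsMemberOf(\"{0}\") = {1}", groupName,
                IsMemberOf(principal, groupName));
            return 0;
        }
        catch (IdentityNotMappedException)
        {
            // The group name itself is wrong for this host or domain; no membership
            // change will make IsInRole(string) return true for it.
            Console.WriteLine("\"{0}\" does not resolve to a SID from this machine.", groupName);
            return 1;
        }
    }
}
```

Run it as the account whose membership you are checking (for example `RoleCheckDemo.exe DOMAIN\Gamers`). A resolved SID with `IsMemberOf` returning false means the name is right but the token does not carry the group; an IdentityNotMappedException means the name itself cannot be looked up from this machine, which is worth ruling out before debugging the application.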
 
Joey Lee

Hi,

I tried <domain>\Gamers but it does not work

Here is my code

Class File
---------------------------------------------------------------
// Requires: using System.Security.Principal; using System.Threading;
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
WindowsIdentity identity = (WindowsIdentity)prin.Identity;
----------------------------------------------------------------

Web config
-------------------------------------------------------------
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
-------------------------------------------------------------

When I try to get the roles through this code below, which I found on the web

Code--------------------------------------------------------------------------
using System;
using System.Reflection;
using System.Security.Principal;

// Builds a comma-separated list of the groups in the identity's token by
// calling the non-public WindowsIdentity.GetRoles method through reflection.
public static string GetUserRoles(WindowsPrincipal winPrincipal)
{
    string userRoles = "";
    WindowsIdentity identity = winPrincipal.Identity as WindowsIdentity;

    if (identity != null)
    {
        Type t = identity.GetType();
        string[] roles = (string[]) t.InvokeMember("GetRoles",
            BindingFlags.Instance | BindingFlags.NonPublic |
            BindingFlags.InvokeMethod, null, identity, null);

        if (roles != null)
        {
            foreach (string role in roles)
            {
                if (userRoles != "")
                {
                    userRoles += ",";
                }
                userRoles += role;
            }
        }
    }
    return userRoles;
}
-----------------------------------------------------------------

I got the following results

<domainname>\Domain Users,Everyone,BUILTIN\Administrators,BUILTIN\Users,NT
AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,,LOCAL,

It does not have <domainname>\Gamers

However, by using LDAP I am able to get CN=Gamers

Did I configure something wrong? Thanks

Joey
 
Dominick Baier [DevelopMentor]

Hello Joey,

does your worker process run under a domain account, is your web server joined
to a domain ?? (which OS)

it seems you are authenticating with a local user account, could that be??

you don't need PrincipalPolicy - don't use that under ASP.NET - it is only
for desktop apps.

simply calling Context.User will give you the WindowsPrincipal of the client.
(or in class files HttpContext.Current.User)

be aware that this "hack" to get all groups of a user will not work when
updating to 2.0

another test is to call whoami /groups from the command line to see which groups
the account is a member of...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
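A supported replacement for the reflection call into the non-public GetRoles method that the reply warns will break on 2.0. This is an added example, not code from the thread; it assumes .NET 2.0 or later, where WindowsIdentity exposes the token's group SIDs through the public Groups property, and takes the principal as a parameter so that an ASP.NET page can pass Context.User (HttpContext.Current.User in a class file) as the reply recommends:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not code from the thread. Lists the groups in a Windows logon
// token through the public WindowsIdentity.Groups property (.NET 2.0 or later)
// instead of reflecting into the non-public GetRoles method. Groups holds the
// SIDs from the logon token, the same list that "whoami /groups" prints.
public static class TokenGroups
{
    // Returns the AUTHORITY\GROUP name for every group SID in the principal's
    // token. A SID that cannot be mapped to a name (for example a group deleted
    // after logon) is kept in its S-1-... form rather than dropped, so the caller
    // sees the complete token.
    public static List<string> GetGroupNames(IPrincipal principal)
    {
        List<string> names = new List<string>();
        WindowsIdentity identity =
            principal == null ? null : principal.Identity as WindowsIdentity;
        if (identity == null || identity.Groups == null)
            return names;

        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value);
            }
        }
        return names;
    }

    // Convenience check with the same AUTHORITY\GROUP naming rule as IsInRole.
    public static bool HasGroup(IPrincipal principal, string qualifiedGroupName)
    {
        foreach (string name in GetGroupNames(principal))
        {
            if (string.Equals(name, qualifiedGroupName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Console entry point for inspecting the current process token outside IIS.
    // In an ASP.NET page call GetGroupNames(Context.User) instead.
    public static void Main()
    {
        WindowsPrincipal me = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("Token for {0}:", me.Identity.Name);
        foreach (string name in GetGroupNames(me))
            Console.WriteLine("  " + name);
    }
}
```

The list comes from the logon token, not from the directory, so it matches `whoami /groups` rather than an LDAP query: a group the account was added to after its current logon is not in the token until the account logs off and on again. Comparing this output with the LDAP result is the quickest way to tell a stale token from a naming or configuration problem.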
 
Joey Lee

Hi,

> does your worker process run under a domain account, is your web server
> joined to a domain ?? (which OS)

I am running my web server on my local PC (WinXP) which is logged into the
domain. The ASP.NET wp is running under the ASPNET account on my PC.

> it seems you are authenticating with a local user account, could that be??

The user that I am using is <domainname>\joey - looking it up in the Control
Panel user accounts, this user is under the domain and not my PC name like the
default administrator account.

> you don't need PrincipalPolicy - don't use that under ASP.NET - it is only
> for desktop apps.
>
> simply calling Context.User will give you the WindowsPrincipal of the
> client. (or in class files HttpContext.Current.User)

ic. thanks

> be aware that this "hack" to get all groups of a user will not work when
> updating to 2.0
>
> another test is call whoami /groups from the command line to see which
> groups the account is member of...

ok. but I really need a way to get the groups, as my folders have web.config
with <auth> on roles to restrict users from accessing them. For normal forms
authentication this is the way I do it, but the user wants the authentication
based on the Windows user and the roles based on the groups defined in AD. Is
there other code to do this instead of making a call to the command line?

Thanks for the fast reply.

Joey



 
Dominick Baier [DevelopMentor]

Hello Joey,

ok - first - <authorization> elements also work for windows auth. No need
to do that manually.

What do you get when you do a simple

Response.Write(Context.User.Identity.Name) ??

what groups do you see if you run whoami /groups from the command line??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
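The declarative form the reply refers to, as an added example rather than configuration from the thread. This web.config goes in the folder being protected; it assumes the application-level web.config already sets `<authentication mode="Windows">` (as the poster's does), since `<authentication>` is not allowed below application level, and "DOMAIN\Gamers" is a placeholder for the real domain and group:

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Folder-level web.config: restricts the
     folder to members of the Gamers domain group and local administrators.
     "DOMAIN" is a placeholder; <authentication> stays in the application root. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Role names follow the same AUTHORITY\GROUP rule as IsInRole(string). -->
      <allow roles="DOMAIN\Gamers" />
      <!-- Built-in groups carry their own authority prefix. -->
      <allow roles="BUILTIN\Administrators" />
      <!-- Rules are evaluated top down and the first match wins, so the final
           deny covers every other user, anonymous or authenticated. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the first matching rule wins, the `<deny users="*" />` line must come last; placing it first denies everyone. An `<allow roles="Gamers" />` without the authority prefix fails the same way the bare `IsInRole("Gamers")` call in the question does, so the role names here should be copied from `whoami /groups` output rather than typed from memory.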
 
Joey Lee

Hi,

I get <domainname>\joey from the response

From whoami, the below:

[Group 1] = "<domainname>\Domain Users"
[Group 2] = "Everyone"
[Group 3] = "BUILTIN\Administrators"
[Group 4] = "BUILTIN\Users"
[Group 5] = "NT AUTHORITY\INTERACTIVE"
[Group 6] = "NT AUTHORITY\Authenticated Users"
[Group 7] = "LOCAL"

Thanks

Joey

 
