declarative security and impersonation

I'm trying to use declarative security on an impersonated thread but I'm getting "System.Security.SecurityException: Request for principal permission failed". Here is the code, haven't had any luck finding anything on Google so far.

    Dim currentIdentity As WindowsIdentity = DirectCast(Thread.CurrentPrincipal.Identity, WindowsIdentity)
    Dim windowsImpersonationContext As WindowsImpersonationContext = currentIdentity.Impersonate
    Console.WriteLine(String.Format("1 thread {0:S}, user1 {1:S}, user2 {2:S}", _
        AppDomain.GetCurrentThreadId.ToString, _
        Thread.CurrentPrincipal.Identity.Name, _
        WindowsIdentity.GetCurrent.Name))
    If Thread.CurrentPrincipal.IsInRole("LLOYDATLARGE\GRS") Then
        TestInternal()
    End If

The WriteLine statement outputs the correct impersonated username for both, but when it calls TestInternal (obviously indicating that I do have that group), I get the exception. Here is TestInternal.

    <System.Security.Permissions.PrincipalPermission(Permissions.SecurityAction.Demand, Role:="LLOYDLATLARGE\GRS")> _
    Public Sub TestInternal()
        Console.WriteLine("testing.")
    End Sub

Same if I replace the call to TestInternal() with

    Dim ppPrincPermis As New System.Security.Permissions.PrincipalPermission(Nothing, "LLOYDATLARGE\grs")
    ppPrincPermis.Demand

Any ideas? Probably something dumb and I've just been staring at this too long.. thanks

Lloyd Christopher
SLOW30

Hello lloyd,
What kind of application is that? asp.net / desktop / nt service
How are you starting the new thread?

Generally, all that [PrincipalPermission] does is calling IsInRole on Thread.CurrentPrincipal - regardless of impersonation or whatever - another point to note is - if you impersonate and AFTER that start a new thread - the impersonation token will not get copied to the new thread and you end up with Process Identity again....

If you give me more info we should be able to troubleshoot that problem

HTH
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm using the Microsoft.Samples.Runtime.Remoting.Security library, this is a
console application hosting remoted objects. The calling application is also a console app where I change its user with LogonUser before remoting (really just so I can test). FWIW I guess the Microsoft.Samples.. etc doesn't have much effect because I also have this same behavior when I set up the remoting with just a simple tcpchannel programmatically. I don't think the thread / impersonation behavior you mention is happening here, the impersonation happens after the thread is created. Thanks for the reply btw.

Lloyd Christopher
SLOW30

Hello lloyd,
aah - the unsupported ones :)

well - it's been quite a while since I looked at this -
can't you retrieve the client principal through some property - you have to set it on CurrentPrincipal on the current thread -
as I said - get the client principal somehow on that property - all PrincipalPermission is doing is calling - Thread.CurrentPrincipal.IsInRole()...

HTH
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

That's the problem though, Thread.CurrentPrincipal.IsInRole is working
exactly as it should, but PrincipalPermission in the same block does not...

Lloyd Christopher
SLOW30
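
Added example, not part of the thread and not code from either poster: a small .NET Framework console program showing that a PrincipalPermission demand is evaluated against Thread.CurrentPrincipal, and that with the (name, role) constructor it also requires Identity.IsAuthenticated, so it can fail where IsInRole alone returns True. The GenericPrincipal setup, the user name alice and the role DEMO\GRS are constructed for illustration and are assumptions, not values from the posts.

```vbnet
' Added example (not from the thread). Targets .NET Framework; the role name
' "DEMO\GRS" and the user name "alice" are constructed placeholders.
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module PrincipalDemandDemo

    ' Returns True when a PrincipalPermission demand for the role succeeds.
    Function DemandPasses(ByVal role As String) As Boolean
        Try
            Dim perm As New PrincipalPermission(Nothing, role)
            perm.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    Sub Report(ByVal label As String, ByVal role As String)
        Dim p As IPrincipal = Thread.CurrentPrincipal
        Console.WriteLine("{0}: IsAuthenticated={1}, IsInRole={2}, Demand={3}", _
            label, p.Identity.IsAuthenticated, p.IsInRole(role), DemandPasses(role))
    End Sub

    Sub Main()
        Const Role As String = "DEMO\GRS"
        Dim roles() As String = {Role}

        ' Authenticated identity holding the role: both checks agree.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity("alice"), roles)
        Report("authenticated", Role)

        ' Same role, but an identity with an empty name reports
        ' IsAuthenticated = False: IsInRole still succeeds, the demand does not.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity(""), roles)
        Report("unauthenticated", Role)

        ' Principal without the role: both checks fail.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity("alice"), New String() {})
        Report("no role", Role)
    End Sub

End Module
```

When a demand fails while IsInRole passes, printing Thread.CurrentPrincipal.Identity.IsAuthenticated next to the role check, as Report does here, separates a role-mapping problem from an identity that was never marked authenticated.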