Windows authentication

I am experiencing a permissions error in a .NET web application trying to find if the user exists in a Domain Group. I am using C#. The web site is configured to use Windows Authentication.

web.config:

    <identity impersonate="true"/>
    <authentication mode="Windows" />

and

    <authorization>
        <deny users="?" />
        <allow roles="MYDOMAIN\MYGROUP" />
        <deny users="*" />
    </authorization>

The code works fine when I run it via the studio (2003) on my local machine's web server (Windows XP SP2). But if I try to access it via Internet Explorer directly by typing in the local web site URL using my machine's IP, from my machine or another on the network, the application throws an "Access is denied" exception. The web site is configured for Windows authentication only. I presume the error is because it runs at an elevated security level when invoking from the studio. I am an administrator on the machine. The exception occurs on "de.Invoke("Members");". The exception details follow the code snippet below:

    using System.Collections;
    using System.DirectoryServices;

    private bool UserIdExistsInNT4Group()
    {
        // Bind to the domain group through the WinNT (NT4-style) ADSI provider
        DirectoryEntry de = new DirectoryEntry();
        de.Path = @"WinNT://MYDOMAIN/MYGROUP,group";

        // IADsGroup.Members() returns the group's member objects
        object oRet = de.Invoke("Members");
        IEnumerable users = (IEnumerable) oRet;
        foreach (object user in users)
        {
            DirectoryEntry det = new DirectoryEntry(user);
            // Turn "WinNT://MYDOMAIN/user" into "MYDOMAIN\user" for comparison
            string tuserid = det.Path;
            tuserid = tuserid.Replace("WinNT://", "");
            tuserid = tuserid.Replace("/", "\\");
            _log.Debug(tuserid);
            if (tuserid.ToUpper() == this.UserId.ToUpper())
            {
                return true;
            }
        }
        return false;
    }

Exception Details

    Source: System.DirectoryServices
    Message: Access is denied
    Stack Trace:
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_NativeObject()
       at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
       at CMSBusiness.Staff.UserIdExistsInNT4Group() in C:\CMS\Projects\CMSBusiness\Staff.cs:line 251
       at CMSBusiness.Staff.Save(Int32 userStaffId) in C:\CMS\Projects\CMSBusiness\Staff.cs:line 232
       at CMSUIPlumbing.Controllers.CStaffController.DoButton(ButtonTypes bt, Int32 iEntityId) in c:\cms\projects\cmsuiplumbing\controllers\cstaffcontroller.cs:line 113

I've found all kinds of coding references on how to do this but nothing on how to configure for it. "filemon" and "regmon" are not giving me any clues either. Does anybody have any ideas of what I'm missing? I am a member of the group and the group has access to the web site folder. I'm thinking it is something on the network that I don't have permission to unless I'm running from the studio, which doesn't make much sense to me. Thanks for your time.

--
Thom


You are probably running into what's known as a double-hop issue, where your credentials will not hop to 2 different machines. In the example where it works, the credentials go from the web server to the DC, whereas in the second example, the credentials go from the browser machine to the web server to the DC. The second hop will only work if Kerberos delegation is configured and enabled.

There are plenty of references and articles online about Kerberos delegation.

The other alternative is to try supplying credentials (username and password) to your DirectoryEntry. However, the WinNT provider is notorious for not working well with supplied credentials, so you would probably be better off using LDAP (if it is an AD domain).

Joe K.

"tbain" <tb***@discussions.microsoft.com> wrote in message news:50973729-F34E-4819-BA0A-4E1E864355D3@microsoft.com...


Joe,

Thanks for your response. I did not realize that going through a browser on the same machine as the web server would introduce the double hop. I was hoping it was a permissions thing. Since it's not an AD domain (at least not yet), maybe Basic Authentication with SSL is the answer but I was trying to avoid forcing the user to login again. Thanks again.

:) Thom

"Joe Kaplan (MVP - ADSI)" wrote:


Basic auth/SSL may help here as the plain text credentials are available in that case. You can test it and see. Hopefully I haven't misunderstood anything here. Your result is pretty typical, but there are a lot of variables here, so I could still be wrong.

Another thing to check on is to make sure that impersonation is enabled in web.config the same way in both places.

Best of luck.

Joe K.

"tbain" <tb***@discussions.microsoft.com> wrote in message news:CD25325B-B8F6-437C-B5D0-33A749CB26FC@microsoft.com...
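The double hop in this thread only happens because the group check makes a second network call carrying the caller's credentials. As an added example that is not code from the thread, the C# below shows the two ways around it: answering the question from the impersonated token on the web server itself (no directory call, no delegation, no stored service password), and, as Joe suggests, querying over the LDAP provider with explicitly supplied credentials (AD only). The class name, the group path, the service-account parameters and the web.config settings it assumes are all assumptions, not the poster's code.

```csharp
// Added example, not code from the thread. Assumes ASP.NET with
// <authentication mode="Windows" /> and <identity impersonate="true" />
// as in the posted web.config; group path and account names are placeholders.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

public class GroupMembership
{
    // Option 1: no second hop. The caller's impersonated token already carries
    // the SIDs of the groups they belong to (NT4 or AD domain alike), so the
    // check is answered on the web server without passing the caller's
    // credentials on to a domain controller. URL authorization's
    // <allow roles="MYDOMAIN\MYGROUP" /> relies on the same mechanism.
    public static bool CallerIsInGroup(string domainGroup)   // e.g. @"MYDOMAIN\MYGROUP"
    {
        IPrincipal caller = HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
            return false;
        return caller.IsInRole(domainGroup);
    }

    // Option 2 (AD only): bind with explicitly supplied credentials over the
    // LDAP provider, as suggested in the thread, so the bind does not depend on
    // the caller's delegated token. The service account and its password must
    // come from protected configuration, never from source. Like the WinNT loop
    // in the original post, this checks direct members only (no nested groups).
    public static bool UserIsDirectMemberViaLdap(string groupPath,   // "LDAP://CN=MYGROUP,OU=...,DC=..."
                                                 string samAccountName,
                                                 string svcUser, string svcPassword)
    {
        using (DirectoryEntry group = new DirectoryEntry(groupPath, svcUser, svcPassword,
                                                         AuthenticationTypes.Secure))
        {
            foreach (string memberDn in group.Properties["member"])
            {
                using (DirectoryEntry member = new DirectoryEntry("LDAP://" + memberDn,
                                                                  svcUser, svcPassword,
                                                                  AuthenticationTypes.Secure))
                {
                    string sam = member.Properties["sAMAccountName"].Value as string;
                    // Case-insensitive compare; String.Compare(a, b, true) exists in .NET 1.1
                    if (sam != null && String.Compare(sam, samAccountName, true) == 0)
                        return true;
                }
            }
        }
        return false;
    }
}
```

Option 1 is the one to reach for first: it needs neither Kerberos delegation nor a second set of credentials, and it works against the NT4 domain the thread describes.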