WindowsPrincipal in a component used in classic ASP always returns the same identity

I have created a component in .NET to use in a classic ASP application on an intranet. It should use the Windows authentication and WindowsPrincipal.IsInRole() method to check which groups the user belongs to:

    ....
    AppDomain ad = Thread.GetDomain();
    ad.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    WindowsPrincipal wp = (WindowsPrincipal)Thread.CurrentPrincipal;
    .....

The problem is that this always returns the same user (the user who created the component and installed it), regardless of which user runs the ASP application.

I am using the same code in ASP.NET pages, and it works fine. The ASP application obviously does not automatically pass the user details to the component, but I don't know how it can be done. (BTW, the AppDomain.FriendlyName() returns "DefaultDomain")

What am I doing wrong here?

Any help would be greatly appreciated.

Thanks in advance
Radomil

Hello radomil,

Using SetPrincipalPolicy is not recommended, because it can cause errors when called more than once in the same appdomain - and btw - just does nothing under ASP.NET.

What ad.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); does:

    // look at the process token
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    // wrap it with a principal
    WindowsPrincipal p = new WindowsPrincipal(id);
    Thread.CurrentPrincipal = p;

ASP.NET does that automatically for you and the recommended way of accessing that information is via Page.User or Context.User. Your code works because ASP.NET takes care that Thread.CurrentPrincipal and Context.User are synchronized.

That said - ASP.NET is more clever than classic ASP - so Page.User represents the identity of the client. But calling WindowsIdentity.GetCurrent() looks at the process and under which account the process runs, that's the reason why your component always shows the same identity (I guess LOCAL SYSTEM or IWAM??).

What do you mean by: "the user who created the component and installed it"?

Try this:

    WindowsIdentity id1 = WindowsIdentity.GetCurrent();
    // print out id1.Name
    WindowsIdentity.Impersonate(IntPtr.Zero);
    // and print out
    WindowsIdentity id2 = WindowsIdentity.GetCurrent();
    // print out id2.Name

Do they differ??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Dominick,

Thank you very much for your reply. I have tried what you suggested, and the result was this:

    WindowsIdentity id1 = WindowsIdentity.GetCurrent();
    // This returns the id.Name as the name of the current user
    WindowsIdentity.Impersonate(IntPtr.Zero);
    WindowsIdentity id2 = WindowsIdentity.GetCurrent();
    // Now this returns id2.Name as "NT AUTHORITY\NETWORK SERVICE"

Now I can get the current user if I do:

    WindowsIdentity wi = WindowsIdentity.GetCurrent();
    WindowsPrincipal wp = new WindowsPrincipal(wi);

(instead of:

    WindowsPrincipal wp = (WindowsPrincipal)Thread.CurrentPrincipal;

which (apparently) returns the user who runs the component for the first time after installing(?))

This really solves my problem, but I do need to do some studying to figure out why this is happening.

Thanks again, your help is much appreciated.

Radomil
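
The fix reached in the thread, written out as a COM-visible role check. This is an added example, not code from either poster; the class name CallerRoleCheck and the method IsCallerInGroup are hypothetical. It goes one step beyond the thread by using the WindowsIdentity.GetCurrent(bool) overload, so the check fails closed when the thread is not impersonating instead of evaluating the process account.

```csharp
// Added illustration; CallerRoleCheck and IsCallerInGroup are hypothetical names.
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

[ComVisible(true)]
public class CallerRoleCheck
{
    // Returns true only when the calling thread carries an impersonation
    // token for a user who is a member of 'group' (e.g. "DOMAIN\\Editors").
    public bool IsCallerInGroup(string group)
    {
        if (string.IsNullOrEmpty(group))
            throw new ArgumentException("group name required", "group");

        // GetCurrent(true) returns null when the thread is NOT impersonating,
        // instead of falling back to the process token (the
        // "NT AUTHORITY\NETWORK SERVICE" result seen in the thread).
        using (WindowsIdentity caller = WindowsIdentity.GetCurrent(true))
        {
            if (caller == null)
                throw new SecurityException(
                    "Thread is not impersonating; refusing to check the process identity.");

            // Reject tokens that do not represent an authenticated end user.
            if (caller.IsAnonymous || caller.IsGuest || caller.IsSystem
                || !caller.IsAuthenticated)
                return false;

            // Build the principal from the thread token on every call.
            // Thread.CurrentPrincipal is deliberately not read here: a
            // principal stored there is not refreshed when the thread later
            // impersonates a different user.
            return new WindowsPrincipal(caller).IsInRole(group);
        }
    }
}
```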