WindowsPrincipal.IsInRole() problem with non-builtin roles

[naijacoder naijacoder]

Can't get WindowsPrincipal.IsInRole() to work for me when using
Windows Authentication. Here's a snippit of code from my C#
codebehind page:

WindowsPrincipal wp = new WindowsPrincipal(
WindowsIdentity.GetCurrent() );
lblUser.Text = wp.Identity.Name;
Label1.Text = wp.IsInRole(@"DOMAIN\group").ToString();


where "DOMAIN\group" is a valid group name. The username shows up
correctly as "DOMAIN\username" but for any non-builtin roles,
IsInRole() returns false. Does anyone have suggestions as to why this
is not working?



*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Joe Kaplan \(MVP - ADSI\)]

When using Windows authentication in ASP.NET, the WindowsPrincipal for the
logged in user is in the HttpContext.User property, not the
WindowsIdentity.GetCurrent(). They are the same IF you are impersonating,
but otherwise they are not.

HTH,

Joe K.

"naijacoder naijacoder" <naijacoder@toughguy.net> wrote in message
news:urYFE4ljEHA.3536@TK2MSFTNGP12.phx.gbl...

> Can't get WindowsPrincipal.IsInRole() to work for me when using
> Windows Authentication. Here's a snippit of code from my C#
> codebehind page:
>
> WindowsPrincipal wp = new WindowsPrincipal(
> WindowsIdentity.GetCurrent() );
> lblUser.Text = wp.Identity.Name;
> Label1.Text = wp.IsInRole(@"DOMAIN\group").ToString();
>
>
> where "DOMAIN\group" is a valid group name. The username shows up
> correctly as "DOMAIN\username" but for any non-builtin roles,
> IsInRole() returns false. Does anyone have suggestions as to why this
> is not working?
>
>
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
> Don't just participate in USENET...get rewarded for it!

[Hernan de Lahitte]

Agree with Joe's comment (always use the User property to avoid
impersonatuion issues). Nevertheless, if you want to go further and check
out what roles are beeing evaluated inside the IsInRole() method, you may
use this little "hack" snippet to inspect the roles string array that use
WindowsPrincipal for this evaluation.

public static string[] Roles( WindowsIdentity identity )
{
// Parameters check
if( identity == null )
{
throw new ArgumentNullException( "identity" );
}
if( identity.Name.Length < 1 )
{
return new string[0];
}

// Get roles
string[] roles = (string[])CallPrivateMethod( identity, "GetRoles" );
return roles;
}

//Note: This method will require 'ReflectionPermission'
[ReflectionPermission( SecurityAction.Assert, MemberAccess=true,
TypeInformation=true )]
private static object CallPrivateMethod(object o, string methodName)
{
Type t = o.GetType();
MethodInfo mi = t.GetMethod(methodName, BindingFlags.NonPublic |
BindingFlags.Instance);
if (mi == null)
{
throw new System.Reflection.ReflectionTypeLoadException(null ,null,
String.Format("{0}.{1} method wasn't found. The runtime
implementation may have changed!", t.FullName,
methodName ) );
}
return mi.Invoke(o, null);
}


--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://weblogs.asp.net/hernandl[/url]


This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:u8kZ12pjEHA.2324@TK2MSFTNGP10.phx.gbl...

> When using Windows authentication in ASP.NET, the WindowsPrincipal for the
> logged in user is in the HttpContext.User property, not the
> WindowsIdentity.GetCurrent(). They are the same IF you are impersonating,
> but otherwise they are not.
>
> HTH,
>
> Joe K.
>
> "naijacoder naijacoder" <naijacoder@toughguy.net> wrote in message
> news:urYFE4ljEHA.3536@TK2MSFTNGP12.phx.gbl...

>> Can't get WindowsPrincipal.IsInRole() to work for me when using
>> Windows Authentication. Here's a snippit of code from my C#
>> codebehind page:
>>
>> WindowsPrincipal wp = new WindowsPrincipal(
>> WindowsIdentity.GetCurrent() );
>> lblUser.Text = wp.Identity.Name;
>> Label1.Text = wp.IsInRole(@"DOMAIN\group").ToString();
>>
>>
>> where "DOMAIN\group" is a valid group name. The username shows up
>> correctly as "DOMAIN\username" but for any non-builtin roles,
>> IsInRole() returns false. Does anyone have suggestions as to why this
>> is not working?
>>
>>
>>
>> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
>> Don't just participate in USENET...get rewarded for it!

>
>

[naijacoder naijacoder]

Hi Hernan de Lahitte,
How are you and thanks for the code!
I tried running the code for getting the actual roles but i keep getting
errors.Can you pls explain how i can get the code working.Pls explain
step by step.
Thanks alot.


*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!

[Joe Kaplan \(MVP - ADSI\)]

Since you are using VB.NET, perhaps this sample (doing the same basic thing)
will work for you:

Function GetRoles(byval identity as WindowsIdentity) as String()

Dim idType As Type
idType = GetType(WindowsIdentity)
Dim result As Object =
idType.InvokeMember("_GetRoles",BindingFlags.Stati c Or
BindingFlags.InvokeMethod Or BindingFlags.NonPublic,Nothing, identity, New
Object() {identity.Token}, Nothing)
Dim roles() As String = DirectCast(result, String())
Return roles

End Function

Joe K.

"naijacoder naijacoder" <naijacoder@toughguy.net> wrote in message
news:OV1fKAIkEHA.3848@tk2msftngp13.phx.gbl...

> Hi Hernan de Lahitte,
> How are you and thanks for the code!
> I tried running the code for getting the actual roles but i keep getting
> errors.Can you pls explain how i can get the code working.Pls explain
> step by step.
> Thanks alot.
>
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
> Don't just participate in USENET...get rewarded for it!