"Howard Hoffman" <HowardH@community.nospam> wrote in message
news:O2IPx14CIHA.4752@TK2MSFTNGP04.phx.gbl...
> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
>
> I've configured the web-site (following directions at
> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
> Negotiate access, and the site itself is using Integrated Windows
> Authentication and allow-anonymous.
>
> I've added an entry to my local HOSTS file, since there is no real
> domain-name (yet) for the web-site DNS. So, my urls look like
> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
> (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
> put it there) as http://*.mysite.com.
>
> I have a local group on the server computer (W2K3) named "Local PAIS
> Admins". I have added myself to that group, and logged out of Windows and
> logged back in (to the local machine -- the same computer that is hosting
> the web site).
>
> In web.config, I have a <location> element for the Admin.aspx page:
>
> <location path="Admin.aspx">
> <system.web>
> <authorization>
> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
> <deny users="*" />
> </authorization>
> </system.web>
> </location>
>
> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
>
> If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
> defaultProvider="AspNetWindowsTokenRoleProvider"
> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
> though I am in that group. I am prompted 3 times for the my credentials,
> and I enter them correctly. Finally, I get the Access is Denied default
> error page, with a 401.2 error.
>
> If I run with the RoleManager element commented out, it works, and I can
> see the page.
>
> If I add myself to a BUILTIN group (say, Power Users), and change the
> above <location> element to allow only that BUILTIN group, with
> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
> BUILTIN groups work though.
>
> I've not ever edited any of the
> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>
> Can someone explain what is happening? Is this a known ASP.NET
> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>
> I've a production deployment going on a similarly configured site, and we
> need to use local-machine groups.
>
> Thanks in advance,
>
> Howard Hoffman
>

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:ufRXXK6CIHA.4308@TK2MSFTNGP06.phx.gbl...
> I'm not sure what the problem is, but I would suggest writing some quick
> code that takes the WindowsIdentity object for the authenticated user
> (cast Context.User.Identity to WindowIdentity), take the objects in the
> Group property (IdentityReferenceCollection) and convert them to NTAccount
> objects via the Translate method. Then you can look at the names of the
> groups. That will help identify whether the group really isn't in the
> token or there is some weird string mismatch problem.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Howard Hoffman" <HowardH@community.nospam> wrote in message
> news:O2IPx14CIHA.4752@TK2MSFTNGP04.phx.gbl...
>> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
>>
>> I've configured the web-site (following directions at
>> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
>> Negotiate access, and the site itself is using Integrated Windows
>> Authentication and allow-anonymous.
>>
>> I've added an entry to my local HOSTS file, since there is no real
>> domain-name (yet) for the web-site DNS. So, my urls look like
>> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
>> (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
>> put it there) as http://*.mysite.com.
>>
>> I have a local group on the server computer (W2K3) named "Local PAIS
>> Admins". I have added myself to that group, and logged out of Windows
>> and logged back in (to the local machine -- the same computer that is
>> hosting the web site).
>>
>> In web.config, I have a <location> element for the Admin.aspx page:
>>
>> <location path="Admin.aspx">
>> <system.web>
>> <authorization>
>> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
>> <deny users="*" />
>> </authorization>
>> </system.web>
>> </location>
>>
>> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
>>
>> If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
>> defaultProvider="AspNetWindowsTokenRoleProvider"
>> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
>> though I am in that group. I am prompted 3 times for the my credentials,
>> and I enter them correctly. Finally, I get the Access is Denied default
>> error page, with a 401.2 error.
>>
>> If I run with the RoleManager element commented out, it works, and I can
>> see the page.
>>
>> If I add myself to a BUILTIN group (say, Power Users), and change the
>> above <location> element to allow only that BUILTIN group, with
>> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
>> BUILTIN groups work though.
>>
>> I've not ever edited any of the
>> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>>
>> Can someone explain what is happening? Is this a known ASP.NET
>> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>>
>> I've a production deployment going on a similarly configured site, and we
>> need to use local-machine groups.
>>
>> Thanks in advance,
>>
>> Howard Hoffman
>>
>
>

"Howard Hoffman" <HowardH@community.nospam> wrote in message
news:uSK3gYADIHA.4712@TK2MSFTNGP04.phx.gbl...
> Joe -
>
> I appreciate your response, but I don't see how it helps me.
>
> There is no Group property on the WindowsIdentity object in .NET 2.0, is
> there?
> I can certainly instantiate a new NTIdentity object from the
> HttpContext.Current.User.Identity.Name (and domain) just fine.
> So, there is a real-SID for the user-name. Where do we go from here?
>
> There is no copy / paste error - I put the group name on the clipboard in
> Computer Management / Local Users and Groups / Groups, and pasted that
> into Web.config.
>
> Thanks in advance,
>
> Howard Hoffman
>
> "Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message
> news:ufRXXK6CIHA.4308@TK2MSFTNGP06.phx.gbl...
>> I'm not sure what the problem is, but I would suggest writing some quick
>> code that takes the WindowsIdentity object for the authenticated user
>> (cast Context.User.Identity to WindowIdentity), take the objects in the
>> Group property (IdentityReferenceCollection) and convert them to
>> NTAccount objects via the Translate method. Then you can look at the
>> names of the groups. That will help identify whether the group really
>> isn't in the token or there is some weird string mismatch problem.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Howard Hoffman" <HowardH@community.nospam> wrote in message
>> news:O2IPx14CIHA.4752@TK2MSFTNGP04.phx.gbl...
>>> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
>>>
>>> I've configured the web-site (following directions at
>>> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
>>> and Negotiate access, and the site itself is using Integrated Windows
>>> Authentication and allow-anonymous.
>>>
>>> I've added an entry to my local HOSTS file, since there is no real
>>> domain-name (yet) for the web-site DNS. So, my urls look like
>>> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
>>> mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
>>> sites in IE (I put it there) as http://*.mysite.com.
>>>
>>> I have a local group on the server computer (W2K3) named "Local PAIS
>>> Admins". I have added myself to that group, and logged out of Windows
>>> and logged back in (to the local machine -- the same computer that is
>>> hosting the web site).
>>>
>>> In web.config, I have a <location> element for the Admin.aspx page:
>>>
>>> <location path="Admin.aspx">
>>> <system.web>
>>> <authorization>
>>> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
>>> <deny users="*" />
>>> </authorization>
>>> </system.web>
>>> </location>
>>>
>>> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
>>>
>>> If I run with RoleManager enabled in ASP.NET (<roleManager
>>> enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
>>> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
>>> though I am in that group. I am prompted 3 times for the my
>>> credentials, and I enter them correctly. Finally, I get the Access is
>>> Denied default error page, with a 401.2 error.
>>>
>>> If I run with the RoleManager element commented out, it works, and I can
>>> see the page.
>>>
>>> If I add myself to a BUILTIN group (say, Power Users), and change the
>>> above <location> element to allow only that BUILTIN group, with
>>> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
>>> BUILTIN groups work though.
>>>
>>> I've not ever edited any of the
>>> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>>>
>>> Can someone explain what is happening? Is this a known ASP.NET
>>> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>>>
>>> I've a production deployment going on a similarly configured site, and
>>> we need to use local-machine groups.
>>>
>>> Thanks in advance,
>>>
>>> Howard Hoffman
>>>
>>
>>
>
>

"Howard Hoffman" <HowardH@community.nospam> wrote in message
news:O2IPx14CIHA.4752@TK2MSFTNGP04.phx.gbl...
> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a web-site).
>
> I've configured the web-site (following directions at
> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM and
> Negotiate access, and the site itself is using Integrated Windows
> Authentication and allow-anonymous.
>
> I've added an entry to my local HOSTS file, since there is no real
> domain-name (yet) for the web-site DNS. So, my urls look like
> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for mysite.com
> (127.0.0.1). The mysite.com site is in my Local Intranet sites in IE (I
> put it there) as http://*.mysite.com.
>
> I have a local group on the server computer (W2K3) named "Local PAIS
> Admins". I have added myself to that group, and logged out of Windows and
> logged back in (to the local machine -- the same computer that is hosting
> the web site).
>
> In web.config, I have a <location> element for the Admin.aspx page:
>
> <location path="Admin.aspx">
> <system.web>
> <authorization>
> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
> <deny users="*" />
> </authorization>
> </system.web>
> </location>
>
> obviously, substituting the actual machine name for COMPUTER-NAME-HERE.
>
> If I run with RoleManager enabled in ASP.NET (<roleManager enabled="true"
> defaultProvider="AspNetWindowsTokenRoleProvider"
> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
> though I am in that group. I am prompted 3 times for the my credentials,
> and I enter them correctly. Finally, I get the Access is Denied default
> error page, with a 401.2 error.
>
> If I run with the RoleManager element commented out, it works, and I can
> see the page.
>
> If I add myself to a BUILTIN group (say, Power Users), and change the
> above <location> element to allow only that BUILTIN group, with
> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
> BUILTIN groups work though.
>
> I've not ever edited any of the
> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>
> Can someone explain what is happening? Is this a known ASP.NET
> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>
> I've a production deployment going on a similarly configured site, and we
> need to use local-machine groups.
>
> Thanks in advance,
>
> Howard Hoffman
>

> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a
> web-site).
>
> I've configured the web-site (following directions at
> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
> and Negotiate access, and the site itself is using Integrated Windows
> Authentication and allow-anonymous.
>
> I've added an entry to my local HOSTS file, since there is no real
> domain-name (yet) for the web-site DNS. So, my urls look like
> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
> mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
> sites in IE (I put it there) as http://*.mysite.com.
>
> I have a local group on the server computer (W2K3) named "Local PAIS
> Admins". I have added myself to that group, and logged out of Windows
> and logged back in (to the local machine -- the same computer that is
> hosting the web site).
>
> In web.config, I have a <location> element for the Admin.aspx page:
>
> <location path="Admin.aspx">
> <system.web>
> <authorization>
> <allow roles="COMPUTER-NAME-HERE\Local PAIS Admins" />
> <deny users="*" />
> </authorization>
> </system.web>
> </location>
> obviously, substituting the actual machine name for
> COMPUTER-NAME-HERE.
>
> If I run with RoleManager enabled in ASP.NET (<roleManager
> enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
> cacheRolesInCookie="false">), I cannot get access to Admin.aspx, even
> though I am in that group. I am prompted 3 times for the my
> credentials, and I enter them correctly. Finally, I get the Access is
> Denied default error page, with a 401.2 error.
>
> If I run with the RoleManager element commented out, it works, and I
> can see the page.
>
> If I add myself to a BUILTIN group (say, Power Users), and change the
> above <location> element to allow only that BUILTIN group, with
> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
> BUILTIN groups work though.
>
> I've not ever edited any of the
> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>
> Can someone explain what is happening? Is this a known ASP.NET
> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>
> I've a production deployment going on a similarly configured site, and
> we need to use local-machine groups.
>
> Thanks in advance,
>
> Howard Hoffman
>

> IIRC
>=20
> if you use the WindowsTokenRoleProvider you have to omit the machine =
name=20
> for local groups.
>=20
> Why do you use the provider at all?
>=20
> I wrote about it here:
> http://www.leastprivilege.com/SearchView.aspx?q=3DTokenRole
>=20
> but meanwhile i came to the conclusion that all the optimization is =
also=20
> done by the LSA - so i really not see the point of this provider at =
all.
>=20
>=20
> -----
> Dominick Baier (http://www.leastprivilege.com)
>=20
> Developing More Secure Microsoft ASP.NET 2.0 Applications =
(http://www.microsoft.com/mspress/books/9989.asp)
>=20
>> I've an IIS6 ASP.NET 2.0 web site (not a virtual directory, a
>> web-site).
>>=20
>> I've configured the web-site (following directions at
>> http://support.microsoft.com/kb/215383) in the MetaBase to allow NTLM
>> and Negotiate access, and the site itself is using Integrated Windows
>> Authentication and allow-anonymous.
>>=20
>> I've added an entry to my local HOSTS file, since there is no real
>> domain-name (yet) for the web-site DNS. So, my urls look like
>> http://mysite.com/Admin.aspx, where I've an entry in HOSTS for
>> mysite.com (127.0.0.1). The mysite.com site is in my Local Intranet
>> sites in IE (I put it there) as http://*.mysite.com.
>>=20
>> I have a local group on the server computer (W2K3) named "Local PAIS
>> Admins". I have added myself to that group, and logged out of =
Windows
>> and logged back in (to the local machine -- the same computer that is
>> hosting the web site).
>>=20
>> In web.config, I have a <location> element for the Admin.aspx page:
>>=20
>> <location path=3D"Admin.aspx">
>> <system.web>
>> <authorization>
>> <allow roles=3D"COMPUTER-NAME-HERE\Local PAIS Admins" />
>> <deny users=3D"*" />
>> </authorization>
>> </system.web>
>> </location>
>> obviously, substituting the actual machine name for
>> COMPUTER-NAME-HERE.
>>=20
>> If I run with RoleManager enabled in ASP.NET (<roleManager
>> enabled=3D"true" defaultProvider=3D"AspNetWindowsTokenRoleProvider"
>> cacheRolesInCookie=3D"false">), I cannot get access to Admin.aspx, =
even
>> though I am in that group. I am prompted 3 times for the my
>> credentials, and I enter them correctly. Finally, I get the Access =
is
>> Denied default error page, with a 401.2 error.
>>=20
>> If I run with the RoleManager element commented out, it works, and I
>> can see the page.
>>=20
>> If I add myself to a BUILTIN group (say, Power Users), and change the
>> above <location> element to allow only that BUILTIN group, with
>> RoleManager enalbed for the WindowsTokenRoleProvider, it works. Only
>> BUILTIN groups work though.
>>=20
>> I've not ever edited any of the
>> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG config files.
>>=20
>> Can someone explain what is happening? Is this a known ASP.NET
>> WindowsTokenRoleProvider limitation? Am I doing something wrong?
>>=20
>> I've a production deployment going on a similarly configured site, =
and
>> we need to use local-machine groups.
>>=20
>> Thanks in advance,
>>=20
>> Howard Hoffman
>>=20
>=20