HighTechTalks DotNet Forums  

role/group authorization not recognizing user groups.

ASP.net Security microsoft.public.dotnet.framework.aspnet.security



#1 TygerKrash - 11-06-2007, 06:35 AM

I've seen other posts that seem to have a similar problem but none
with a posted solution, so here goes again...

My application does not allow anonymous access, and Integrated Windows
Authentication is enabled.

In my web.config I have the following:

<authentication mode="Windows"/>
<authorization>
  <allow roles="ie.mydomain\EDI_GROUP,ie.mydomain\EDI_OPS"/>
  <deny users="*"/>
</authorization>
<identity impersonate="true"/>

As far as I can tell this should be all I need.


However, users who are members of the domain groups EDI_GROUP or
EDI_OPS get "access denied" for the default.aspx page (in the application
root directory).

I have verified the users are members of the groups and that the host is
aware of the groups (double-checked by restarting the server...
twice!).

Interestingly, within the application I can programmatically identify the
users as members of the groups, but only if I use:

using System.Security.Principal;

// Principal built from the token the request thread is running under
// (the impersonated caller here, because of <identity impersonate="true"/>)
WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

If I try to use:

using System.Security.Principal;
using System.Threading;

// The principal ASP.NET attached to the request thread
IPrincipal principal = Thread.CurrentPrincipal;
bool memberOfEDI_Ops = principal.IsInRole("EDI_Ops");

memberOfEDI_Ops will be false (further investigation revealed that
the IPrincipal here was in fact a GenericPrincipal and not the
required WindowsPrincipal).


This may be a red herring, but the second approach will in fact return
a WindowsPrincipal when running on the Visual Studio web server on my
development machine.

My development machine is an XP SP2 machine and the IIS server is a
2003 machine with SP1.

Any ideas, suggestions?



#2 Joe Kaplan - 11-10-2007, 08:58 AM

It is strange that your Thread.CurrentPrincipal isn't a WindowsPrincipal.
What is the Context.User property in this case? Thread.CurrentPrincipal and
Context.User should be the same in an ASP.NET app in most circumstances.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
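Joe's question (what is Context.User?) is the right first check, because the web.config <allow roles=...> rules are evaluated by UrlAuthorizationModule against Context.User, not against whatever WindowsIdentity.GetCurrent() returns. The handler below is an added diagnostic, not code from this thread: it prints the four identities in play side by side so the mismatch is visible in one request. It assumes ASP.NET 2.0 or later (Request.LogonUserIdentity does not exist in 1.x), the two group names from the original web.config, and the hypothetical file name PrincipalDiag.ashx.

```csharp
// PrincipalDiag.ashx.cs (hypothetical name): added diagnostic, not code from the thread.
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

public class PrincipalDiagHandler : IHttpHandler
{
    // Group names taken from the poster's web.config; domain-qualified on purpose.
    static readonly string[] Groups = { @"ie.mydomain\EDI_GROUP", @"ie.mydomain\EDI_OPS" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(Describe(ctx));
    }

    public static string Describe(HttpContext ctx)
    {
        StringBuilder sb = new StringBuilder();

        // 1. The principal UrlAuthorizationModule evaluates <allow roles=...> against.
        //    A GenericPrincipal created with no roles answers false to every IsInRole, so the
        //    rules fall through to <deny users="*"/> and the caller is refused: it fails closed.
        sb.AppendLine("Context.User:                 " + Show(ctx.User));

        // 2. Normally the same object as Context.User; the poster saw a GenericPrincipal here.
        sb.AppendLine("Thread.CurrentPrincipal:      " + Show(Thread.CurrentPrincipal));

        // 3. The token the request thread runs under. With <identity impersonate="true"/> it is
        //    the caller; without it, it is the worker-process account, so an IsInRole check on
        //    it would test the service account's groups rather than the user's.
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent();
        sb.AppendLine("WindowsIdentity.GetCurrent(): " + threadToken.Name);

        // 4. The identity IIS authenticated for this request, independent of impersonation
        //    and of anything that later replaced Context.User.
        WindowsIdentity logon = ctx.Request.LogonUserIdentity;
        sb.AppendLine("Request.LogonUserIdentity:    " + logon.Name
            + " authenticated=" + logon.IsAuthenticated
            + " anonymous=" + logon.IsAnonymous);

        // 5. Role answers side by side. Qualifying the group with its domain avoids resolving a
        //    bare name like "EDI_Ops" against the local SAM or a different trusted domain.
        WindowsPrincipal fromLogon = new WindowsPrincipal(logon);
        foreach (string g in Groups)
        {
            sb.AppendLine(g + ": Context.User=" + ctx.User.IsInRole(g)
                + " LogonUserIdentity=" + fromLogon.IsInRole(g));
        }

        // 6. Every group SID in the token, translated to DOMAIN\Name where the lookup succeeds.
        sb.AppendLine("Token groups:");
        foreach (IdentityReference sid in logon.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = sid.Value; } // unknown or orphaned SID
            sb.AppendLine("  " + name);
        }
        return sb.ToString();
    }

    static string Show(IPrincipal p)
    {
        if (p == null) return "(null)";
        return p.GetType().FullName + " name=" + p.Identity.Name
            + " type=" + p.Identity.AuthenticationType
            + " authenticated=" + p.Identity.IsAuthenticated;
    }
}
```

Because the existing rules deny everyone, the handler itself would be blocked; open just that path to authenticated users for the duration of the test with a <location path="PrincipalDiag.ashx"> element containing <allow users="*"/> (anonymous access is disabled in IIS, so "*" here means any Windows-authenticated caller), and remove the handler afterwards, since it discloses group membership to whoever can reach it.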

#3 TygerKrash - 11-12-2007, 11:28 AM

Hi Joe,
Thanks for the reply.

I've just checked and Context.User is also appearing as a
GenericPrincipal (representing the same user).

I can, and given time constraints I probably will, just identify the
users' role programmatically and enforce my authorization that way,
so this isn't that serious a problem, but I am curious to get to the
bottom of this.


Dave.


#4 Joe Kaplan - 11-12-2007, 11:35 AM

If your app is using Windows security in IIS and web.config, the
authenticated user (Context.User) should be a WindowsPrincipal. Is it
possible something else has been added to the stack like membership or
something? I honestly don't know.

Joe K.


#5 TygerKrash - 11-14-2007, 09:38 AM

There's no Membership entry in our application web.config; maybe it's
something set in the machine.config, but looking at that makes me kind
of dizzy! Guess I'll mark this one up as 'weird' for the time being.
I'll work around it and move on.

Thanks for your help.
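Dave's plan in #3 and #5 is to check the role in code instead of relying on the web.config rules, and Joe's guess in #4 is that something in the pipeline replaced the principal. The module below is an added example, not code from this thread or from anything Dave deployed, and the root cause in the thread was never found. It takes a different route from a per-page check: at PostAuthenticateRequest (which fires after every AuthenticateRequest handler and before UrlAuthorizationModule runs at AuthorizeRequest) it rebuilds Context.User from the token IIS authenticated when the principal is not a WindowsPrincipal, so the existing <allow roles=...>/<deny users="*"/> rules and every IsInRole call see the same WindowsPrincipal, and it fails closed when there is no authenticated Windows user. It assumes ASP.NET 2.0 (PostAuthenticateRequest and Request.LogonUserIdentity), that whatever swaps the principal does so during AuthenticateRequest, and the hypothetical class name WindowsPrincipalRestoreModule.

```csharp
// WindowsPrincipalRestoreModule.cs (hypothetical name): added example, not from the thread.
using System;
using System.Security.Principal;
using System.Web;

public class WindowsPrincipalRestoreModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // After all AuthenticateRequest handlers, before AuthorizeRequest, i.e. before
        // UrlAuthorizationModule applies the web.config <allow>/<deny> rules to Context.User.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        IPrincipal principal = ResolvePrincipal(ctx.User, ctx.Request.LogonUserIdentity);
        if (principal == null)
        {
            // No usable authenticated Windows identity: refuse rather than fall back to anything.
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            app.CompleteRequest();
            return;
        }
        // ASP.NET re-syncs Thread.CurrentPrincipal from Context.User as the pipeline advances,
        // so page code using Thread.CurrentPrincipal.IsInRole sees the same principal.
        ctx.User = principal;
    }

    // Kept free of HttpContext so the decision can be unit-tested. Returns the principal that
    // authorization should use, or null when the request must be rejected.
    public static IPrincipal ResolvePrincipal(IPrincipal current, WindowsIdentity logonUser)
    {
        WindowsPrincipal wp = current as WindowsPrincipal;
        if (wp != null && wp.Identity.IsAuthenticated)
            return wp;  // healthy pipeline: keep what WindowsAuthenticationModule set

        // LogonUserIdentity is the token IIS handed to ASP.NET for this request. It is the
        // caller regardless of <identity impersonate>, unlike WindowsIdentity.GetCurrent().
        if (logonUser == null || !logonUser.IsAuthenticated || logonUser.IsAnonymous)
            return null;

        // Never silently swap one authenticated identity for another: only rebuild when the
        // replacement principal is unauthenticated or names the same account (the poster's
        // GenericPrincipal "represented the same user").
        if (current != null && current.Identity != null && current.Identity.IsAuthenticated
            && !string.Equals(current.Identity.Name, logonUser.Name, StringComparison.OrdinalIgnoreCase))
            return null;

        return new WindowsPrincipal(logonUser);
    }
}
```

Register it in web.config under <system.web> with <httpModules><add name="WindowsPrincipalRestore" type="WindowsPrincipalRestoreModule"/></httpModules> and keep the original <authorization> block unchanged; the domain-qualified role names in it now resolve against a real Windows token. The name-equality guard assumes both layers format the account as DOMAIN\user; if the replacing component uses a different format, relax that comparison deliberately rather than dropping the check, and log the mismatch.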
