#2
I am having an "invalid token, it cannot be duplicated" error 70% of the time on one machine. We are creating and validating the current user. The following line of code raises the exception:

    System.Security.Principal.WindowsIdentity winIden = new System.Security.Principal.WindowsIdentity(iToken);

Exception:

    String Message = "LoginWI() Invalid token; it cannot be duplicated. at RtReports.Security.LocalAuthentication.CheckUserGroups(IntPtr iToken, StringCollection strGroupsCollection)

Any help is really appreciated.

Thanks,
Kamal
#3
Where do you get the token from?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
#4
Hi Dominick,

Thanks for your response. Here is the code from the Login() webmethod; the same token will be passed to another method, which has the actual problem.

    WindowsIdentity wi = WindowsIdentity.GetCurrent();
    IntPtr iToken = wi.Token;
    string domainName = "";
    string userName = "";
    if (wi.Name != null)
    {
        string curUser = wi.Name;
        if (curUser.Length > 0)
        {
            // Split DOMAIN\user into its two parts
            int sepIndex = curUser.IndexOf(@"\");
            if (sepIndex > -1)
            {
                domainName = curUser.Substring(0, sepIndex);
                int len = curUser.Length - domainName.Length;
                if (len > 0)
                {
                    userName = curUser.Substring(sepIndex + 1, len - 1);
                }
            }
            else // just in case, no domain
                userName = curUser;
        }
    }

Thanks,
Kamal.
#5
Hi,

well - frankly, I don't understand what you are doing... and why do you have to pass tokens around??

-----
Dominick Baier
#6
Dominick,

Because the login method will be used by the ASP.NET application and also by a SharePoint web part to access some web service calls, we split it into two. So, the login method is common, and before that we receive the token; we pass the token to the Login method and it tries to get the Principal.

Sequence is:

1. SharepointLogin() using

       WindowsIdentity wi = WindowsIdentity.GetCurrent();
       IntPtr iToken = wi.Token;

   and passing this token to the LogInUser() method of Global.ascx.

2. static internal void LogInUser(System.Web.HttpApplication appState, IntPtr iToken, string domainName, string userName), which internally calls another method to retrieve the valid groups list by passing the iToken again.

3. public string CheckUserGroups(IntPtr iToken, StringCollection strGroupsCollection), which uses the following:

       System.Security.Principal.WindowsIdentity winIden = new System.Security.Principal.WindowsIdentity(iToken);

   This is where the "Invalid token" problem happens.

I can create a sample application if you like. Please let me know if there is a best way to accomplish this.

Thanks,
Kamal
#8
Some things strike me as odd...

First - you are using WindowsIdentity.GetCurrent() - this implies you are using client impersonation (and also that your code will only work with that setting) - you can always get to the authenticated client name by using Context.User.Identity.Name.

This also means - why do you have to factor that out? The client information is always available..

-----
Dominick Baier
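
Added example (not part of the thread, and not code from either poster): one way to do the group check from post #6 without handing a raw IntPtr between methods. The handle returned by wi.Token is owned by the WindowsIdentity object and is closed when that object is disposed or finalized, so a bare IntPtr copied out of it can go stale; passing the identity object itself avoids that. The names GroupCheck and MatchingGroups and the sample group names are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Principal;

static class GroupCheck
{
    // Hypothetical replacement for CheckUserGroups(IntPtr, StringCollection):
    // it takes the identity object, so the token handle stays owned and alive
    // for as long as the caller holds the WindowsIdentity.
    public static StringCollection MatchingGroups(WindowsIdentity identity,
                                                  StringCollection wantedGroups)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (wantedGroups == null) throw new ArgumentNullException("wantedGroups");
        if (!identity.IsAuthenticated || identity.IsAnonymous)
            throw new UnauthorizedAccessException("No authenticated Windows user.");

        WindowsPrincipal principal = new WindowsPrincipal(identity);
        StringCollection matches = new StringCollection();
        foreach (string group in wantedGroups)
        {
            // IsInRole expects names such as DOMAIN\Group or BUILTIN\Group.
            if (principal.IsInRole(group)) matches.Add(group);
        }
        return matches;
    }

    static void Main()
    {
        // In an ASP.NET page or web method using Windows authentication, use:
        //   WindowsIdentity id = Context.User.Identity as WindowsIdentity;
        // GetCurrent() stands in here so the sample runs as a console program.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            StringCollection wanted = new StringCollection();
            wanted.Add(@"BUILTIN\Users");           // constructed sample values
            wanted.Add(@"BUILTIN\Administrators");

            foreach (string g in MatchingGroups(id, wanted))
                Console.WriteLine("{0} is a member of {1}", id.Name, g);
        }
    }
}
```

If a method signature that takes an IntPtr has to stay, construct the new WindowsIdentity(iToken) while the identity that produced the handle is still referenced and undisposed, since the constructor duplicates the handle at that moment.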