HighTechTalks DotNet Forums

WindowsPrincipal.IsInRole throwing exceptions...

Dotnet Security (microsoft.public.dotnet.security)

#1
djkveton
WindowsPrincipal.IsInRole throwing exceptions... - 12-07-2007, 04:42 AM

Hello,

here comes the description of the trouble:

I try to guard my code with PrincipalPermissionAttribute (but I also tried
to call IsInRole directly and even LsaLookupNames2...).
When I ask for a role that exists I receive the reply "true", which is good.
When I ask for a role that doesn't exist, I sometimes receive "false", which
is also good, and sometimes System.Exception (trust related error), which is
not so good - especially in the case of declarative security...

Interesting observations:
- Queries for roles beginning with the domain name (i.e. "DOMAIN\GROUP") always
  work OK (returning "true" or "false")
- Query for role "Personal" would return "false"
- Query for role "PersonalPlus" would throw an exception.

OS: Windows Vista in domain

Has anybody experienced (and solved) this?

Thanks for your comments.

#2
Dominick Baier
Re: WindowsPrincipal.IsInRole throwing exceptions... - 12-08-2007, 08:26 AM

If you omit the Domain\ part - local groups are assumed.

What exact exception do you get (including inner exception)?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

#3
djkveton
Re: WindowsPrincipal.IsInRole throwing exceptions... - 12-09-2007, 06:02 AM

Hi Dominick,

Quote:
if you omit the Domain\ part - local groups are assumed.

I know this. What I tried to express is that I would expect the call to
return false for a non-existent group, not an exception.

Quote:
What exact exception do you get (including inner exception) ?

There is no inner exception. Just System.Exception with a message (I do not
remember the exact message).
.NET Framework internally calls a Win32 native function (LsaLookupNames2).
The return value of this function is C000018C (STATUS_TRUSTED_DOMAIN_FAILURE).
This converts into the Windows error message "The trust relationship between the
primary domain and the trusted domain failed."

Please note the interesting point that for some calls it fails and for others
it does not. And it does not depend on whether the group exists or not, or on
whether the account that runs the request is an administrator or a member of
the group in question or not.

Regards

djk
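
An added example, not part of the original posts: an imperative role check that qualifies bare group names and denies access when the lookup throws, so the exception described in the thread cannot escape an authorization path. The helper name `IsInRoleFailClosed` and the use of `Environment.MachineName` as the authority for bare names are assumptions; the thread does not confirm that qualifying the name avoids the exception in the poster's environment.

```csharp
// Added illustration, not code from the thread. Windows-only (System.Security.Principal).
using System;
using System.Security.Principal;

static class RoleCheck
{
    // Hypothetical helper: qualify bare names and treat a failed lookup as "not a member".
    public static bool IsInRoleFailClosed(WindowsPrincipal principal, string role,
                                          string defaultAuthority)
    {
        if (principal == null || string.IsNullOrEmpty(role)) return false;

        // Bare names such as "PersonalPlus" are the case the thread reports as
        // unreliable; AUTHORITY\GROUP names were reported to return true or false.
        string qualified = role.IndexOf('\\') >= 0
            ? role
            : defaultAuthority + "\\" + role;

        try
        {
            return principal.IsInRole(qualified);
        }
        catch (Exception ex)
        {
            // The thread reports a plain System.Exception here. Deny, and record
            // the failure so it is not mistaken for an ordinary "false".
            Console.Error.WriteLine("Role lookup failed for '{0}': {1}: {2}",
                qualified, ex.GetType().FullName, ex.Message);
            return false;
        }
    }

    static void Main()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        string local = Environment.MachineName; // assumption: bare names mean local groups

        // Role names taken from the thread, plus one well-known built-in group.
        foreach (string role in new[] { "Personal", "PersonalPlus", @"BUILTIN\Users" })
            Console.WriteLine("{0,-16} -> {1}", role,
                IsInRoleFailClosed(principal, role, local));
    }
}
```

A declarative `PrincipalPermissionAttribute` demand gives no place to catch the lookup failure, which is why this sketch uses an imperative check.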
