Re: IsInRole always return fasle on secure remoting call (Framework 2.0)



The problem is that WindowsIdentity.GetCurrent() returns the account the
service is running under, and this is not what I need; what I need is to
test the remote caller.

Let me just remind you what I am doing:

I am doing remoting calls over a TCP channel set to "secure", which, as far
as I can see, means that on the server side (service) the
System.Threading.Thread.CurrentPrincipal will be set with the identity of the
remote caller. Because I am not impersonating, and do not want to, the
WindowsIdentity.GetCurrent() is still set to the service account.
The System.Threading.Thread.CurrentPrincipal contains the identity of the
remote caller, the one for which I want to test whether he is a member of a
group or not.

I based my code on the following documentation from MS
http://msdn2.microsoft.com/en-us/library/kw7c6kwc.aspx to set the property
of the TCP channel:

secure (TcpChannel)
A Boolean value (true or false) that specifies whether communications
on the channel are secure. The default is false. When it is set to true, the
tokenImpersonationLevel property is set to Identification and the
protectionLevel property is set to EncryptAndSign. Note that a secure
TcpClientChannel may connect only to a secure TcpServerChannel, and a
non-secure TcpClientChannel may connect only to a non-secure
TcpServerChannel.

Note
If the server computer is running Windows 95, Windows 98, or
Windows Me, the TcpServerChannel cannot be specified as secure.


Also, here is a description of the tokenImpersonationLevel from
http://msdn2.microsoft.com/en-us/library/system.security.principal.tokenimpersonationlevel.aspx:

Member name - Description

Anonymous - The server process cannot obtain identification information
about the client, and it cannot impersonate the client.

Delegation - The server process can impersonate the client's security
context on remote systems.

Identification - The server process can obtain information about the
client, such as security identifiers and privileges, but it cannot
impersonate the client. This is useful for servers that export their own
objects, for example, database products that export tables and views. Using
the retrieved client-security information, the server can make
access-validation decisions without being able to use other services that
are using the client's security context.

Impersonation - The server process can impersonate the client's security
context on its local system. The server cannot impersonate the client on
remote systems.

None - An impersonation level is not assigned.




When debugging my code, I can see the
System.Threading.Thread.CurrentPrincipal set properly with the remote
caller, and the AuthenticationToken is set to Identification, but I am not
able to test if the user is a member of a specific group: IsInRole returns
false all the time, which is the only thing I want to do -:) . Reading the
description of "Identification" above, you would think that it should be
possible, no?

Cheers,
Eric


"Luke Zhang [MSFT]" <lukezhan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:iNeqt8YQGHA.4620@xxxxxxxxxxxxxxxxxxxxxxxx
I mean "System.Threading.Thread.CurrentPrincipal.IsInRole()" won't return
the correct result; you may still use:

WindowsPrincipal aWinPrinc = new WindowsPrincipal(WindowsIdentity.GetCurrent());

If there is anything unclear, please feel free to let me know.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
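To make the setup Eric describes concrete, here is an added illustration (not code from this thread, from Eric, or from Microsoft) of a secure-TCP remoting server that reports, for each call, both the service account from WindowsIdentity.GetCurrent() and the caller's identity from Thread.CurrentPrincipal, and then evaluates IsInRole on the caller. The object name "GroupChecker", the port 9000 and the role strings are assumptions chosen for the example.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Security.Principal;
using System.Threading;

// Hypothetical remote object hosted by the Windows service.
public class GroupChecker : MarshalByRefObject
{
    // Reports who the server sees on this call and whether the CALLER
    // (not the service account) is in the requested role.
    public string Describe(string roleName)
    {
        // Identity of the process the service runs under; unchanged by the
        // remoting call because nothing impersonates.
        WindowsIdentity serviceIdentity = WindowsIdentity.GetCurrent();

        // Identity the secure TCP channel attached to the calling thread.
        IPrincipal callerPrincipal = Thread.CurrentPrincipal;
        WindowsIdentity callerIdentity = callerPrincipal.Identity as WindowsIdentity;

        if (callerIdentity == null)
        {
            // No Windows identity means the channel was not secure or the caller
            // was not authenticated: deny instead of falling back to the
            // service account, which would answer for the wrong principal.
            return "caller identity is not a WindowsIdentity; access denied";
        }

        // Access-validation decision made with the retrieved client security
        // information, as the "Identification" level allows.
        bool inRole = callerPrincipal.IsInRole(roleName);

        return string.Format(
            "service={0} caller={1} authType={2} authenticated={3} " +
            "impersonationLevel={4} IsInRole({5})={6}",
            serviceIdentity.Name,
            callerIdentity.Name,
            callerIdentity.AuthenticationType,
            callerIdentity.IsAuthenticated,
            callerIdentity.ImpersonationLevel,
            roleName,
            inRole);
    }
}

public static class ServiceHost
{
    public static void Start()
    {
        IDictionary props = new Hashtable();
        props["port"] = 9000;     // assumed port
        // "secure" = true sets tokenImpersonationLevel to Identification and
        // protectionLevel to EncryptAndSign, per the documentation quoted above.
        props["secure"] = true;

        TcpServerChannel channel = new TcpServerChannel(props, null);
        ChannelServices.RegisterChannel(channel, true);   // ensureSecurity = true

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(GroupChecker), "GroupChecker", WellKnownObjectMode.SingleCall);
    }
}

public static class Client
{
    // Assumed client: a secure TcpClientChannel, since a secure server channel
    // only accepts secure client channels.
    public static string Call()
    {
        IDictionary props = new Hashtable();
        props["secure"] = true;
        ChannelServices.RegisterChannel(new TcpClientChannel(props, null), true);

        GroupChecker checker = (GroupChecker)Activator.GetObject(
            typeof(GroupChecker), "tcp://localhost:9000/GroupChecker");

        // Role names passed to WindowsPrincipal.IsInRole(string) must be fully
        // qualified: "BUILTIN\\Administrators" or "DOMAIN\\GroupName".
        return checker.Describe(@"BUILTIN\Administrators");
    }
}
```

When reading the report, compare the "service" and "caller" names first: if they are equal, the principal under test is the service account and any IsInRole answer is about the wrong user. Only once the caller name is the remote user does a false result say anything about group membership. Note also that WindowsPrincipal.IsInRole(string) expects the "DOMAIN\Group" (or "BUILTIN\Group") form and will return false for a bare group name, whereas the IsInRole(WindowsBuiltInRole) and IsInRole(SecurityIdentifier) overloads avoid name-format mistakes entirely.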


