
I have a VB.NET 3.5 application using the PrincipalPermission class to ensure a user is a member of a role. The code works for some groups in the Active Directory domain but not others. At first I thought the space was an issue, but I checked 'Domain Users', which worked. Running this code, I am a member of App Group.

Imports System.Security
Imports System.Security.Principal
Imports System.Security.Permissions

    ' Returns True when the current Windows user satisfies the "App Group" role demand,
    ' False (after showing the exception text) when the demand is refused.
    Private Function DemandSecurity() As Boolean
        ' Make Thread.CurrentPrincipal a WindowsPrincipal so the demand is
        ' evaluated against the caller's Windows token.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        ' Nothing for the name means any authenticated user; only the role is checked.
        Dim principalGroup As New PrincipalPermission(Nothing, "App Group")
        Try
            principalGroup.Demand()
            Debug.Print("Demanding principal permissions for current user on 'App Group' role succeeded. ")
        Catch secEx As SecurityException
            Debug.Print("Security Exception - Demanding principal permissions for current user on 'App Group' role failed. ")

            Application.DoEvents()
            MessageBox.Show("Permission denied. Output: " & vbNewLine & secEx.ToString, "App - Security Exception", MessageBoxButtons.OK, MessageBoxIcon.Error, MessageBoxDefaultButton.Button1)

            Return False
        End Try
        Return True
    End Function

The error output from secEx.ToString is:

    System.Security.SecurityException: Request for principal permission failed.
       at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
       at System.Security.Permissions.PrincipalPermission.Demand()
       at App.My.MyApplication.DemandSecurity() in C:\Documents and Settings\me\My Documents\Visual Studio 2008\Projects\App\App\ApplicationEvents.vb:line 28

    The action that failed was:
    Demand
    The type of the first permission that failed was:
    System.Security.Permissions.PrincipalPermission

    The first permission that failed was:
    <IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1">
    <Identity Authenticated="true" Role="App Group"/>
    </IPermission>

    The demand was for:
    <IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1">
    <Identity Authenticated="true" Role="App Group"/>
    </IPermission>

    The assembly or AppDomain that failed was:
    mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Let me know if I need to include anything else.

Russell Hart

2 Answers


I think you had better check your AD groups to see this issue: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3e8e9209-17c7-4674-8780-7ae09c607118

Jorge Alvarado
  • Thanks Jorge. The cn name matches the pre-Windows 2000 name, so that won't work. Unless I missed the point of that article. – Russell Hart Nov 23 '12 at 21:17
  • To clarify, this does not answer the question. Hope someone can suggest what might be wrong with this. – Russell Hart Nov 24 '12 at 11:30
  • @RussellHart the fact that you state that some searches fail and others not is quite odd; it smells like a naming problem, as you stated in your info at the beginning. Have you tried using an LDAP browser and querying for the objectSID instead of the name? – Jorge Alvarado Nov 24 '12 at 12:24
  • The groups which succeed are in CN=Users. The groups which fail are in OU=Security Groups in the same domain. How do you change the above code to demand on a group in an organisational unit? Any pointers are much appreciated; please post as a new answer so I can accept. Thanks – Russell Hart Nov 25 '12 at 00:22

OK, this is just a wild guess. I happened to see this discussion regarding SAMAccountName and distinguished names, but have no idea if this is still a current issue: Active Directory and PrincipalPermission

Honestly, I don't know if the "Role" can perform a full LDAP filter, but let's give it a try. Let's suppose your group's distinguished name is like this:

"CN=MyGroup,OU=SecurityGroups,OU=Department,DC=Company,DC=com"

Why not try this:

Role="CN=MyGroup,OU=SecurityGroups,OU=Department,DC=Company,DC=com"

Role=@"Company.com\Department\Security Groups\MyGroup"  // Not sure about this one though

And because this one seems more logical, maybe like this:

Role=@"Company\SAMAccountNameOfYourGroup"

I think your groups in CN=Users may succeed because they are probably in the root of your Active Directory, so for the other groups you may need to give either the SAMAccount, which is unique, or some structure for the search.

Jorge Alvarado
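The answer above lists candidate Role strings to try. A quicker way to settle which form the demand will accept is to look at what the caller's Windows token actually contains: PrincipalPermission's role check is WindowsPrincipal.IsInRole, which resolves the Role string to a SID and compares it against the group SIDs in that token. The following is an added example, not code from the question or either answer. It dumps every group SID in the current token together with the NT account name it translates to, then checks the role both by name (as the question's code does, via PrincipalPermission.Demand) and by SID, which does not depend on the spelling of the name at all. "CONTOSO" and "App Group" are placeholders for the real domain and group; run it as the user whose demand fails, on a domain-joined machine.

```vbnet
' Added diagnostic example (not from the original question or answers).
' Lists the group names present in the current Windows token, then checks
' role membership by name and by SID. "CONTOSO" and "App Group" are
' placeholders for the real domain and group.
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module RoleDiagnostics

    ' Print every group SID in the caller's access token with the NT account
    ' name it translates to. The Role string given to PrincipalPermission has
    ' to resolve to one of these SIDs for the demand to succeed.
    Sub DumpTokenGroups(ByVal identity As WindowsIdentity)
        Console.WriteLine("Token groups for {0}:", identity.Name)
        For Each groupSid As IdentityReference In identity.Groups
            Dim name As String
            Try
                name = groupSid.Translate(GetType(NTAccount)).Value
            Catch ex As IdentityNotMappedException
                ' SIDs of deleted groups or unreachable domains have no name.
                name = "<unresolvable>"
            End Try
            Console.WriteLine("  {0,-50} {1}", groupSid.Value, name)
        Next
    End Sub

    ' Role check by name, exactly as the question's code does it.
    ' PrincipalPermission.Demand evaluates Thread.CurrentPrincipal.
    Function IsInRoleByName(ByVal role As String) As Boolean
        Dim permission As New PrincipalPermission(Nothing, role)
        Try
            permission.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    ' Role check by SID: resolve "DOMAIN\sAMAccountName" to a SID once, then
    ' compare identifiers. This is independent of how the group is named.
    Function IsInRoleBySid(ByVal principal As WindowsPrincipal, ByVal account As String) As Boolean
        Dim sid As SecurityIdentifier = CType(New NTAccount(account).Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        Return principal.IsInRole(sid)
    End Function

    Sub Main()
        ' Same policy as the question's code, so the demand sees the Windows token.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As New WindowsPrincipal(identity)
        Thread.CurrentPrincipal = principal

        DumpTokenGroups(identity)

        ' Placeholder role strings; replace with the real domain and group.
        Dim candidates() As String = {"App Group", "CONTOSO\App Group"}
        For Each role As String In candidates
            Console.WriteLine("Demand for role '{0}': {1}", role, IsInRoleByName(role))
        Next
        Console.WriteLine("IsInRole by SID for CONTOSO\App Group: {0}", IsInRoleBySid(principal, "CONTOSO\App Group"))
    End Sub

End Module
```

WindowsPrincipal.IsInRole(String) resolves its argument as an NT account name, either DOMAIN\name or a bare name, so whatever Role string the demand uses has to appear in the right-hand column of the dump. If the group you expect is listed there under a different name than the one in the Role string, use that name; if it is not listed at all, the token was built before the membership change and the user needs a fresh logon. Checking by SID, as IsInRoleBySid does, avoids the naming question entirely and is the more robust form for an application that ships to several domains.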