User.IsInRole is always FALSE

Hi, I have the following problem...

Pre-requisites:
Installation of an Asp.net webservice on a IIS5 server (win2k). Anonymous
access is not allowed, only using windows authentication (intranet app),
webmethoda are using the Principalpermssion attribute
([PrincipalPermission(SecurityAction.Demand,
Role=@"DomainName\WindowsGroup...")]) for identification.

Result --> does not work

When I change the to [PrincipalPermission(SecurityAction.Demand,
name=@"DomainName\Windowsuser...")]) -> it runs fine

--> conclusion: IIS cannot determine if a user belongs to an AD group -->
IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!

I already found an article on the web
(http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share), but
didn't solved the problem...

Does anyone know more about this issue?

Thanks
Oliver Rainer

June 7, 2005

hehe I actually have to go to a meeting right now, but a quick suggestion
before I leave. Try switching the PrincipalPermission
role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
this change, but it should work.... depending on which role it is, so if you
could post it, that would really help... until later! :-)

--
Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

"Oliver Rainer" <olrainer@tiscali.ch> wrote in message
news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=blue]
> Hi, I have the following problem...
>
> Pre-requisites:
> Installation of an Asp.net webservice on a IIS5 server (win2k). Anonymous
> access is not allowed, only using windows authentication (intranet app),
> webmethoda are using the Principalpermssion attribute
> ([PrincipalPermission(SecurityAction.Demand,
> Role=@"DomainName\WindowsGroup...")]) for identification.
>
> Result --> does not work
>
> When I change the to [PrincipalPermission(SecurityAction.Demand,
> name=@"DomainName\Windowsuser...")]) -> it runs fine
>
> --> conclusion: IIS cannot determine if a user belongs to an AD group -->
> IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
>
> I already found an article on the web
> (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share), but
> didn't solved the problem...
>
> Does anyone know more about this issue?
>
> Thanks
> Oliver Rainer
>
>
>[/color]

June 7, 2005

hehe I actually have to go to a meeting right now, but a quick suggestion
before I leave. Try switching the PrincipalPermission
role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
this change, but it should work.... depending on which role it is, so if you
could post it, that would really help... until later! :-)

--
Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

"Oliver Rainer" <olrainer@tiscali.ch> wrote in message
news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=blue]
> Hi, I have the following problem...
>
> Pre-requisites:
> Installation of an Asp.net webservice on a IIS5 server (win2k). Anonymous
> access is not allowed, only using windows authentication (intranet app),
> webmethoda are using the Principalpermssion attribute
> ([PrincipalPermission(SecurityAction.Demand,
> Role=@"DomainName\WindowsGroup...")]) for identification.
>
> Result --> does not work
>
> When I change the to [PrincipalPermission(SecurityAction.Demand,
> name=@"DomainName\Windowsuser...")]) -> it runs fine
>
> --> conclusion: IIS cannot determine if a user belongs to an AD group -->
> IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
>
> I already found an article on the web
> (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share), but
> didn't solved the problem...
>
> Does anyone know more about this issue?
>
> Thanks
> Oliver Rainer
>
>
>[/color]

Thanks for your suggestion... that really works for local groups (BUILTIN),
but IIS still has the problem to resolve AD groups (OURDOMAIN\...)... The
strange thing is that on certain machines (our developer machines), IIS can
succesfully determine if a user belongs to an AD group...

Do you have other suggestions??

Thanks
Oliver Rainer


"Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=blue]
> June 7, 2005
>
> hehe I actually have to go to a meeting right now, but a quick suggestion
> before I leave. Try switching the PrincipalPermission
> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
> this change, but it should work.... depending on which role it is, so if[/color]
you[color=blue]
> could post it, that would really help... until later! :-)
>
> --
> Joseph Bittman
> Microsoft Certified Application Developer
>
> Web Site: http://71.35.110.42
> Dynamic IP -- Check here for future changes
>
> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=green]
> > Hi, I have the following problem...
> >
> > Pre-requisites:
> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color][/color]
Anonymous[color=blue][color=green]
> > access is not allowed, only using windows authentication (intranet app),
> > webmethoda are using the Principalpermssion attribute
> > ([PrincipalPermission(SecurityAction.Demand,
> > Role=@"DomainName\WindowsGroup...")]) for identification.
> >
> > Result --> does not work
> >
> > When I change the to [PrincipalPermission(SecurityAction.Demand,
> > name=@"DomainName\Windowsuser...")]) -> it runs fine
> >
> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color][/color]
group -->[color=blue][color=green]
> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
> >
> > I already found an article on the web
> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share), but
> > didn't solved the problem...
> >
> > Does anyone know more about this issue?
> >
> > Thanks
> > Oliver Rainer
> >
> >
> >[/color]
>
>[/color]

Thanks for your suggestion... that really works for local groups (BUILTIN),
but IIS still has the problem to resolve AD groups (OURDOMAIN\...)... The
strange thing is that on certain machines (our developer machines), IIS can
succesfully determine if a user belongs to an AD group...

Do you have other suggestions??

Thanks
Oliver Rainer


"Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=blue]
> June 7, 2005
>
> hehe I actually have to go to a meeting right now, but a quick suggestion
> before I leave. Try switching the PrincipalPermission
> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
> this change, but it should work.... depending on which role it is, so if[/color]
you[color=blue]
> could post it, that would really help... until later! :-)
>
> --
> Joseph Bittman
> Microsoft Certified Application Developer
>
> Web Site: http://71.35.110.42
> Dynamic IP -- Check here for future changes
>
> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=green]
> > Hi, I have the following problem...
> >
> > Pre-requisites:
> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color][/color]
Anonymous[color=blue][color=green]
> > access is not allowed, only using windows authentication (intranet app),
> > webmethoda are using the Principalpermssion attribute
> > ([PrincipalPermission(SecurityAction.Demand,
> > Role=@"DomainName\WindowsGroup...")]) for identification.
> >
> > Result --> does not work
> >
> > When I change the to [PrincipalPermission(SecurityAction.Demand,
> > name=@"DomainName\Windowsuser...")]) -> it runs fine
> >
> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color][/color]
group -->[color=blue][color=green]
> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
> >
> > I already found an article on the web
> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share), but
> > didn't solved the problem...
> >
> > Does anyone know more about this issue?
> >
> > Thanks
> > Oliver Rainer
> >
> >
> >[/color]
>
>[/color]

June 9, 2005

:-) Yes, the BUILTIN will only work for local groups. AD groups are
somewhat more mysterious and have had problems with them myself. When you
call IsInRole, where is the IPrincipal coming from? Are you using the
interface directly, or using an object taken from the
System.Threading.Thread.CurrentPrincipal, or the User object???? This makes
a big difference in the result that you will get, because I believe in your
case that only a principal taken from User will reflect the user's identity
and not ASPNET. If you could post how you got Iprincipal.IsInRole, then I
believe that I can help you further! :-) Have a great day and until later!!!

--
Joseph Bittman Beta ID# 678424
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

"Oliver Rainer" <olrainer@tiscali.ch> wrote in message
news:O$%23NC1$aFHA.1044@TK2MSFTNGP10.phx.gbl...[color=blue]
> Thanks for your suggestion... that really works for local groups
> (BUILTIN),
> but IIS still has the problem to resolve AD groups (OURDOMAIN\...)... The
> strange thing is that on certain machines (our developer machines), IIS
> can
> succesfully determine if a user belongs to an AD group...
>
> Do you have other suggestions??
>
> Thanks
> Oliver Rainer
>
>
> "Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
> news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=green]
>> June 7, 2005
>>
>> hehe I actually have to go to a meeting right now, but a quick
>> suggestion
>> before I leave. Try switching the PrincipalPermission
>> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
>> this change, but it should work.... depending on which role it is, so if[/color]
> you[color=green]
>> could post it, that would really help... until later! :-)
>>
>> --
>> Joseph Bittman
>> Microsoft Certified Application Developer
>>
>> Web Site: http://71.35.110.42
>> Dynamic IP -- Check here for future changes
>>
>> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
>> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=darkred]
>> > Hi, I have the following problem...
>> >
>> > Pre-requisites:
>> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color][/color]
> Anonymous[color=green][color=darkred]
>> > access is not allowed, only using windows authentication (intranet
>> > app),
>> > webmethoda are using the Principalpermssion attribute
>> > ([PrincipalPermission(SecurityAction.Demand,
>> > Role=@"DomainName\WindowsGroup...")]) for identification.
>> >
>> > Result --> does not work
>> >
>> > When I change the to [PrincipalPermission(SecurityAction.Demand,
>> > name=@"DomainName\Windowsuser...")]) -> it runs fine
>> >
>> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color][/color]
> group -->[color=green][color=darkred]
>> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
>> >
>> > I already found an article on the web
>> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share),
>> > but
>> > didn't solved the problem...
>> >
>> > Does anyone know more about this issue?
>> >
>> > Thanks
>> > Oliver Rainer
>> >
>> >
>> >[/color]
>>
>>[/color]
>
>[/color]

June 9, 2005

:-) Yes, the BUILTIN will only work for local groups. AD groups are
somewhat more mysterious and have had problems with them myself. When you
call IsInRole, where is the IPrincipal coming from? Are you using the
interface directly, or using an object taken from the
System.Threading.Thread.CurrentPrincipal, or the User object???? This makes
a big difference in the result that you will get, because I believe in your
case that only a principal taken from User will reflect the user's identity
and not ASPNET. If you could post how you got Iprincipal.IsInRole, then I
believe that I can help you further! :-) Have a great day and until later!!!

--
Joseph Bittman Beta ID# 678424
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

"Oliver Rainer" <olrainer@tiscali.ch> wrote in message
news:O$%23NC1$aFHA.1044@TK2MSFTNGP10.phx.gbl...[color=blue]
> Thanks for your suggestion... that really works for local groups
> (BUILTIN),
> but IIS still has the problem to resolve AD groups (OURDOMAIN\...)... The
> strange thing is that on certain machines (our developer machines), IIS
> can
> succesfully determine if a user belongs to an AD group...
>
> Do you have other suggestions??
>
> Thanks
> Oliver Rainer
>
>
> "Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
> news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=green]
>> June 7, 2005
>>
>> hehe I actually have to go to a meeting right now, but a quick
>> suggestion
>> before I leave. Try switching the PrincipalPermission
>> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more to
>> this change, but it should work.... depending on which role it is, so if[/color]
> you[color=green]
>> could post it, that would really help... until later! :-)
>>
>> --
>> Joseph Bittman
>> Microsoft Certified Application Developer
>>
>> Web Site: http://71.35.110.42
>> Dynamic IP -- Check here for future changes
>>
>> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
>> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...[color=darkred]
>> > Hi, I have the following problem...
>> >
>> > Pre-requisites:
>> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color][/color]
> Anonymous[color=green][color=darkred]
>> > access is not allowed, only using windows authentication (intranet
>> > app),
>> > webmethoda are using the Principalpermssion attribute
>> > ([PrincipalPermission(SecurityAction.Demand,
>> > Role=@"DomainName\WindowsGroup...")]) for identification.
>> >
>> > Result --> does not work
>> >
>> > When I change the to [PrincipalPermission(SecurityAction.Demand,
>> > name=@"DomainName\Windowsuser...")]) -> it runs fine
>> >
>> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color][/color]
> group -->[color=green][color=darkred]
>> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
>> >
>> > I already found an article on the web
>> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share),
>> > but
>> > didn't solved the problem...
>> >
>> > Does anyone know more about this issue?
>> >
>> > Thanks
>> > Oliver Rainer
>> >
>> >
>> >[/color]
>>
>>[/color]
>
>[/color]

Hi Joseph,

I executed the following code for testing the stuff --> all booleans were
false except the local admin groups...

WindowsPrincipal windowsPrincipal =
(WindowsPrincipal)Thread.CurrentPrincipal;

IPrincipal iPrincipal = Thread.CurrentPrincipal;

WindowsIdentity windowsIdentity =
System.Security.Principal.WindowsIdentity.GetCurre nt();

string user = windowsIdentity.Name;


bool isLocalAdmin =
windowsPrincipal.IsInRole(WindowsBuiltInRole.Admin istrator);

bool isInTestgroup1 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup1");

bool isInTestgroup2 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup2");

bool isLocalAdmin_2 = iPrincipal.IsInRole(@"BUILTIN\Administrators");

bool isInTestgroup1_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup1");

bool isInTestgroup2_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup2");

Thanks for your help...

Oliver Rainer




"Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
news:OJWiWGEbFHA.3032@TK2MSFTNGP10.phx.gbl...[color=blue]
> June 9, 2005
>
> :-) Yes, the BUILTIN will only work for local groups. AD groups are
> somewhat more mysterious and have had problems with them myself. When you
> call IsInRole, where is the IPrincipal coming from? Are you using the
> interface directly, or using an object taken from the
> System.Threading.Thread.CurrentPrincipal, or the User object???? This[/color]
makes[color=blue]
> a big difference in the result that you will get, because I believe in[/color]
your[color=blue]
> case that only a principal taken from User will reflect the user's[/color]
identity[color=blue]
> and not ASPNET. If you could post how you got Iprincipal.IsInRole, then I
> believe that I can help you further! :-) Have a great day and until[/color]
later!!![color=blue]
>
> --
> Joseph Bittman Beta ID# 678424
> Microsoft Certified Application Developer
>
> Web Site: http://71.35.110.42
> Dynamic IP -- Check here for future changes
>
> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> news:O$%23NC1$aFHA.1044@TK2MSFTNGP10.phx.gbl...[color=green]
> > Thanks for your suggestion... that really works for local groups
> > (BUILTIN),
> > but IIS still has the problem to resolve AD groups (OURDOMAIN\...)...[/color][/color]
The[color=blue][color=green]
> > strange thing is that on certain machines (our developer machines), IIS
> > can
> > succesfully determine if a user belongs to an AD group...
> >
> > Do you have other suggestions??
> >
> > Thanks
> > Oliver Rainer
> >
> >
> > "Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
> > news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=darkred]
> >> June 7, 2005
> >>
> >> hehe I actually have to go to a meeting right now, but a quick
> >> suggestion
> >> before I leave. Try switching the PrincipalPermission
> >> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> >> this change, but it should work.... depending on which role it is, so[/color][/color][/color]
if[color=blue][color=green]
> > you[color=darkred]
> >> could post it, that would really help... until later! :-)
> >>
> >> --
> >> Joseph Bittman
> >> Microsoft Certified Application Developer
> >>
> >> Web Site: http://71.35.110.42
> >> Dynamic IP -- Check here for future changes
> >>
> >> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> >> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...
> >> > Hi, I have the following problem...
> >> >
> >> > Pre-requisites:
> >> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color]
> > Anonymous[color=darkred]
> >> > access is not allowed, only using windows authentication (intranet
> >> > app),
> >> > webmethoda are using the Principalpermssion attribute
> >> > ([PrincipalPermission(SecurityAction.Demand,
> >> > Role=@"DomainName\WindowsGroup...")]) for identification.
> >> >
> >> > Result --> does not work
> >> >
> >> > When I change the to [PrincipalPermission(SecurityAction.Demand,
> >> > name=@"DomainName\Windowsuser...")]) -> it runs fine
> >> >
> >> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color]
> > group -->[color=darkred]
> >> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
> >> >
> >> > I already found an article on the web
> >> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share),
> >> > but
> >> > didn't solved the problem...
> >> >
> >> > Does anyone know more about this issue?
> >> >
> >> > Thanks
> >> > Oliver Rainer
> >> >
> >> >
> >> >
> >>
> >>[/color]
> >
> >[/color]
>
>[/color]

Hi Joseph,

I executed the following code for testing the stuff --> all booleans were
false except the local admin groups...

WindowsPrincipal windowsPrincipal =
(WindowsPrincipal)Thread.CurrentPrincipal;

IPrincipal iPrincipal = Thread.CurrentPrincipal;

WindowsIdentity windowsIdentity =
System.Security.Principal.WindowsIdentity.GetCurre nt();

string user = windowsIdentity.Name;


bool isLocalAdmin =
windowsPrincipal.IsInRole(WindowsBuiltInRole.Admin istrator);

bool isInTestgroup1 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup1");

bool isInTestgroup2 = windowsPrincipal.IsInRole(@"DOMAIN\Testgroup2");

bool isLocalAdmin_2 = iPrincipal.IsInRole(@"BUILTIN\Administrators");

bool isInTestgroup1_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup1");

bool isInTestgroup2_2 = iPrincipal.IsInRole(@"DOMAIN\Testgroup2");

Thanks for your help...

Oliver Rainer




"Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
news:OJWiWGEbFHA.3032@TK2MSFTNGP10.phx.gbl...[color=blue]
> June 9, 2005
>
> :-) Yes, the BUILTIN will only work for local groups. AD groups are
> somewhat more mysterious and have had problems with them myself. When you
> call IsInRole, where is the IPrincipal coming from? Are you using the
> interface directly, or using an object taken from the
> System.Threading.Thread.CurrentPrincipal, or the User object???? This[/color]
makes[color=blue]
> a big difference in the result that you will get, because I believe in[/color]
your[color=blue]
> case that only a principal taken from User will reflect the user's[/color]
identity[color=blue]
> and not ASPNET. If you could post how you got Iprincipal.IsInRole, then I
> believe that I can help you further! :-) Have a great day and until[/color]
later!!![color=blue]
>
> --
> Joseph Bittman Beta ID# 678424
> Microsoft Certified Application Developer
>
> Web Site: http://71.35.110.42
> Dynamic IP -- Check here for future changes
>
> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> news:O$%23NC1$aFHA.1044@TK2MSFTNGP10.phx.gbl...[color=green]
> > Thanks for your suggestion... that really works for local groups
> > (BUILTIN),
> > but IIS still has the problem to resolve AD groups (OURDOMAIN\...)...[/color][/color]
The[color=blue][color=green]
> > strange thing is that on certain machines (our developer machines), IIS
> > can
> > succesfully determine if a user belongs to an AD group...
> >
> > Do you have other suggestions??
> >
> > Thanks
> > Oliver Rainer
> >
> >
> > "Joseph Bittman MCAD" <RyanBittman@msn.com> wrote in message
> > news:eIRT4F4aFHA.3280@TK2MSFTNGP12.phx.gbl...[color=darkred]
> >> June 7, 2005
> >>
> >> hehe I actually have to go to a meeting right now, but a quick
> >> suggestion
> >> before I leave. Try switching the PrincipalPermission
> >> role="domain\groupname" to "BUILTIN\GROUPNAME". There is a little more[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> >> this change, but it should work.... depending on which role it is, so[/color][/color][/color]
if[color=blue][color=green]
> > you[color=darkred]
> >> could post it, that would really help... until later! :-)
> >>
> >> --
> >> Joseph Bittman
> >> Microsoft Certified Application Developer
> >>
> >> Web Site: http://71.35.110.42
> >> Dynamic IP -- Check here for future changes
> >>
> >> "Oliver Rainer" <olrainer@tiscali.ch> wrote in message
> >> news:ubg7WH3aFHA.2440@TK2MSFTNGP10.phx.gbl...
> >> > Hi, I have the following problem...
> >> >
> >> > Pre-requisites:
> >> > Installation of an Asp.net webservice on a IIS5 server (win2k).[/color]
> > Anonymous[color=darkred]
> >> > access is not allowed, only using windows authentication (intranet
> >> > app),
> >> > webmethoda are using the Principalpermssion attribute
> >> > ([PrincipalPermission(SecurityAction.Demand,
> >> > Role=@"DomainName\WindowsGroup...")]) for identification.
> >> >
> >> > Result --> does not work
> >> >
> >> > When I change the to [PrincipalPermission(SecurityAction.Demand,
> >> > name=@"DomainName\Windowsuser...")]) -> it runs fine
> >> >
> >> > --> conclusion: IIS cannot determine if a user belongs to an AD[/color]
> > group -->[color=darkred]
> >> > IPrincipal.IsInRole(@"DomainName\WindowsGroup") is always FALSE!
> >> >
> >> > I already found an article on the web
> >> > (http://www.kbalertz.com/kb_894432.aspx --> web dir is UNC share),
> >> > but
> >> > didn't solved the problem...
> >> >
> >> > Does anyone know more about this issue?
> >> >
> >> > Thanks
> >> > Oliver Rainer
> >> >
> >> >
> >> >
> >>
> >>[/color]
> >
> >[/color]
>
>[/color]