
Windows Server Forum / IIS / IIS Security / July 2008


ASP.Net 2.0 windows IsInRole error

bake - 17 Jul 2008 19:24 GMT
We are sometimes getting the following error when calling User.IsInRole:
The trust relationship between the primary domain and the trusted domain
failed.

If the user is in the group we are specifying, IsInRole returns true. If
they are not in the group we are specifying, IsInRole throws that error.

Has anyone seen this before, or know how we might be able to troubleshoot
this? Perhaps there is additional logging we can turn on for the lower level
security calls?

Details:
The IsInRole call is happening in a Web Service method, called from a
Winform app.
User is in Domain A, Group exists in Domain B. Full trust between domains.
Trust is definitely fully functional as we would be experiencing many other
failures otherwise.
We are specifying the Domain in the IsInRole call. For instance
DomainB\TestGroup
IIS Directory Security - Windows Authentication
ASP.Net authentication - Windows (not impersonating)
Web Server - 2003 Server
AD Domain - 2003 Server

Code where we are setting the credentials in Winform prior to Web Service
Call:
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;

Exception Stack Trace:
  at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
  at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean& someFailed)
  at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
  at System.Security.Principal.WindowsPrincipal.IsInRole(String role)
  at WebService.ServiceMethod()

Thanks so much!
Mike
Steven Cheng [MSFT] - 18 Jul 2008 07:13 GMT
Hi Mike,

From your description, when calling the "WindowsPrincipal.IsInRole" method
in an ASP.NET webservice, you got the following exception, correct?

"The trust relationship between the primary domain and the trusted domain
failed...."

Based on my research, there are some existing common issues related to this
error message, and most of them are caused by not supplying the domain name
when calling the "IsInRole" function. However, as you said that you've already
supplied the domain name in the account name parameter, I think the problem
here is a bit different. Would you also post the code snippet in your
webmethod which calls the "IsInRole" function?

Also, for the trusted domain part, have you verified that if the account
(you passed into the "IsInRole" function) is from the same domain (rather than
another trusted domain) as the webserver, it will work correctly?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

bake - 21 Jul 2008 22:59 GMT
Hi Steven,

I have an update for you. I wrote a test app to remove any application
specific variables, and found that we were actually calling IsInRole with a
non-existent group and without specifying the domain. Sorry about that, there
was some miscommunication between the person who wrote the code and me. So
the group does not exist anywhere, and no domain was specified. I would think
that in a perfect world (no bugs in framework, our network set up correctly,
etc.), it would not blow up, but it is easy enough for us to work around.

However, we are still seeing strange behavior from the IsInRole call. It is
acting differently on our XP Pro workstations (in one domain) than when it is
running on our 2003 Web Servers (in another domain).

I'll create a new posting to cover the scenarios, and include code snippets,
etc.

Thank you,
Mike

Steven Cheng [MSFT] - 22 Jul 2008 03:21 GMT
Thanks for your followup Mike,

I'm glad that you've figured out the original issue and let us know the
progress.  

Sure, welcome to post in the newsgroup for any new issues you encounter.

Sincerely,

Steven Cheng
Microsoft MSDN Online Support Lead
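
An added example, not code from the thread or from Microsoft: one way to keep the authorization check described above from throwing when the group name is unqualified or does not exist, by resolving the group to a SID first and denying access if that fails. `RoleCheck`, `GroupCheck` and the sample group names are hypothetical, and the assumption that lookup failures such as the trust-relationship error surface as `SystemException` is based on the `NTAccount.TranslateToSids` frame in the posted stack trace.

```csharp
using System;
using System.Security.Principal;

// Added example; type names and sample group names are hypothetical.
public enum GroupCheck { Member, NotMember, GroupUnresolvable }

public static class RoleCheck
{
    // Resolve DOMAIN\group to a SID ourselves, then test membership by SID,
    // so an unresolvable name becomes a distinct, deny-by-default result
    // instead of an exception escaping from the web method.
    public static GroupCheck Check(WindowsPrincipal user, string domain, string group)
    {
        if (user == null) throw new ArgumentNullException("user");
        if (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(group))
            return GroupCheck.GroupUnresolvable;   // refuse unqualified names

        SecurityIdentifier sid;
        try
        {
            NTAccount account = new NTAccount(domain, group);
            sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return GroupCheck.GroupUnresolvable;   // no such group in that domain
        }
        catch (SystemException)
        {
            // Assumption: other lookup failures (for example the trust-relationship
            // message in the thread) arrive here; log them and deny.
            return GroupCheck.GroupUnresolvable;
        }
        return user.IsInRole(sid) ? GroupCheck.Member : GroupCheck.NotMember;
    }
}

public static class Program
{
    public static void Main()
    {
        WindowsPrincipal user = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        // BUILTIN\Users is a well-known group; the second name is constructed
        // for this example and is not expected to resolve.
        Console.WriteLine(RoleCheck.Check(user, "BUILTIN", "Users"));
        Console.WriteLine(RoleCheck.Check(user, Environment.MachineName, "NoSuchGroup-constructed"));
    }
}
```

Treating `GroupUnresolvable` as a denial while logging it separately from `NotMember` makes a mistyped or missing group name visible as a configuration fault rather than an intermittent runtime error.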
