
I have two domains that are set up with a two way trust.

Domain A has a group (group A) with a member (User A).

Domain B has a group (group B) with Group A (from the other domain) as a member.

I'm checking with:

if(User.IsInRole(group B))
{
  // logging in as User A should provide access because this user is part of Group A which is part of Group B
}

But that's not working.

What am I missing here?

user1154725
  • How did you specify `groupB`? Did you specify it by name? Or did you specify it by SecurityIdentifier? Try to use SecurityIdentifier – Harvey Kwok Aug 07 '12 at 05:12
  • Not entirely sure what you mean. Group B is the "destination" group on the secondary domain (domain B). Group A (from the primary domain) is nested within Group B. – user1154725 Aug 08 '12 at 16:49
  • There are multiple versions of `IsInRole`. One of them accepts a `string` as parameter. Another one accepts a `SecurityIdentifier` as parameter. What's the type of groupB? – Harvey Kwok Aug 08 '12 at 21:52
  • Ahh ok... I'm passing in a string. How do I obtain the SID to pass in instead? – user1154725 Aug 09 '12 at 20:25
  • You can get [GroupPrincipal](http://msdn.microsoft.com/en-us/library/bb359530.aspx) and then get its `Sid` – Harvey Kwok Aug 10 '12 at 04:11

1 Answer


This fails for me when run on a machine logged in as the user and joined to that domain.

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.DirectoryServices.ActiveDirectory;
    using System.Security.Principal;
    using NUnit.Framework;

    // Resolve the group in the named domain and return its SID, so the
    // IsInRole check compares against the SIDs already in the logon token
    // instead of asking the local machine to translate a name.
    private static SecurityIdentifier GetGroupSid(string domainName, string groupName)
    {
        using (var d = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, domainName)))
        using (var context = new PrincipalContext(ContextType.Domain, d.Name))
        using (var group = GroupPrincipal.FindByIdentity(context, groupName))
        {
            // FindByIdentity returns null when the group does not exist;
            // fail loudly rather than with a NullReferenceException.
            if (group == null)
                throw new ArgumentException("Group not found in " + d.Name + ": " + groupName);
            return group.Sid;
        }
    }

    [Test]
    public void should_check_role_with_sid()
    {
        var barDomain = "bar.example.com";
        var groupinBar = GetGroupSid(barDomain, "group_in_bar");
        // Token of the current process; its group SIDs were fixed at logon.
        var identity = WindowsIdentity.GetCurrent();
        var windowsPrincipal = new WindowsPrincipal(identity);
        Assert.That(windowsPrincipal.IsInRole(groupinBar), Is.True, "Checking role " + groupinBar);
    }
dave
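The following is an added diagnostic example, not code from the question or the answer above. It puts the name-based and SID-based `IsInRole` overloads side by side and then dumps the groups actually present in the logon token, which is what both overloads are ultimately compared against. Two things it makes visible: `IsInRole(string)` silently returns `false` when the local LSA cannot translate the name to a SID, and a domain-local group in domain B is only added to the token when the user authenticates to a resource in domain B, so it will not show up at all when the user logs on to a machine in domain A. The domain name `bar.example.com` and the group name `group_in_bar` are assumptions; a reference to the System.DirectoryServices.AccountManagement assembly is required.

```csharp
// Added example (not from the original post). Assumed names: "bar.example.com", "group_in_bar".
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class RoleCheckDiagnostics
{
    // Resolve a group in the given domain to its SID and report its scope.
    // Returns null (and scope null) when the group cannot be found.
    static SecurityIdentifier ResolveGroupSid(string domain, string samAccountName, out GroupScope? scope)
    {
        scope = null;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (grp == null) return null;
            scope = grp.GroupScope;   // Local, Global or Universal
            return grp.Sid;
        }
    }

    static void Main()
    {
        const string domain = "bar.example.com";   // assumed
        const string groupName = "group_in_bar";   // assumed

        var identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);

        // 1. Name-based check. The string is translated to a SID by the local
        //    machine; if that lookup fails (common across a trust) this returns
        //    false without throwing, which looks like "not a member".
        Console.WriteLine("IsInRole(\"{0}\\{1}\") = {2}", domain, groupName,
            principal.IsInRole(domain + "\\" + groupName));

        // 2. SID-based check. No name translation; the SID is compared directly
        //    with the group SIDs in the token.
        GroupScope? scope;
        var sid = ResolveGroupSid(domain, groupName, out scope);
        if (sid == null)
        {
            Console.WriteLine("Group {0} not found in {1}", groupName, domain);
            return;
        }
        Console.WriteLine("Group SID {0}, scope {1}", sid, scope);
        Console.WriteLine("IsInRole(sid) = {0}", principal.IsInRole(sid));

        // 3. Dump the token groups. If the SID from step 2 is not in this list,
        //    no IsInRole overload can succeed: membership is evaluated at logon,
        //    and domain-local groups of another domain are only added when the
        //    user authenticates to a resource in that domain.
        Console.WriteLine("Token groups:");
        foreach (IdentityReference g in identity.Groups)
        {
            string name;
            try { name = g.Translate(typeof(NTAccount)).ToString(); }
            catch (IdentityNotMappedException) { name = "<unresolvable from this machine>"; }
            Console.WriteLine("  {0,-48} {1}", g.Value, name);
        }
    }
}
```

Run it in the same logon session that the `IsInRole` check is failing in. If step 1 is false but step 2 is true, the problem is name translation and passing the SID (as the answer does) fixes it. If step 2 is also false and the SID is missing from the step 3 list, the group was never placed in the token; check the scope printed in step 2, since a domain-local group in domain B will only appear when the user logs on to a machine or service in domain B.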