David Crawford's WebLog

Bill,

Win2k3 R2 is equivalent to Win2k3 SP1 as far as AzMan.  I suppose that initializing an empty client context and using the ldapquerydn on the client context would give the appearence of using an ADAM name but it would do so with the expense of making ldap calls/queries using dynamic ldap query groups. There are performance advantages to populating the sids using AddStringSids http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazclientcontext2_addstringsids.asp?frame=true 
in the client context from a query to the adam user token groups
The following is the location for the interface docs on msdn.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_interfaces.asp?frame=true  

The ones with a (2) are available SP 1 update and the ones with a (3) are a few potentials for LH/Vista - the info on MSDN is early preview.  I would keep an eye out for the next Vista beta for some more AzMan enhancements but Vista does NOT have an initializeclientcontextfromAdamName planned.

The upcoming AzMan white paper will go into some of the SP 1 enhancements.

Look for an ADAM object picker in the MMC at Vista timeframe.  AzMan before then enables user assignment and authorization management via the API only.  Most people make the authorization part of their application.  There would be an admin web page for instance that could allow role assignment using the AzMan API.

Regards,
David

if u get this error:

Unable to cast COM object of type 'Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass' to interface type 'Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{B11E5584-D577-4273-B6C5-0973E0F8E80D}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).

Then u must reregister azroles.dll in system32

Somehow the compoenet wasnt registered properly.

Chris wrote:The problem I am having now, after importing the policy store into AzMan, is that the role, task, and operation definitions and the role assignments are showing up in AzMan but when I call the AccessCheck() method on the API for a series of defined operations, the operations are not seen as assigned to the user/role.  The AccessCheck() call is returning 5 when it should be returning 0.  If I create a new application in AzMan and hand-key in all the definitions and role assignments and then call the AccessCheck() on the new application then the correct values are returned.  There is some small detail that I am missing during the import.

If u are having this problem use OpenApplication2 and get IAzApplication2 instead of the ordinary interface. U might get the interface not registered problem, and after u fix that it will work just fine

David,

Was there an answer to Barry's question about the InvalidCastException being generated when opening the application? I am also using the 1.2 pia and am running into the exact same problem.

Thanks,

-Paul

I want to add a user (or member) to a role. I am using the following code:

iAzRole.AddMemberName(strMemberName, null);

It is working fine. But before this, I want to check that the user is valid member in active directory. How to do this?

thank you,

Sreenivas

Hi David,

We are using the AzMan API (W2003 SP1) to import / export an ADAM store and we are getting some problems...

Apparently it works fine and we replicate the original store in the destination machine. If we look at the console, all the operation, roles and groups are created, but if we ask for a certain operation, the Accesscheck return access denied. If we do by hand, all works correctly (this problem is also reported in this blog on 5/2/2006). it seems the problem is on the link between groups and roles.

My code...

azRole = azApp.OpenRole("RoleName", null);

azRole.AddAppMember("GroupName", null);

azRole.Sobmit(o, null);

Any idea?

Thanks in advance.

Hi,

I want to add non-windows user to Azman role. But it is giving following error

Code -

=============================

IAzRole newRole = azApp.OpenRole("MerchantAdmin", null);

newRole.AddMember(user.ProviderUserKey.ToString(), null);

Error -

"The security ID structure is invalid"

Code -

==================================

       IAzRole newRole = azApp.OpenRole("MerchantAdmin", null);

newRole.AddMemberName("vinay100", null);

Error -

The trust relationship between the primary domain and the trusted domain failed

I am using windows 2k3 with SP1.

Thanks

Prashant

Hi Dave

I installed AzMan on windows XP machine.I try to create new xml authorization store. but it display the following error :

"Cannot create a authorization store.The following problem occured: The request is not supported"

Can I create xml store on windows xp machine ?

Thanks in advance

A.Hadi

Instead of getting the task names, when I call IAzRole.Tasks all I get is the name of the role.  Thus for the following code, I get the the output Role(Clerk) Task(Clerk)

     AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();

     store.Initialize(0, @"msxml://E:\adminpak\store\test.xml", null);

     app = store.OpenApplication("Corporate Library Application", null);

     identity = WindowsIdentity.GetCurrent();

     ctx = app.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);

     object[] roles = (object[])ctx.GetRoles("");

     foreach (string str in roles)

     {

       Console.WriteLine("Role({0})", str);

       IAzRole role = app.OpenRole(str, null);

       foreach (string tsk in (object[])role.Tasks)

       {

         Console.WriteLine("Task({0})", tsk);

       }

     }

I found why sometimes AzMan gets the "Reauest is not supported" error because the XML store file should be in an NTFS drive.!!!!

Hi Dave,

First, my problem.  I have a requirement to support groups based on LDAP queries that will be resolved at a Lotus Domino server.  I don't believe that AzMan will support this configuration (please correct me if this is an incorrect assumption).  My solution is to resolve the LDAP groups manually, interpret the results, and dynamically add ApplicationGroups to the ClientContext.

However, I can't get context.AddApplicationGroups to succeed.  I always get an InvalidArgumentException.  Here is a code snip.

Thanks,

Andy

public IAzAuthorizationStore2 _store;

public IAzApplication2        _app;

public IAzClientContext2      _ctx;

public void run()

{

_store = new AzAuthorizationStoreClass();

String store = "msldap://localhost:50000/CN=AzManADAMStore,OU=tester2,O=JanusSearch";

_store.Initialize(0, store, null);

String app = "notesGroup";

_app = (IAzApplication2)_store.OpenApplication(app, null);

//end setup

//get context

string user = "avisser";

string domain = "otg";

_ctx = (IAzClientContext2)_app.InitializeClientContextFromName(user, domain, null);

//end get context

//add groups to context

IAzApplicationGroup group = _app.OpenApplicationGroup("just me", null);

object[] oArr = new object[1];

oArr[0] = group;

//setting up the array this way also fails

// IAzApplicationGroup[] oArr = new IAzApplicationGroup[1];

// oArr[0] = group;

_ctx.AddApplicationGroups(oArr); //throws InvalidArgumentException

}

I figured it out.  You need to pass in an IAzApplicationGroups object, not an array of objects.

If my assumption that AzMan and Lotus Domino won't play together is still false, please let me know.

Thanks,

Andy

Hi

I'm currently developing a RBAC enabled application using Visual C#.net. I have the Windows Server 2003 installed on a seperate machine(which has the azman) which is connected to a client via a HUB.

If i execute the app i have created on the client it should grab the current user's logon token and pass it to server for authentication. Currently i have included reference to Azroles DLL in my C# app.

Do i need a network related library as well to make the token exchange over the network to work or is it taken care of automatically?

Cheers

Hi David,

Yes my policy store resides on the Windows Server 2003 machine which is connected to the actual client's machine via a hub (LAN). I have implemented a DC on the Server and have added the user's for the experiment on to the Active Directory. I'm hoping to run the Visual C#.NET application on the client's machine and it should pass on the client's credentials to the WinServer2003. So if i adjust the initializeclientcontextfromtoken i should be able to run the app from client . Am i correct?

Regards

Janantha

Using integrated authN to web svc wouldn't require passing anything... run  init context and access check from a/the server.

David

Hi david,

I'll give it a go..thanks for the info..

regards

Jay

I've seen it referenced that in Vista there will be the option for a SQL Policy Store location.  I have been unable to find anything about this other than that it will be an option in Vista.  Can you provide a link talking about this more?

Hi David,

As previously mentioned I have a client (WinXP Prof) and a server (windows server 2003 SE) connected via  a hub. I have written a simple application using Visual C#.NET to demonstrate RBAC. As i'm running the application on the client's machine what is the path im required to put for store.Initialize ()? that is the path to the auth store.. please help!

When I launch the app i built using Visual C#.net on my client's machine but i get this error code, I installed the azroles assembly onto the GAC of the client using the .NET SDK 2.0 's admin tools.. the client currently has .NET version and is a windows XP professional with SP2.. I tried every thing possible within my knowledge but couldn't solve it. For store location i have used

msxml://\\server\share\ constructionapp.xml

Running a file server on Windows Server 2003 over the LAN

EventType : clr20r3     P1 : constructionapp.exe     P2 : 1.0.0.0    

P3 : 45f6bb1b     P4 : constructionapp     P5 : 1.0.0.0     P6 : 45f6bb1b    

P7 : 3     P8 : c     P9 : system.security.security  

David,

Thanks for the reply. But can't i simply install the win23k admin pack on win XP ? as it consists of the runtime.

regards

Janantha

Hi david,

I manage to run my application successfully on Win XP machine after installing the Azman Runtime! After installation it was able to load the XML file over the network using a shared server path!..So if anyone is out there stuck like me ..simply install the run time!

Hi david,

I have an application that spawns 10 STA threads (as it uses a STA COM component) and each thread loads its own copy of Azman (PIA-1.2) which then initializes the store kept in AD. The environment is a multi domain environment with 100K+ users in AD. I have noticed that after a system restart when the app is loaded 1 thread gets hung up initializing the store while other 9 threads are able to load the store successfully in a few seconds. On application restart, all the threads seem to initialize the store properly.

Any idea what the initialize store might be doing that could cause this?

Hello David,

Could you provide some pointers on connecting to the AzManAdamStore that i built per http://msdn2.microsoft.com/en-us/library/ms998331.aspx

I am attempting to use Softerra's LDAPBrowser and can not get the User DN and Password correct.  I am trying this because when I built and ran the default web app, i am getting an error when attempting to do the Roles.IsUserInRole("TestRole") request.  I added a button to the default.aspx form to do only that function.  I get an error "Insufficient access rights to perform the operation".

I have added "Everyone" to the WAA and PreWin 2k Compatible Access groups also.

My connection string is: msldap://w2k3std-adtest:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US for the RoleManagerAzManAdamProvider from the test described in the article.

My MembershipAuth portion for the login, using the AD, is working fine...

And then, after I get Roles working, I will need to put the std Profile info into the AD too...

Thanx,

G

Hi David,

  I created a authorization manager web UI i got a problem adding a new role definition. I use application.createrole but it goes to role assignment. how can i add new role definition. Please help.

Thanks,

chripk

Hi everybody,

I have a problem with Azman+Adam role management. I am using membership provider as Active Directory and role manager as azman which uses store as adam. Adam is installed windows server 2003. I'm making some changes in azman.(Assigning users to roles etc.) But application doesn't get the changes until web application republihed or web server restarted. Also I tried storing roles data in xml file. There is no delay in getting changes in that method.

hi David,

I build a website using AZMAN on XP successfully. However, when I try to move stuff to liveserver which is 2003. I always get error as below:

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)

Source Error:

Line 27:    <providers>

Line 28:     <add connectionStringName="LDMMSRPolicyStore" applicationName="LDMMailSummaryReport"

Line 29:      name="RoleManagerAzManProvider" type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0; Culture=neutral, publicKeyToken=b03f5f7f11d50a3a" />

Line 30:    </providers>

Line 31:   </roleManager>

Do you have any ideas.

Haina

Hi David,

I have got one requirement in which i have to add ad group,roles,task and operation to the azman file at run time. I mean I don’t have to go and type azman.msc to create all these, directly I want to add all these from code behind.I want to provide one interface where user can select all these.

Is that possible?? if possible then please reply its very urgent.

Thanks in advance

Prabhat

Hi David,

Thanks a lot for your speedy reply,can u please tell me more about this api. it would be great help if you can provide me some sample code for this i mean adding ad group to azman.xml using c# code.

Thanks,

Prabhat

I'm trying to use scopes to authorize access to different application domains (different views into application data).  The Domain/Scope is provided by the client when he attempts to access the data.

When I pass an application domain in as a scope which doesn't exist, I get a "NO SUCH SCOPE error, as you would expect.  However, once I create the scope, even with no definitions nor role assignments, AccessCheck ALWAYS passes!  

What am I doing wrong here?  I'd like to have each scope have use the same role, defined in the application, but with different assignments.  Even with no assignments for that role anywhere, even at the application level, the AccessCheck still passes.

Any help is most appreciated!  If there is another suggestion on how to model application domains (other than AzMan Scopes), I'd love to hear them.

Thanks!

I've had no problems accessing the AzRole.AzAuthorizationStore object from service (SYSTEM) and user account.  I created a domain account (no admin rights),  and now I get CreateObject 80070005 on AzRole.AzAuthorizationStore when I run as that user.  What as a domain admin, and SYSTEM have that this user doesn't?

Thanks!

Hi!

How can I copy the AzMan store one AD domain to another AD domain? The another AD domain users same as original domain, but the user's sid different.

Thanks!

Hi David,

I know that AZMan is not available on Windows XP. Does it mean I can't even program on XP. How do people develop AZMan apps? Do they install Visual Studio on Windows 2003 or they first build it on XP and then test on 2003.

Thank U

Declarative security using AzMan:

Am I missing something?  There seems to be no support declarative security with AzMan API.  The AzMan store provides that missing extra layer of abstraction that maps roles to operations - so technically I shouldn't need to worry about roles at all from my application code...

Is there a way to mark methods (that map to your operations) with an attribute such as  [AuthorizedAccessOnly()] that uses the name of the method it's decorating (or perhaps you'd need to supply the corresponding operation id) to perform an access check with AzMan?

I've been scouring the web all afternoon for info on this...  There's concepts like code interception or injection but these seem a touch... Extreme?  Is there anything in the application blocks that does this?  Or has anyone rolled their own?

Matt.

PingBack from http://mystepstones.wordpress.com/2007/10/31/azman-authorization-manager-exporting-and-importing-fromto-xmlactive-directory/

I am trying to use ADAM principals with dynamic query groups, but I do not seem to get it working. As soon as I specify the LDAPqueryDN attribute and call the AccesCheck method I get this exception:

HRESULT 0x800704EA “The security identifier provided does not have a domain component.”

The SIDs and the LDAPqueryDN I am passing are valid. Tried installing it various times with different operating systems but all with the same result.

Currently I am using Windows 2003 SP2 and ADAM SP1.

What am I doing wrong?

Richard Ruben.

We are reviewing solutions for implementing rolebased access to SharePoint 2007 sites using Azman and Windows authentication. Based upon the ASP.NET descriptions this should work. The following was added in the web.config on the appropriate places.

<connectionStrings>

<add connectionString="msxml://C:/SharePoint2007/IIS/Azman/bin/sampleazmanstore.xml" name="AzMan" />

</connectionStrings>

 <roleManager

 enabled="true"

 cacheRolesInCookie="true"

 defaultProvider="RoleManagerAzManProvider"

 cookieName=".ASPXROLES"

 cookiePath="/"

 cookieTimeout="30"

 cookieRequireSSL="true"

 cookieSlidingExpiration="true"

 createPersistentCookie="false"

 cookieProtection="All">

 <providers>

 <clear/>

 <add name="RoleManagerAzManProvider"

  type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a"

connectionStringName="Azman"

cacheRefreshInterval="5"

applicationName="SharePoint"/>

 </providers>

 </roleManager>

However, after configuring this, I am not able to retrieve the roles from Azman and the SharePoint logging shows the following:

Error in searching user 'azmanrole1' : System.Configuration.ConfigurationErrorsException: Provider must implement the class 'System.Web.Security.MembershipProvider'. (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\web.config line 36)

Any ideas?

Best regards,

Andries

Hi,

I posted the following question (http://msdn.microsoft.com/newsgroups/default.aspx?dg=microsoft.public.dotnet.framework.aspnet.security&mid=9e466d0e-7372-471e-87ad-9230131f9ba4) about windows groups and Azman to MSDN forums.

Do you have some information why do I need to boot my development machine each time I make changes to the windows group if I want those changes to take effect in Azman. What kind of cache is it having on my develoment machine?

Second question is that is it possible to get windows groups based authorization to work with sids? We have a layered application and we're not able to pass windows identies between layers. The scenario here is that our web application passes user's sid as string to the service layer and we should be able to authorize this user against Azman where our roles are assigned to windows groups.

-Timo

Hi,

I found this posting (http://www.tutorials-win.com/ActiveDirectory/AzMan-AccessCheck/) that pretty much answers my first question in my previous posting.

To the second question I found answer from the excellent article "Developing Applications Using Windows Authorization Manager"

(http://msdn2.microsoft.com/en-us/library/aa480244.aspx#azmanapps_topic5_troub1) where it says:

"The AzInitializeClientContextFromStringSID method creates an Authorization Manager context from a given SID in textual form. This behaves in a similar manner as the InitializeClientContextFromName method. When the AZ_CLIENT_CONTEXT_SKIP_GROUP flag is used, the AzInitializeClientContextFromStringSID method does not attempt to determine the group memberships of the given SID. The resulting client context only contains the specified SID. If the IAzAccessCheck method is called from this client context instance, role membership is only granted if the specified SID is used as a member of a role or group assigned to a role."

-Timo

I am having Administartive Previlage on my machine.

I want to generate AzMan Authorization store based on XML file.

I used Azman.msc and running in it developer mode to create Authorization Store based on Xml file

.

I am giving proper inputs but it is giving error

"Cannot create authorization store.The request is not supported. "

Please help me.

Hi David

I tried to save it in C drive and it worked. It was NTFS issues only as I was trying in D drive earlier.

Thanks for suggestion.

I have one more Query

I want show use list of all XML file based Authorization Stores on my machine. Can I get it? I tried exploring "Microsoft.Interop.Security.AzRoles" but no clue to get list of Authorization Stores.

I can get List of Roles, Application Groups and all but I Need to show list of Authorizations stores before this. Is it possible?

Will appreciate your help.

Archana

Hi David

Your blog has been very helpful in understanding the working of azman. However, I have a query which has not been addressed in any documentation.

Is it possible to intercept the accesscheck call to azman from a .NET application? I need to implement custom authorization in AzMan. If I implement a custom HTTP module, I can extract only the URI of the resource being requested, which can not be mapped to operations defined in AzMan. So, how can I implement custom authorization?

Thanks in advance

Smith

I am trying to manually add Azman PIA v1.2 to the GAC (instead of installing Win 2003 administrative tools pack).

I have GACutil for .NET 2.0 which I run as follows:

gacutil.exe -i microsoft.interop.security.azroles.dll

It says it successfully added the assembly, however, this doesnt work for me as when I run our application it throws an error.

Is there something I am missing as far as configuration?  When I install windows 2003 admin pack, it works fine.

Appreciate any suggestions.

Thanks David. That offers some good information and helped me resolve my issue.

Thank you for the hint ;)

Hi David,

I am trying to port an AZMAN store from one server to another and the servers cannot talk to each other.  The only way I can think of doing this is to export one store out to xml format and then import it into the other.

Do you know of a better way and do you know where I can find the published xml schema so I know how to create it?  I tried creating one in xml format from scratch and looking at it, but the hierarchy is not clear to me and also it is using id's that i do not see exposed in the object.

Thanks,

NS

I am trying to follow the HelloAzMan example from a vide on channel 9.

I get an exception on business rules disabled

because i am using a Vista box

I tried the script on the documentation to enable scripts

The script reports succes on changing the status

but i still get the exception.

What is the procedure to enable rules?

is it necesaary to run as adminstrator the script or the cliente code?

Hi David,

I'm having the same problem as Richard Ruben posted about in November, when I'm doing an access check on a scope that has a dynamic group in it I'm gettin the following error:

The security identifier provided does not have a domain component. (Exception from HRESULT: 0x800704EA)

I've followed the example at posted by  Sudheer Mamidipaka (http://blogs.msdn.com/azman/archive/2006/05/06/591230.aspx) for connecting and using ADAM principles with dynamic groups.

I would expect that the SIDs I'm passing in wouldn't have a DC part to them because they're coming from ADAM rather than a domain AD.  Do you have a pointers on where I should look for the cause of the problem?

Regards,

Peter

hello David

I'm tired to working on AzMan BizRule in .Net2.0, becauese I encountered an unexpected error;

Exception from HRESULT: 0x800A0005 (CTL_E_ILLEGALFUNCTIONCALL)

//////////////////////////////////

public class DotNetBizRuleClass

{

private string _amount;

public DotNetBizRuleClass(string amount)

{

   SetAmount(amount);

}

public void SetAmount(string amount)

{

_amount = amount;

}

public string GetParameter(string paramName)

{

return _amount;

}

}

//////////////////////////////////

DotNetBizRuleClass m_DotNetBizRuleClass = new DotNetBizRuleClass("200");

           m_DotNetBizRuleClass.setAmount(Amount.Text);

           object[] oScopes = new Object[1];

           oScopes[0] = null;

           object[] oOperations = new Object[1];

           oOperations[0] = 1;

           object[] oInterfaceName     = new Object[1];

           object[] oInterfaceFlags    = new Object[1];

           object[] oInterfaces        = new Object[1];

           oInterfaceName[0]   = "DotNetBizRuleClass";

           oInterfaceFlags[0]  = 0;

           oInterfaces[0] = m_DotNetBizRuleClass;

           object[] results =

                                       (object[])clientContext.AccessCheck (

              "TestApp",

              oScopes,

              oOperations,

              null,

              null,

              oInterfaceName,

              oInterfaceFlags,

              oInterfaces);

please help me.

Hi David,

We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample asp.net web application on Machine B, Domain B.  The web application has a simple Login page that uses asp.net login control, and a default page that authenticated users can see.

In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine.

We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles.

Thanks,

Su

Hi David,

We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample asp.net web application on Machine B, Domain B.  The web application has a simple Login page that uses asp.net login control, and a default page that authenticated users can see.

In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine.

We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles.

Thanks,

Su

Great information on this page!  Very good.

my goal: I want to create a console application that can run in any domain (Domain A) and use AzMan auth data in a network reachable Active Directory in a different domain (Domain B).

The API for AzMan allows me to point to any AzMan repository via the MSLDAP:// URL, but does not have formal params for Username and Password.  

How would you suggest I go about this?

Thanks!

Hi David,

Thank you so much for providing this! I'm currently working on bulk import xml file into sql store, do you also have any class or tool that support this operation as well?

Thanks & Regards,

Zheng

Hi David/Everyone,

I was wondering if you could provide any new information on the issue regarding initializing the AzMan store from an XP machine as described in your "Wednesday, July 19, 2006 12:00 PM" post? I'm currently encountering "The parameter is incorrect" on XP SP2 when attempting to initialize the [Active Directory] store under an impersonated "service" account.

Is this in fact due to the AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag being unsupported in XP (at least in connecting to an AD/ADAM store)? Is there a workaround?

I'm looking to use AzMan in our existing client/server scenario until we scale out to a 3-tier architecture. Our workstations are XP SP2 and servers are Windows Server 2003 SP1.

Thanks,

Tony

If you reply via email, please remember to delete the "-removetoreply-" string from the address below:

davisam2@bellsouth-removetoreply-.net

David,

I have a couple of questions regarding SQL Server and AzMan.

1. AzMan on Vista supports MS SQL as a policy store, will/is it possible to access the store from an application running on XP ?.

2. Is there an API for using AzMan in MS SQL TSQL stored proc, or would we have to wrap use C#/VB stored procedures (assuming we can still use the AzMan COM object from SQL Server) ?.

Thanks and Regards

Mark.

David,

Sorry to follow on from my MS SQL, how can I create a store on MS SQL.

I am running Vista with SQL Express but don't know how to go about setting the url and any steps required to prepare SQL for AzMan ?..

Is there a paper on this ?

Many thanks

Mark

David,

Many thanks for your response, I managed to stumble upon this in the help link when I tried to connect to a SQL Store, but since I had to rush out to pick up the son and heir from nursery I didn't manage to post my findings.

I am disappointed by the lack of SQL supprt for XP since this would make or deployment of an offline capable application much simpler.

We would only need to push the information in SQL to SQL\Express on the client laptop and change their DSN for Offline mode.

It looks like we will have to use ADAM and this means further information stores to manage and synchronise.

Thanks and Regards

Mark.

You say AzMan doesn't work properly on an XP client. I wrote a test application and it worked fine.

What am I doing ... uh ... wrong?

Not to belabor a point, but is there a list of specific instances where XP AS A CLIENT does not work?

Are there calls to avoid?? Objects to be left empty?

Thanks.

Hi

I'm hopping you can give me some help on this problem I'm having with azman/adam:

- The azman stops responding. When accessing the azman console, and trying to reconnect with the Active Directory it gives me an error "More data is available".

This is the second time the problem occurs.

The 1st solution was to reeinstall the azman and works fine.

The problem is now back.

Can you give me an help on this.

Thank you very much

Gonzalo

Mr. David

I need HELP!

i have an aplication in ASP 3.0 (not .NET) the issue is that i must use AzMan to manage the security of the website, (my dev machine is a XP and the production server is a 2000 Server) in my Dev enviroment (http://localhost/myapp) when i ran the page it goes Ok, but when i try to access from another pc (http://pcname/myapp) it throws and error like this: "The system cannot open the device or file specified".

to manage azman from ASP 3, i built a DLL in C#.NET for Interop and i call a Server.CreateObject in my website.

As You know ASP 3 doesnt have System.Security.Principal.WindowsIdentity, that way in my DLL i instanciate that class with a GetCurrent() and use it to call the AzMan CheckAccess and just have to pass by params the OperationID.

The problem is that it throw me the error i gave you.

I thought the problem was by permission accesing the DLL then i put the DLL that i built in C#.net inside a DLL built in VB6 that goes in COM PLUS and that way both have the same Identity.

in this case the GetCurrent Method of the WindowsIdentity always return the User that i have in Com Plus.

PLEASE send me an email if you can to

jmpena@sii.com.do AND jmpena@shiftingtech.com

PLEASE..

i can Lose my job :'(

hello again.

well firts time i wrote you, about a problem using azman with asp 3.0, you sent me a link with a script and it worked great, but now im getting this error with no reason and with no changes in the program.

"Value does not fall within expected range"

when i run this line:

AZROLESLib.AzAuthorizationStore AzManStore = new AZROLESLib.AzAuthorizationStore();

AzManStore.Initialize(0, this.storeLocation, null);

can you help me please ?

Thanks so much.

*sorry about my english.

Is it possible to use relative path or dynamically created file for xml store in Initialize method? Can we use store as embedded resource? We have a situation where we need to load xml store dynamically, not from physical path. Please help.

Thanks.

Thanks David for your reply. Another question, can we load provider at runtime?

Thanks.

Hi David,

Is it possible to access a MS SQL Authorization Store via AuthorizationStoreRoleProvider (shipped with .NET 3.5) from a Windows 2003 SP2 machine?

I have already installed Microsoft.Interop.Security.AzRoles.dll 2.0.0.0 in GAC, but I still get the following error when trying from a Windows 2003 SP2 machine:

COMException (0x800704b4): The specified network provider name is invalid. (Exception from HRESULT: 0x800704B4)]

I guess this has something to do with the mssql provider?

Thank you!

How do we pass AD groups in IAzClientContext? It seems only user token, sid, and name are the only parameter option that can be use with the accesscheck to query operations.

My purpose is to use AD groups to directly associate with Role Assignment without using Azman group.

Hi David -

Was wondering if you knew of a way to deploy the AZMan runtimes to many clients, in an automated fashion.  I am looking at deploying the runtimes to 22,000 XP workstations in support of an in-house developed application.  

I was hoping there were some command line switches on the installer that would allow me to silently install the runtimes.

Any insite you can provide would be greatly appreciated.

Thanks!

Derek,

Yes, it is possible to automate AzMan deployment to 22,000 machines but I believe this is an unsupported usage and so you cannot expect assistance from Microsoft in this regard.

If you can't figure out how to do it, your next option would be to just roll out the Win2003 admin pack via group policy msi deployment.

Hi David -

Thanks for the response.  Thankfully, I think we've convinced our dev folks to move away from this approach.  

Thanks again for your response, and for providing this great spot on the 'net.

I've been trying to find out if it's possible to use AzMan for policy management in a heterogeneous network.  AzMan definately fits what we'd like to have, but several of our services run on non-MS platforms and there is zero likelihood of getting them ported to Windows (for very good reasons).  What are the options for a mixed shop (where AD already is used for user and group management)?  Would the combination AzMan+AD storage be accessible through LDAP?

Hello,

I'm attempting to use Authorization Manager to control authorization for a number of web sites. I think I've got a good handle on the AccessCheck() method as that all seems to be working, but I'm now interested in the authenticaion of users to the site as a whole.

I understand (and can get it to work) that I can change the roleManager in the applications web.config to point at "RoleManagerAzManADAMProvider" and as a result I can use AzMan roles in the <authorization> section.

However, I was hoping to create an application group into which I could add all users who have the basic permission to the application and use this group instead of roles in the <authorization>. So far i've drawn a blank on this aim.

Do you know if it is possible to achieve this aim and if so how I would go about it?

Thanks

Starting out from an article found at LeastPrivilege we have created a custom principal that merges roles from AD and Azman

http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx

Using IAzClientContext.GetRoles we can read roles for a user. But in Azman it's possible to create roles "Employee", "Manager" and then include Employee in Manager. If an AD account is assigned a Manager role a call to GetRoles will only return "Manager" not "Manager" and "Employee" as I had hoped! Is there a way to read "subroles" for a role?

It's a bit confusing ...

If I use

AzAuthorizationStoreClass store=new AzAuthorizationStoreClass();

store.Initialize(...);

IAzApplication app=store.OpenApplication(...);

And the read Tasks (Note a task i a Role Definition in the mmc console) with

foreach(IAzTask myTask in app.Tasks)

It is possible to read sub tasks to myTask!

BUT  the roles read for my user are not Role objects but String. I read them like this;

Collection<string> roles = new Collection<string>();

IAzClientContext ctx = app.InitializeClientContextFromToken((ulong)clientIdentity.Token.ToInt64(), null);

Object[] rls =(Object[]) ctx.GetRoles("");

  for (int index = 0; index <= rls.GetUpperBound(0); index++)

  {

   roles.Add((string)rls[index]);

  }

To cast to AzRole will render "Unable to cast object of type 'System.String' to type 'AZROLESLib.IAzRole"

And since the name property, "Role Assignment" read with getRoles above is a string without correlation to the underlying "Role Definition" in Azman I am lost...

I'm having a problem...I get an exception on the line that calls InitializeClientContextFromToken.  Only one user gets the error...and there are 12 users in that group.  Now, if that user is added to another active directory group that is linked to another group within Azman, for another application, then the user works for both applications.  And if the user is then taken out of the original group and left in the second group the correct page is displayed saying "you are not authorized to view this application."  

We have not been able to recreate this error and it is only happening with one user to one application. We have tried taking him out of the group and adding him back in and it still didn't work.  Could there be something wrong with the users Token?  Or something wrong with AzMan or the Application that calls it?

Thanks in Advance,

Jerald

Oh I'm sorry the Exception message is "The program issued a command but the command length is incorrect.(Exception from HRESULT: 0x80070018)"

Hello David

Is there a way of looking at operations and tasks for a role, but without specifying a user?

Thanks

Richard

Hi David

I've managed to create my intranet application using AzMan and tested on W2k3 and everything works great. However, I have just bought the live server which will host the intranet app and it is W2k8. When I run the app on this server it contiuously crashes out when doing AccessCheck with the result

Value does not fall within the expected range.

Do you know why this might be happening. Any help would be greatly appreciated as I have spent 6 months working on this project and am pulling out what is left of my hair!

Cheers

Nick

nwatt@hotmail.com

I'm trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied."

If I tell it to create a new store I get the same message although the DB does actually get created in SQL.

What could be wrong?

Hi Jerald,

Not sure if you're still looking, but I have a resolution for the issue you have and thought I should post it here so others could benefit as well :)

We had the same problem as you, some users fine, some users "program issued ..." and then adding to groups made the error go away.

It is a problem with the win64 subsystem and you will need to open up a PSS incident with MS to get hold of the hotfix identified in KB948931.

HTH

Cheers

Dan

I'm using SQL Server 2005.

Protocols enabled are: Shared Memory, Named Pipes and TCP/IP. Remote connections are enabled.

The account I'm running the AZMan snapin as is a domain account and an administrator on the local machine. This account is a member of the sysadmin SQL role.

Server collation is Latin1_General_CS_AS

My connection string is:

"mssql://Driver={SQL Server};Server={KHSVELOCITY09};/AZManDB/KHSWorkflow"

I noticed that although it creates the DB OK. It does not add the application to the AzMan_AzApplication table.

I should've said:

although it creates the DB OK, it does not add the policy store to the AzMan_AzAuthorizationStore table.

Another data point:

I previously had SQL Express edition installed. I can still open a store in a DB that I had created when SQL Express was installed.

But if I try to make any edits to that old store that I can open, I again am faced with "Access Denied".

(wish comment editing was available here!)

We're testing ADFS with Forms Auth on the front end, triggering Basic Auth via ADFS Agent on the back end, to implement system security (runs as the logged on user).  We understand it is also possible to use Azman in this context.  However, ADFS examples seem to be overloaded with options we don't need.  We have a Federation Service in place, and the app will run in the same domain.  Can you point us to a simple configuration script for setting up a W2003 R2 IIS6 web server with ADFS Agent to enable use of Azman on the back end?  

A while back I adopted AzMan for a management utility, wrapping it in a helper class - it's been working well since then.  The helper class is implemented as a Singleton.  The application itself is quite slow to start so, as part of an update, I decided to implement a BackgroundWorker during the initial form Load.  The singleton AzMan helper is used both before Load and during it.  At the point that it's called in the BackgroundWorker thread, I get this:

System.InvalidCastException was unhandled by user code

Message="Unable to cast COM object of type 'System.__ComObject' to interface type 'Microsoft.Interop.Security.AzRoles.IAzClientContext'.

This operation failed because the QueryInterface call on the COM component for the interface with IID '{EFF1F00B-488A-466D-AFD9-A401C5F9EEF5}'

failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."

Source="Microsoft.Interop.Security.AzRoles"

StackTrace:

  at Microsoft.Interop.Security.AzRoles.IAzClientContext.AccessCheck(String bstrObjectName, Object varScopeNames, Object varOperations, Object varParameterNames, Object varParameterValues, Object varInterfaceNames, Object varInterfaceFlags, Object varInterfaces)

  at AAA.WiSPA.AzManHelper.CanAccess(String objectName, Int32 operation) in C:\Work\Visual Studio 2008\Projects\WiSPA\WiSPA-Console\WiSPA-Console\AzManHelper.cs:line 172

  at AAA.WiSPA.Console.Console.CreateTabs() in C:\Work\Visual Studio 2008\Projects\WiSPA\WiSPA-Console\WiSPA-Console\Console.cs:line 70

  at AAA.WiSPA.Console.uxConsoleForm.SetupTabs(BackgroundWorker worker, DoWorkEventArgs e) in C:\Work\Visual Studio 2008\Projects\WiSPA\WiSPA-Console\WiSPA-Console\uxConsoleForm.cs:line 79

  at AAA.WiSPA.Console.uxConsoleForm.backgroundWorker_DoWork(Object sender, DoWorkEventArgs e) in C:\Work\Visual Studio 2008\Projects\WiSPA\WiSPA-Console\WiSPA-Console\uxConsoleForm.cs:line 74

  at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)

  at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)

InnerException:

That was the only change I made.  I've removed the BackgroundWorker code and it works okay.  Is this some problem with COM and the threads?  My knowledge of COM is limited - I came to Windows programming straight into .NET.

I forgot to put in my previous post that I can see in the Output window that the AzManHelper is working before the exception: it's called from the Program class before the Application.Run statement for the form with the BackgroundWorker.

Do the dynamic groups (ldap query groups) support querying the extensionAttributeX properties like this:

(&(objectClass=User)(extensionAttribute2=300))

Thanks,

Jim

I think I've solved the HRESULT: 0x80004002 (E_NOINTERFACE) problem.  More searches revealed thd KB article http://support.microsoft.com/kb/912572 which I didn't think was quite the right symptom as my app main was running as STAThread and I'd recreated the problem rolling my own background thread using the Thread class with it set to STA.  But it reminded me that I was running the 2003 SP1 AdminPak on my XP machine. I uninstalled it and installed the SP2 AdminPak from http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en and it's now passing the point where the exception occurred.  I've still got problems but they don't seem to be AzMan related.

David, reading through the comments and responses has been hugely beneficial in better grasping some of the advanced use of AzMan.  I have a question, however, on the custom object picker sample identified multiple times that was targeted at the Vista SDK (and since then I've found a reference to it being in the Windows 2008 SDK).  I am unable to find any such sample in either SDK or anywhere else on the web (except for a Channel9 PluralSight video).  Is this available anywhere?

Thank you,

Jason

Insufficient access rights to perform the operation. (Exception from HRESULT: 0x80072098)

Hi David,

I got the error above when trying to login/access AzMan store using network service account. I already added the account as reader under AzMan store security properties. I am using Windows 2003 R2 on both Active Directory and Application server. In the IIS I am using Network Service account in the application pool identity. I did a lot of experiments but I did have any luck so far. Please help.

Hi David,

Thank you for you prompt response. Can you add a little details on what you mean about

"The network service account translates to COMPUTERNAME$  - network service uses the computer/machine account and requires permission accordingly."

Does this mean AzMan only uses user accounts and not machine?

Is there a solution to the Monday, November 05, 2007 post regarding

HRESULT 0x800704EA “The security identifier provided does not have a domain component.”

Thanks

I am calling IAzAuthorizationStore2.Initialize from an ASPNET web app on win2k3.  My profile is stored in an XML file local to the web app.  When the AppPool identity is an administrator, all is fine.  But if not, I get access denied COM error.  Giving the user full rights to all files didn't help, so it's not a file access thing.  

What rights does the app pool user need to access AzMan?

Thanks,

Riley

I am also getting the "parameter is incorrect" error when trying to perform a role check. I am using Forms authentication, AD Membership, and AzMan for roles. I can get the manual call to work by appending the "@domain.com" to the end of User.Identity.Name in the call to Roles.IsUserInRole and that is all well and good but this is not possible to do when trying to use security trimming with the SiteMap Provider - which appears to always use User.Identity.Name and not have the ability to append the "@mydomain.com" to the end so that the call works. How can I get SecurityTrimming to work with a SiteMapProvider when using Forms Authentication with ActiveDirectory membership and AzMan roles?

Thank you so much for this great post!

In response to Craig Fisher's question, I had this problem as well.

In our case, we were running AZMAN on a Windows Server 2008 32 bit server. It was trying to connect to our Windows Server 2003 64 bit, SQL Server 2005 server to create the AZMAN store. We got the exact message "Cannot open the authorization store. The following problem occurred: Access is denied.". The database had been created, the Extended Stored Procedures had been created in the Master database, but no records had been created in the AZMAN database.

I Used SQL Profiler to see what calls were being executed against SQL Server. I grabbed the last one that was executed, and tried running it in SQL Server Management Studio with a Begin Transaction. It failed with an error stating that it could not find "AzSqlExt.dll". I looked in the Master database Extended Stored Procedures created by Azman, and indeed, they used this DLL.

It turns out that Windoes Server 2003 does not have this dll. After some research, and talking to someone from Microsoft, I was told to grab this AzSqlExt from a Windows Server 2008 server, and place it in the System32 folder. Make SURE you get the 32 bit or 64 bit version as needed... It comes with the Operating System, not SQL server...

HTH

[Original Msg from Craig Fisher:

I'm trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied."

If I tell it to create a new store I get the same message although the DB does actually get created in SQL.

What could be wrong? ]

Does anyone know of a good tool to migrate an AZMAN XML store to an AZMAN SQL store?

I am told there is one in the "Windows SDK for Windows Server 2008 and .NET Framework 3.5" at http://www.microsoft.com/downloads/details.aspx?FamilyID=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en

which I am about to look at, but was hoping there was one that did not require such a huge install.

Thanks

David

I need to be able to show a list of users who have are authorized to perform a particular AzMan operation.

I don't think there's any simple way to do this.

Options I'm considering:

1) create an AD group for these users and write code to enumerate the members of that group

2) store a list of the users in SQL.

In each of these cases it means managing these users in two places (in AzMan and in AD or SQL), although with the AD group I can just use that group to grant the operation permission to. The problem with using AD though is that I'd need to grant my ASP.Net app additional permissions to interact with the directory.

Do you have any guidance around the best way to achieve this?

(The reason I want to do this is that one user of the app needs to be able to assign a unit of work to another user. That second user needs to be someone who is authorized to perform the next operation on the unit of work.)

GetOperations isn't what I want. I want to find the list of users who have permission to perform a particular operation.

I'd like to get a clearer defintion of:

The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform

Also, GetTasks() is defined the same.

What does 'has permission to perform' mean with respect to BizRule processing. Are BizRules taken into account for the permission check? And if so, how are the BizRule Parameters defined before GetOperations or GetTasks is invoked?

Hi,

I am trying to create a WCF that interacts ADAM and AzMan. Can you tell me

what is the configuration needed, for a WCF to work successfully.

I am using Windows Authentication for my application. I want to use

anonymous access for WCF. I have already created the WCF, but i am

continuously getting 1 or these errors.

Handle is invalid.

Access Denied.

Insufficient Access Rights.

I am not able to bind to AzMan from

WCF, using credentials. What are the requirements, an AzMan Store looks for..

AzAuthorizationStore store = new AzAuthorizationStoreClass();

store.Initialize(0,

@"msldap://localhost:389/CN=AzManSample,OU=AzManADAMStore,O=Kreshiv,C=US",

null);

IAzApplication app =

store.OpenApplication(Roles.ApplicationName, null);

// Get the current user context

IAzClientContext ctx =

app.InitializeClientContextFromToken((ulong)userToken, null);

Here is the error which i am getting stuck with. I can get only access

rights error.

David,

   First i wanna thank you for your time and this wonderful product. I developed A Service to exposes AzMan in a easy way. This is in Codeplex http://www.codeplex.com/authorizationservices as open source. Here in my company we are using AzMan with this service for all our new System and products and migrating the old ones. (More then 100 webapps). But i had a doubt,  we have 2 types of users here, one using AD. This is OK for us now. But the second type of user are external users, and we are using SQL Server (MemberShipProvider) to stores them. But we want to uses AzMan too. What we can do? I'm searching for the the Custom Object Picker examples in the Windows SDK and not found. This is very important, and we need to put this working in 1 week for the new projects and portal.

Hey,

 I'm still looking for a solution to the problem posted about November 05, 2007.  When using a dynamic LDAP group (queried from an ADAM instance which is also hosting my AzMan store) I get the following exception:

HRESULT 0x800704EA “The security identifier provided does not have a domain component.”

Does anyone have a solution to this?

Cheers,

Trevor Ward

Hi all! I've this situation: I'm required to use Azman, with SQL Server store, but my AzMan needs to be executed in a Windows 2003 server. Is this possible? Can I "upgrade" the AzMan version in the 2003 server to the new one that comes with 2008 server?

Thanks a lot!

Best,

Aldo

We have AzMan configured with SQL Server Store, which contains Operations, Tasks, Roles, BizRules.

I have opened the store in AzMan.Msc SnapIn, I am able to see Operations, Tasks, Bizrules, Roles, Groups.

I have added more Operations, Tasks, Bizrules, Roles. After adding these, i have closed the AzMan.Msc and try to re-open the same store again, i got the following error.

"Cannot enumerate child objects. The following problem occured: Access id denied."

I am not able to open the store now, could someone help me out in understanding the problem.

I have an application, which is running pretty fine, but after adding more Operations, Tasks, Bizrules, Roles. Now my application is throwing below error,

System.Unauthorized.AccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED).

at AZROLESLib.AzAuthorizationStoreClass.OpenApplication(String bstrApplicationName, Object varReserved).

If this is not the right place to post this, could you please redirect me to the right place.

I am trying to use xml as an authorization store on my Windows XP SP3 computer (I have installed AzMan through the Admin server pack).

When I try to initialise the AzMan client (using call - AzAuthorizationStore.Initialize(0, storePath, null), I get an argument exception - Value does not fall in range.

the sample store path is as following - "msxml://C:\\RedcloudLive\\TestData\\SecurityStore\\AuthorizationStore.xml"

I am able to use UI for opening policy store. I am using xml stored on the local computer as policy store.

I just found that my local account is able to initialise the Authorization Store but the domain service account is unable to do so.