Joacim

Reputation: 33

PrincipalPermission only works with some AD groups

The following works perfectly (DOMAIN\DEVELOPERS):

[PrincipalPermission(SecurityAction.Demand,Role="DEVELOPERS")]
public string Test()
{
   return "Works..";
}

The user that runs is a member of this group, so "of course" it works. I have another group, for this WCF service that is named AdvisoryWcfUsers, which contains a couple of users as well as groups (in the AD; so DOMAIN\AdvisoryWcfUsers). I'm 100 percent sure I'm a member of this group, but nevertheless, I get:

System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied

It's not a typo, it just seems that the IIS doesn't have permission to look up this new group. The DEVELOPERS group is an "old" group, while the AdvisoryWcfUsers was created today, for this purpose. Any suggestions?

Upvotes: 3

Views: 1619

Answers (1)

Bjørn van Dommelen

Reputation: 1097

Did you log in again after the group was created and you were made a member of it? Windows groups are so-called "subauthorities" that are attached to your security token at login. Any change of group memberships is therefore only detected after a login (must be a domain login, not a cached one!).

Upvotes: 0
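
A diagnostic for the situation described in this answer, added here as an example and not part of the original post: it lists the groups actually carried in an identity's token and evaluates the same role check that PrincipalPermission demands. The names TokenGroupCheck and GroupsInToken are hypothetical; the console entry point inspects the current process identity, and inside the WCF operation you would pass ServiceSecurityContext.Current.WindowsIdentity instead.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper (not from the original post).
static class TokenGroupCheck
{
    // Returns the group names carried in the identity's access token.
    // The token was built at logon, so group memberships granted in AD
    // after that logon do not show up here.
    public static string[] GroupsInToken(WindowsIdentity identity)
    {
        if (identity.Groups == null) return new string[0];
        return identity.Groups
            .Select(sid =>
            {
                try { return sid.Translate(typeof(NTAccount)).Value; }
                // SID that cannot be resolved to a name: keep its raw form.
                catch (IdentityNotMappedException) { return sid.Value; }
            })
            .OrderBy(name => name, StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    static void Main(string[] args)
    {
        // Role to test; defaults to the group named in the question.
        string role = args.Length > 0 ? args[0] : @"DOMAIN\AdvisoryWcfUsers";

        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            Console.WriteLine("Identity: {0}", identity.Name);
            // Same membership test that a PrincipalPermission demand relies on.
            Console.WriteLine("IsInRole(\"{0}\"): {1}", role, principal.IsInRole(role));
            Console.WriteLine("Groups in token:");
            foreach (string group in GroupsInToken(identity))
                Console.WriteLine("  " + group);
        }
    }
}
```

If the new group is missing from the list while AD shows the account as a member, the token predates the membership change.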
