Possible VB2008 BUG: My.User.IsInRole (When UAC ON)
Scenario
On machines where Vista/W7 is installed there appears to be an issue when checking to see if a user is in a role. User Account Control (UAC) must be on to reproduce the issue. The result is that the value returned is always FALSE even when the user does belong to the group.
Sample Code (UAC must be on to produce error)
If My.User.IsInRole(“My Domain\My Group”) Then
Return True
Else
Return False
End If
Workaround
To get around this I created a function using other .Net functions.
Public Function IsInUserRole(ByVal RoleToFind As String) As Boolean
Dim id As WindowsIdentity = WindowsIdentity.GetCurrent
Dim irc As IdentityReferenceCollection
' Gets a SID list of groups the user belongs to
irc = id.Groups
For Each ir As IdentityReference In irc
' Need to convert the SID to plain english
Dim act As NTAccount = CType(ir.Translate(Type.GetType("System.Security.Principal.NTAccount")), NTAccount)
If act.Value = RoleToFind Then
Return True
End If
Next
Return False
End Function
Related Posts
Pages
Sponsors
Recent Posts
- iPhone OS4 Update for 3G
- Because of a protocol error detected at the client (code 0×1104), this session will be disconnected. Please try connecting to the remote computer again.
- Application Essentials Installer
- Possible VB2008 BUG: My.User.IsInRole (When UAC ON)
- Animated Busy Images (AKA AJAX Busy Spinner)
- RailsConf 09 – A-Z Intro To Rails Tutorial
- ROR Error: undefined method `include_root_in_json=’ …
- Free net monitoring tool gets a makeover
- The Next Social Network: WordPress
- How To: Firefox and Integrated Windows Authentication
Tags
Blogroll
- Dave Burke – Community Server MVP
- Lifehacker – Great Software Reviews
- Railscasts – Ruby on Rails Podcasts
March 9th, 2010 - 14:47
My VB app worked file in XP and win2k3 authorizing users based on AD groups. I switched my development workstation to Win 7. Now I am never authorized by the app. I am worried that when we switch our servers to 2008 the same thing will happen in production.
My original VB code is similer to your “workaround”. I tried using the IsInRole approach as a workaround.
Neither works because it looks like they both get group memberships from the same place.
Tracing the code I can see 56 groups returned, but they are not my groups – I have less than a dozen memberships. The returned groups are a subset of the groups defined in my AD.
Unless I missed a reference in VS, it looks like a bug to me.