Possible VB2008 BUG: My.User.IsInRole (When UAC ON)

Scenario

On machines running Windows Vista or Windows 7, there appears to be an issue when checking whether a user is in a role. User Account Control (UAC) must be on to reproduce the issue. The value returned is always False, even when the user does belong to the group.

 

Sample Code (UAC must be on to produce error)

If My.User.IsInRole("My Domain\My Group") Then
     Return True
Else
     Return False
End If

Workaround

To get around this I created a function using other .NET functions.

Imports System.Security.Principal

Public Function IsInUserRole(ByVal RoleToFind As String) As Boolean

    Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
    Dim irc As IdentityReferenceCollection

    ' Gets a SID list of groups the user belongs to
    irc = id.Groups

    For Each ir As IdentityReference In irc

        ' Need to convert the SID to plain English (DOMAIN\Group)
        Dim act As NTAccount = CType(ir.Translate(GetType(NTAccount)), NTAccount)

        If act.Value = RoleToFind Then
            Return True
        End If

    Next

    Return False

End Function
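
A variant of the workaround above that compares SIDs instead of translated names, shown as an added example and not the original author's code. The module and function names (RoleCheck, IsInUserRoleBySid) are hypothetical; it resolves the role name to a SID once, so a group SID in the token that cannot be mapped back to a name never has to be translated.

```vbnet
Imports System.Security.Principal

Public Module RoleCheck

    ' Hypothetical helper (name is an assumption, not from the original post).
    ' Returns True when the current process token lists the given group.
    Public Function IsInUserRoleBySid(ByVal roleToFind As String) As Boolean

        Dim roleSid As SecurityIdentifier

        Try
            ' Resolve "DOMAIN\Group" to its SID once, instead of translating
            ' every SID in the token back to a name.
            Dim account As New NTAccount(roleToFind)
            roleSid = CType(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        Catch ex As IdentityNotMappedException
            ' The name does not resolve to any account: fail closed.
            Return False
        End Try

        Using id As WindowsIdentity = WindowsIdentity.GetCurrent()
            ' Same token group list the workaround reads. SIDs are compared
            ' by value, so the result does not depend on how the name is cased.
            Dim groups As IdentityReferenceCollection = id.Groups
            Return groups IsNot Nothing AndAlso groups.Contains(roleSid)
        End Using

    End Function

End Module
```

Because it reads the same `WindowsIdentity.Groups` list, it reports whatever the current token contains; it does not change which groups that token carries.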


1 Comment

  • Steve Froebel

    My VB app worked fine in XP and win2k3 authorizing users based on AD groups. I switched my development workstation to Win 7. Now I am never authorized by the app. I am worried that when we switch our servers to 2008 the same thing will happen in production.

    My original VB code is similar to your “workaround”. I tried using the IsInRole approach as a workaround.

    Neither works because it looks like they both get group memberships from the same place.

    Tracing the code I can see 56 groups returned, but they are not my groups – I have less than a dozen memberships. The returned groups are a subset of the groups defined in my AD.

    Unless I missed a reference in VS, it looks like a bug to me.

    9 Mar