.Net Role Authentication PrincipalPermission fails


I have a VB.NET 3.5 application using the PrincipalPermission class to ensure a user is a member of a role. The code works for some groups in the Active Directory domain but not others. At first I thought the space was an issue, but I checked 'Domain Users', which worked. Running this code, I am a member of App Group.

Imports System.Diagnostics
Imports System.Security
Imports System.Security.Principal
Imports System.Security.Permissions
Imports System.Windows.Forms

    ' Demands membership of the "App Group" role for the current Windows user.
    ' Returns True when the demand succeeds and False when it throws SecurityException.
    Private Function DemandSecurity() As Boolean
        ' Make Thread.CurrentPrincipal a WindowsPrincipal so the demand checks the Windows token.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        Dim principalGroup As New PrincipalPermission(Nothing, "App Group")
        Try
            principalGroup.Demand()
            Debug.Print("Demanding principal permissions for current user on 'App Group' role succeeded. ")
        Catch secEx As SecurityException
            Debug.Print("Security Exception - Demanding principal permissions for current user on 'App Group' role failed. ")

            Application.DoEvents()
            MessageBox.Show("Permission denied. Output: " & vbNewLine & secEx.ToString(), "App - Security Exception", MessageBoxButtons.OK, MessageBoxIcon.Error, MessageBoxDefaultButton.Button1)

            Return False
        End Try
        Return True
    End Function

The error output from secEx.ToString() is

"System.Security.SecurityException: Request for principal permission failed.
   at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
   at System.Security.Permissions.PrincipalPermission.Demand()
   at App.My.MyApplication.DemandSecurity() in C:\Documents and Settings\me\My Documents\Visual Studio 2008\Projects\App\App\ApplicationEvents.vb:line 28
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.PrincipalPermission
The first permission that failed was:
<IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1">
<Identity Authenticated="true" Role="App Group"/>
</IPermission>

The demand was for:
<IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1">
<Identity Authenticated="true" Role="App Group"/>
</IPermission>

The assembly or AppDomain that failed was:
mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"

Let me know if I need to include anything else.

Jorge Alvarado On

OK, this is just a wild guess. I happened to see this discussion regarding SAMAccountName and distinguished names, but I have no idea if this is still a current issue: Active Directory and PrincipalPermission

Honestly, I don't know if the "Role" can take a full LDAP filter, but let's give it a try. Let's suppose your group's distinguished name is like this:

"CN=MyGroup,OU=SecurityGroups,OU=Department,DC=Company,DC=com"

Why not try this:

Role="CN=MyGroup,OU=SecurityGroups,OU=Department,DC=Company,DC=com"

Role=@"Company.com\Department\Security Groups\MyGroup"  // Not sure about this one though

And because this one seems more logical, maybe like this:

Role=@"Company\SAMAccountNameOfYourGroup"

I think your groups in CN=Users may succeed because they are probably in the root of your Active Directory, so for the other groups you may need to give either the SAMAccount, which is unique, or some structure for the search.
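The question's code demands a bare role name, and the answer suggests trying the qualified DOMAIN\Group form instead. The following VB.NET module is an added example, not code from the asker or the answerer: it dumps every group SID in the current token together with the account name it resolves to (so you can see the exact DOMAIN\Group strings Windows put in the token), resolves a DOMAIN\Group name to its SID and checks membership by SID, and repeats the check as a PrincipalPermission demand on the qualified name. The domain "CORP" and group "App Group" are placeholder assumptions; replace them with your own.

```vbnet
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal

Module RoleCheckDiagnostics

    ' Placeholder assumptions: replace with your domain's NetBIOS name and group name.
    Private Const DomainName As String = "CORP"
    Private Const GroupName As String = "App Group"

    ' Lists every group SID carried by the current token and the NT account name it
    ' translates to, so the names used in a role check can be compared with what the
    ' token actually contains.
    Public Sub DumpTokenGroups()
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Console.WriteLine("User: " & identity.Name)
        If identity.Groups Is Nothing Then Return
        For Each sid As IdentityReference In identity.Groups
            Dim displayName As String
            Try
                ' Unresolvable SIDs (deleted groups, untrusted domains) throw
                ' IdentityNotMappedException; report them rather than aborting the dump.
                displayName = sid.Translate(GetType(NTAccount)).Value
            Catch ex As IdentityNotMappedException
                displayName = "<unmapped>"
            End Try
            Console.WriteLine("  " & sid.Value & "  " & displayName)
        Next
    End Sub

    ' Resolves DOMAIN\Group to a SID once and checks membership by SID, which does not
    ' depend on how the group name is spelled or qualified at check time.
    ' Returns False (and logs why) when the group cannot be resolved, so a typo in the
    ' group name is visible as a lookup failure rather than looking like a denied user.
    Public Function IsMemberBySid(ByVal domain As String, ByVal group As String) As Boolean
        Dim principal As New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Try
            Dim account As New NTAccount(domain, group)
            Dim sid As SecurityIdentifier = _
                DirectCast(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
            Return principal.IsInRole(sid)
        Catch ex As IdentityNotMappedException
            Console.WriteLine("Group " & domain & "\" & group & " could not be resolved to a SID.")
            Return False
        End Try
    End Function

    ' The same check as a PrincipalPermission demand, using the qualified DOMAIN\Group
    ' form rather than the bare group name.
    Public Function DemandQualifiedRole(ByVal domain As String, ByVal group As String) As Boolean
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        Dim permission As New PrincipalPermission(Nothing, domain & "\" & group)
        Try
            permission.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    Sub Main()
        DumpTokenGroups()
        Console.WriteLine("IsMemberBySid: " & IsMemberBySid(DomainName, GroupName).ToString())
        Console.WriteLine("DemandQualifiedRole: " & DemandQualifiedRole(DomainName, GroupName).ToString())
    End Sub

End Module
```

Run it as the user whose demand fails and compare the group list with the role string being demanded: if the group appears in the dump under a different domain prefix or name than the one demanded, the mismatch explains the SecurityException; if the SID lookup itself fails, the problem is name resolution rather than membership.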