Programming with Microsoft Access Control Technologies (May 26, 2005)

Posted: June 6, 2005

Please note: Portions of this transcript have been edited for clarity

Introduction

Carolyn [MSFT] (Moderator):
Welcome to today’s chat about Programming with Microsoft Access Control Technologies. We will answer as many questions as we can today and post a transcript of the upper window within a few days at https://msdn.microsoft.com/chats/transcripts/default.aspx

Carolyn [MSFT] (Moderator):
We are pleased to welcome our experts for today. I will have them introduce themselves now.

[MS]Stefan (Expert):
Hello everyone - I own a number of the new authentication and authorization aspects of ASP.NET 2.0.

Eric_MS (Expert):
Hi, I'm Eric Slesar, a programmer writer with the Windows SDK.

Dave and Sunil [MS] (Expert):
Dave McPherson - Windows Security Access Control PM
Sharing console with:
Shawn Wu - Windows Security Access Control Developer
and
Sunil Kadam - Windows Security Access Control Developer

Jeff_MS (Expert):
Hello, I'm Jeff and I work with ACLs and access check.

Carolyn [MSFT] (Moderator):
Here is how it works: Participants are welcome to post their questions for our experts during today’s chat. Just type a question, click the “Submit a question” option button, and click “Send.” These posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. To post a comment, type your comment and just click “Send.”

We will try to answer as many questions as we can today. We will post a transcript of this chat within a few days at https://msdn.microsoft.com/chats/transcripts/default.aspx

Let’s actually begin the chat. You may begin posting your questions and comments.

Start of Chat

[MS]Stefan (Expert):
Q: Here is my first question: is there any way to find out the roles from the WindowsPrincipal?
A: By default, a WindowsPrincipal only implements IPrincipal, which does not have the facility to get roles. However, in Whidbey you could, from inside of an ASP.NET 2.0 application, use Role Manager with the WindowsTokenRoleProvider. The WindowsTokenRoleProvider "wraps" the authenticated Windows user in ASP.NET, and gives access to a class called RolePrincipal. RolePrincipal includes an extra method called GetRolesForUser which will give you a string array of all of the NT groups you belong to.

Dave and Sunil [MS] (Expert):
The media player question is off topic; we recommend starting with support.microsoft.com.

Dave and Sunil [MS] (Expert):
Eric is getting you the exact link: speaking of AzMan I may as well point out that a service update of the Win2K runtime version of Authorization Manager (a Windows 2000 version of the role-based access control runtime that shipped in WS2003) just released to the Web yesterday.

Eric_MS (Expert):
Q: (this time with submit a question :)) What is the recommended newsgroup to post to for questions about AzMan? I see a lot of posts but not much participation from MS in this area yet. There is not a lot of expertise in the community yet to field the question.
A: The best newsgroup for questions about AzMan is https://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.platformsdk.security&lang=en&cr=US
You should be able to get questions answered there.

Dave and Sunil [MS] (Expert):
Q: We are using AzMan for authorization in our app. The AzMan store type is Active Directory. How does the loading process happen: will the complete store be in our application memory, or will it load for every AccessCheck call?
A: The AzMan AD store will lazy load the policy. So as AccessCheck or OpenScope, etc., is called, the policy for that scope will be loaded into memory.

Dave and Sunil [MS] (Expert):
Q: What are the strengths and advantages of AzMan?
A: Forgive the marketing voice: here are the strengths and advantages of AzMan:

Simple Common RBAC Administration
A simple common role-based administrative experience; administrators learn fewer authorization models and require less training.

Simple Role-based Development Model
Easy to integrate with native or managed apps, provides broad RBAC management and enforcement functionality.

Flexible Authorization Rules
Ability to define membership through dynamic ldap queries or custom BizRules.

Centralized Administration
Multiple applications can be managed centrally and leverage common application groups.

Flexible Storage Options
Ability to store policy in Active Directory, .xml files or SQL Server (Longhorn Beta 2).

Platform Integration and Alignment
Support for platform features such as Active Directory groups, Windows security auditing, and MMC. Assurance of proper integration of system access control objects such as the NT access token and better alignment for future Windows access control features.

Reduced

Dave and Sunil [MS] (Expert):
Q: We do AccessCheck for 30 scopes. Will it run from memory, or will it hit AzMan 30 times?
A: In AzMan access check (for the AD store) the first use of each scope will load it into memory from the store. Future AccessChecks will use the in-memory cache.

Carolyn [MSFT] (Moderator):
Q: Is there a chat available for security issues? For Windows XP Home Edition?
A: Look for MSDN chats at https://msdn.microsoft.com/chats/, look for TechNet chats at https://www.microsoft.com/technet/community/chats/default.mspx and look at https://www.microsoft.com/communities/chats/default.mspx. There is a general chat for Windows XP on May 15 at 10:00 a.m. PST. Maybe that will help.

Dave and Sunil [MS] (Expert):
And btw, regarding scopes: if you call IAzAuthorizationStore::UpdateCache and policy has been changed in the store, the scope is reloaded.

Eric_MS (Expert):
Q: Ok. When I click on Internet Explorer, it won’t even bring up a screen. I open up my Task Manager, click on processes and "iexplore.exe" is all the way at 100% CPU and it won’t load.
A: This question is off-topic for this chat. You can find support options at http://support.microsoft.com

Dave and Sunil [MS] (Expert):
Another AzMan FYI - In Windows Server 2003 Service Pack 1 AzMan is enhanced to support Active Directory Federation Services and the use of ADAM (Active Directory Application Mode) principals in AzMan roles.

There is a .Net Show on this post at:
https://msdn.microsoft.com/theshow/episode047/default.asp

Dave and Sunil [MS] (Expert):
Q: Why is the AD store faster than the XML store in AzMan?
A: Actually "faster" is a bit strong. XML is ideal for grass-roots departmental deployments and is very fast in these scenarios where the policy is relatively small. AD scales better as a store than an .xml file and offers better delegation support. The AD store lazy loads, so it appears to initialize faster but really is just smarter. As far as AccessCheck goes, they are the same - but again the first access check call to a scope when using the AD store is a bit slower since the policy has to get loaded - make sense?

Eric_MS (Expert):
Q: I had an invoice designed for me in Excel and I need to know how to program it to automatically input invoice numbers.
A: This question is off-topic for this chat. You can try posting your question in the Office general questions newsgroup at https://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.office.misc&lang=en&cr=US

Dave and Sunil [MS] (Expert):
Q: Can you explain what an ADAM principal is? Is it like a Windows principal?
A: ADAM has a lightweight principal object. This is an object that basically wraps a username and password. Typically this is authenticated via an LDAP Bind call. The typical scenario for ADAM principals is a DMZ where customer accounts are maintained for specific apps and AD (for whatever reason) is not used for these accounts. AzMan in WS03 SP1 adds support for adding the ADAM principal and group SIDs to the AzMan roles, groups and LDAP queries, and support for manually creating a client context from the ADAM principal's user and group SIDs.

Dave and Sunil [MS] (Expert):
Q: Do you guys have any sample applications you'd like to show off using AzMan in an ASP.NET app to do some non-trivial authorization work?
A: We have a sample that will be published in an upcoming release of the SDK. It has an AzMan ASP.NET app and an AzMan web-based UI.

Dave and Sunil [MS] (Expert):
Q: Can we say ADAM is a subset of AD? If so, are the user IDs and passwords stored in ADAM?
A: ADAM is basically a subset of AD, though the AD user principal is much different than the ADAM principal. But yes, when using ADAM principals the creds are stored in ADAM.

[MS]Stefan (Expert):
Q: Impersonation and the Trusted Subsystem model, which one is best?
A: It depends. If you need to flow credentials to back-end data stores in a way that preserves the original client identity, then you need impersonation. However, it is usually easier to set up distributed applications that use trusted subsystems since you don't have to wrestle with flowing credentials through other back-end systems. For more discussion on this, also see the whitepaper at: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/athmanwp.mspx

Dave and Sunil [MS] (Expert):
Q: From my web app, I'm using AzMan for authorization, but while loading the store, I'm getting the "The parameter is incorrect" error. I believe this is related to my machine account permissions. Can anyone tell possible causes for this error?
A: The syntax of the URL could be incorrect or the flags sent in could be bad (0, 1 and 2 are the valid flags). Also make sure you have the rights to the store (open the store via the AzMan UI and check the security tab, and make sure the context you're calling from is an admin or reader as appropriate).

Carolyn [MSFT] (Moderator):
I'd like to thank our experts for joining us today on a Microsoft Community Chat to talk about Programming with Microsoft Access Control Technologies. We are sorry we could not answer all your questions.

If you would like further information on today's topic, please visit the following URL:
https://technet2.microsoft.com/WindowsServer/en/library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx?mfr=true

We will post the transcript from today’s chat on Programming with Microsoft Access Control Technologies within a few days at https://msdn.microsoft.com/chats/transcripts/default.aspx

Thanks for your interest and feedback! We are going to leave now. You are welcome to continue chatting in the lower window. We encourage you to use it anytime we are not doing a scheduled chat.

Dave and Sunil [MS] (Expert):
Looks like we're closing down. If there are follow-up questions please post them to the newsgroup mentioned previously: https://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.platformsdk.security&lang=en&cr=us
