Using AZMan Provider with ADAM Principals

Topics: Security Application Block
Dec 11, 2007 at 9:26 PM
Hi. I would like to know how to get the following to work please:

I have got an ADAM instance running on my machine and am using it as the AZMAN store. I have created a user in ADAM called "Kurt" which is a memberOf the "Members" container. I have configured a Security Block AZMAN provider to point to my ADAM store successfully. In my code, when I create a GenericIdentity and create a GenericPrincipal from it (the GenericIdentity) and try to call the Authorize method passing in the GenericPrincipal, I get an error that says "The identity must be of type WindowsIdentity to perform the authorization." In the sample (Security Block sample), though, a GenericIdentity is used. Below is my code:

GenericIdentity gi = new GenericIdentity("Kurt");
IPrincipal wp = new GenericPrincipal(gi, new string[] { "Members" });
IAuthorizationProvider ruleProvider = AuthorizationFactory.GetAuthorizationProvider("AZMANProv");
bool canDo = ruleProvider.Authorize(wp, "Calculate Sum");

Has anyone successfully got ADAM Principals working with AZMAN and the Security Block? :)

My scenario is:
I have got a WCF Service using a wsHttp binding, using Message credentials (Username/Password token). I am able to retrieve the user on the service side as a generic identity, and now need to check if the calling user is authorized to perform the operation. This service is being consumed from a Java client.

Aug 12, 2008 at 1:01 AM

I am having the same problem with this code. This is pretty serious, could somebody help us please?

try // opening try block not shown in the original post; implied by the catch below
{
    GenericIdentity genericIdentity = new GenericIdentity(requestBOUser.UserName);
    IPrincipal principal = new GenericPrincipal(genericIdentity, null);
    VWGLogger.LogEvent(gotAccountTokenEventId, "success", "got generic identity for user " + requestBOUser.UserName);

    IAuthorizationProvider authenticationProvider = ...;           // right-hand side cut off in the original post
    AzManAuthorizationProvider azManAuthorizationProvider = ...;   // right-hand side cut off in the original post

    bStatus = azManAuthorizationProvider.Authorize(principal, requestBOUser.RoleRequest);
}
catch (Exception ex2)
{
    string errMsg2 = ex2.Message;
    requestBOUser.Message = errMsg2;
    return (requestBOUser);
}


Aug 12, 2008 at 3:08 PM

The AzMan authorization provider only works with Windows identities because it initializes the AzMan client context using a client token; while there are other approaches, this is the recommended one according to the docs.

Now, using ADAM principals doesn't seem to be the same as using the GenericIdentity. I'm not really familiar with this feature, but it can be seen in the lengthy sample posted in the Authorization Manager Team's blog that you still need to log in the user using a password (by performing a directory search in this case) and use a new IAzApplication2 interface.

You can log a feature request to support this. My guess is that a new set of IPrincipal/IIdentity implementations will be necessary to hold the SIDs required to use AzMan with ADAM principals (similar to the internal WindowsSidPrincipal and WindowsSidIdentity from WCF.)
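The two ways of building an AzMan client context that the answer above contrasts, as an added example that is not part of this thread and not Enterprise Library code: the token path, which is why the Security Block provider rejects a GenericIdentity, beside the SID-based path an ADAM principal would need. It assumes the AZROLESLib COM interop for AzRoles.dll (the member names InitializeClientContextFromToken, InitializeClientContextFromStringSid, LDAPQueryDN, OpenOperation and AccessCheck, and the AZ_CLIENT_CONTEXT_SKIP_GROUP value, are as this example's author understands them and should be checked against the interop assembly you generate), that the store URL and ADAM path are constructed values, and that the ADAM user has already been authenticated by the caller (for instance by the WCF UserName token validator), since this code only decides authorization.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using AZROLESLib; // COM interop for Authorization Manager (AzRoles.dll); member names assumed

// Added illustration of the two client-context paths; not the Security Block's own provider.
public static class AzManContextExample
{
    // AzMan option: build the context from the SID alone and do not expand Windows token groups
    // (an ADAM user has no Windows token). Numeric value assumed from the AzRoles headers.
    const int AZ_CLIENT_CONTEXT_SKIP_GROUP = 1;

    // Opens the policy store and application. storeUrl is the store configured for the provider,
    // e.g. "msldap://localhost:389/CN=AzManStore,CN=Program Data,DC=example,DC=test" (constructed).
    public static IAzApplication2 OpenApplication(string storeUrl, string applicationName)
    {
        IAzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);
        return (IAzApplication2)store.OpenApplication(applicationName, null);
    }

    // Path 1 (what the Security Block provider does): the context comes from the caller's logon
    // token, which only a WindowsIdentity carries. A GenericIdentity has no token, hence the error.
    public static bool IsAllowedForWindowsUser(IAzApplication2 app, IPrincipal principal, string operationName)
    {
        WindowsIdentity windowsIdentity = principal.Identity as WindowsIdentity;
        if (windowsIdentity == null)
            return false; // fail closed instead of letting AzMan throw on a non-Windows identity

        IAzClientContext context = app.InitializeClientContextFromToken(
            (ulong)windowsIdentity.Token.ToInt64(), null);
        return AccessAllowed(app, context, operationName);
    }

    // Path 2 (the direction the answer points at): look the already-authenticated user up in ADAM,
    // take its objectSid, build a SID-only context and tell AzMan which DN to evaluate LDAP query
    // groups against. adamUsersPath is assumed, e.g. "LDAP://localhost:389/CN=Users,DC=example,DC=test".
    public static bool IsAllowedForAdamUser(IAzApplication2 app, string adamUsersPath, string userName, string operationName)
    {
        using (DirectoryEntry root = new DirectoryEntry(adamUsersPath))
        using (DirectorySearcher searcher = new DirectorySearcher(
            root,
            "(&(objectClass=user)(cn=" + EscapeLdapFilterValue(userName) + "))",
            new[] { "objectSid", "distinguishedName" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null)
                return false; // unknown user: deny

            byte[] sidBytes = (byte[])result.Properties["objectSid"][0];
            string sid = new SecurityIdentifier(sidBytes, 0).Value;
            string userDn = (string)result.Properties["distinguishedName"][0];

            IAzClientContext2 context = (IAzClientContext2)app.InitializeClientContextFromStringSid(
                sid, AZ_CLIENT_CONTEXT_SKIP_GROUP, null);
            context.LDAPQueryDN = userDn; // LDAP query groups in the store are evaluated for this user
            return AccessAllowed(app, context, operationName);
        }
    }

    // Checks one operation at application scope. AzMan returns one status per operation:
    // 0 (NO_ERROR) means allowed; anything else (e.g. 5, ERROR_ACCESS_DENIED) is treated as denied.
    static bool AccessAllowed(IAzApplication2 app, IAzClientContext context, string operationName)
    {
        IAzOperation operation = app.OpenOperation(operationName, null);
        object[] results = (object[])context.AccessCheck(
            "audit:" + operationName,               // audit string
            new object[] { "" },                     // "" = application scope
            new object[] { operation.OperationID },
            null, null, null, null, null);
        return results.Length == 1 && Convert.ToInt32(results[0]) == 0;
    }

    // RFC 4515 escaping so a user-supplied name cannot change the shape of the search filter.
    static string EscapeLdapFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }
}
```

Both paths return false rather than throwing when the identity or user cannot be mapped, so a misconfigured provider denies instead of surfacing an exception to the WCF caller; the LDAP filter escaping matters because the user name in the scenario above arrives from a remote client.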