AzManAuthorizationProvider off a network share => 0x800704C9

Topics: Security Application Block
Feb 8, 2011 at 3:44 PM
Edited Feb 8, 2011 at 3:50 PM

Hello,

We've been using EntLib 3.1 for several years now, with applications built in .NET 2.0 or 3.0. We have an AzMan instance in the A/D.

Prior to Windows 7, we had been happily using CASPOL to trust a network share and running executables from there. Everything there works fine.

We're trying to develop against Windows 7 now (x64), using .NET 4.0, and EntLib 5.0 and have come up against an issue that we can't seem to work around. I wrote a test console application that simply opens the azman store and checks access to an operation. Here are my results:

1. If I run it locally it works just fine, both with a file store and the A/D store.

2. If I run it off the network, the file store works, but the A/D store blows up with a security exception down in the AzMan.Interop library, called from this line in GetClientContext in AzManAuthorizationProvider:

store.Initialize(0, this.storeLocation, null);

I've tried using various security policies (dropping back to CASPOL with the legacy tag, setting Level1 ...) and I just seem to be missing whatever's making it break.

Here's the output of my program (I tried dumping security rights and the only difference between local and off the share is the "Zone Evidence").

Zone Evidence: Intranet

Security Rule Set: Level1

Is Fully Trusted: True

Class IsSecurityCritical: False
Class IsSecuritySafeCritical: False
Class IsSecurityTransparent: True

Permissions Count: 0
Store created
Store Initializing msldap://CN=name,CN=Program Data,DC=whatever,DC=com
System.Security.SecurityException
The remote computer refused the network connection. (Exception from HRESULT: 0x800704C9)
   at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessOperations(String auditIdentifier, WindowsIdentity identity, String[] operations) in D:\External\EntLib50Src\Blocks\Security\Src\AzMan\AzManAuthorizationProvider.cs:line 251
   at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context) in D:\External\EntLib50Src\Blocks\Security\Src\AzMan\AzManAuthorizationProvider.cs:line 118
   at My.SecurityService.IsAuthorized(String operation) in D:\V\TFS\X_Dev\Core\Application\Source\Services\ApplicationServices\Security\SecurityService\SecurityService.cs:line 33
   at SecurityHeadaches.Program.Main(String[] args) in D:\Random\SecurityHeadaches\Program.cs:line 50

Should I be doing something special to the security of my application when I'm running off a network path? I currently have no Software Restriction Policies defined. I'm really hoping that I've missed something simple. Has anybody got any ideas/workarounds?

Note:

Running our old .NET 2.0 applications on W7 (off the network) doesn't work either. They all work fine on XP and when run locally on W7.

I also have a different exception when trying to check authorisation on an impersonated WindowsIdentity (locally)... perhaps that's related. I can post more detail on that one if it would help.

Many thanks,

Tim.

Edit: the old applications use EntLib 3.1, the console one I wrote is using EntLib 5.0.
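The test the post describes (dump the CAS state, open the AzMan store, check one operation), written out as an added example. This is not the poster's program and not EntLib code; it calls the azroles COM interop directly, which is the same layer EntLib's AzManAuthorizationProvider uses. The store URL, application name and operation name are placeholders passed on the command line, and it assumes a COM reference to the "azroles 1.0 Type Library" (namespace AZROLESLib) as generated by Visual Studio.

```csharp
// Added example, not code from the original post or from EntLib: a .NET 4
// console program that reproduces the poster's test. Store URL, application
// and operation names are assumptions supplied as arguments.
// Requires a COM reference to "azroles 1.0 Type Library" (AZROLESLib).
using System;
using System.Reflection;
using System.Security;
using System.Security.Policy;
using System.Security.Principal;
using AZROLESLib;

static class AzManProbe
{
    // Prints the same fields the post dumped. Zone is the one value that
    // differs between a local run (MyComputer) and a UNC path (Intranet).
    static void DumpSecurityContext()
    {
        Assembly asm = Assembly.GetExecutingAssembly();
        Zone zone = asm.Evidence.GetHostEvidence<Zone>();
        Console.WriteLine("Zone Evidence: " + (zone == null ? "(none)" : zone.SecurityZone.ToString()));
        Console.WriteLine("Security Rule Set: " + asm.SecurityRuleSet);
        Console.WriteLine("Is Fully Trusted: " + asm.IsFullyTrusted);

        Type t = typeof(AzManProbe);
        Console.WriteLine("Class IsSecurityCritical: " + t.IsSecurityCritical);
        Console.WriteLine("Class IsSecuritySafeCritical: " + t.IsSecuritySafeCritical);
        Console.WriteLine("Class IsSecurityTransparent: " + t.IsSecurityTransparent);
    }

    // Returns true when the current Windows identity is granted operationName
    // in applicationName of the store at storeUrl (msxml://path or msldap://DN).
    static bool CheckOperation(string storeUrl, string applicationName, string operationName)
    {
        IAzAuthorizationStore store = new AzAuthorizationStore();
        Console.WriteLine("Store Initializing " + storeUrl);
        // Flags 0: open for access checks only. This is the same call that
        // EntLib's AzManAuthorizationProvider.GetClientContext makes, and the
        // point at which the post reports HRESULT 0x800704C9 from a UNC path.
        store.Initialize(0, storeUrl, null);

        IAzApplication app = store.OpenApplication(applicationName, null);
        IAzOperation op = app.OpenOperation(operationName, null);

        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        IAzClientContext ctx = app.InitializeClientContextFromToken(
            (ulong)identity.Token.ToInt64(), null);

        // AccessCheck takes operation IDs (not names) and returns one
        // HRESULT-style int per operation; 0 (S_OK) means the operation is granted.
        object[] scopes = new object[] { "" };          // application-level scope
        object[] operations = new object[] { op.OperationID };
        object[] results = (object[])ctx.AccessCheck(
            "AzManProbe", scopes, operations, null, null, null, null, null);
        return (int)results[0] == 0;
    }

    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.WriteLine("usage: AzManProbe <store-url> <application> <operation>");
            return 2;
        }
        DumpSecurityContext();
        try
        {
            bool granted = CheckOperation(args[0], args[1], args[2]);
            Console.WriteLine("Access " + (granted ? "granted" : "denied"));
            return granted ? 0 : 1;
        }
        catch (SecurityException ex)
        {
            // Same failure shape as in the post: a SecurityException raised
            // from the interop layer, carrying the COM HRESULT in its message.
            Console.WriteLine(ex.GetType().FullName);
            Console.WriteLine(ex.Message);
            return 3;
        }
    }
}
```

Run it once from a local folder and once from the UNC path with the same msldap:// URL; the first block of output should differ only in the Zone line, which isolates the store Initialize call as the point where the two runs diverge.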

Feb 9, 2011 at 12:20 AM

It would seem it has something to do with using Windows 7, but you should also consider the .NET Framework version (from 2.0 to 4.0) and the computer architecture (or are you already using a 64-bit machine with EntLib 3.1?). I didn't consider the EntLib version since you pointed out that AuthorizationStore.Initialize is where the actual exception is being thrown. If you can do tests to see which of the three is actually causing the error, that would narrow the search.

I haven't found any information yet as to what is causing the exception you're encountering, since it looks like an issue more on the AzMan side itself rather than EntLib. I suggest you also post this in MSDN's Common Language Runtime forum.


Sarah Urmeneta
Global Technologies and Solutions
Avanade, Inc.
entlib.support@avanade.com

Feb 9, 2011 at 8:36 AM

Hello Sarah,

Thanks for the input; I posted a code sample on the group you suggested: http://social.msdn.microsoft.com/Forums/en-US/clr/thread/755c5afd-c84b-4c1a-a991-6c19a34fa7a0

Regards,

Tim.