Feb 8, 2011 at 4:44 PM
Edited Feb 8, 2011 at 4:50 PM
We've been using EntLib 3.1 for several years now, with applications built in .NET 2.0 or 3.0. We have an AzMan instance on the A/D.
Prior to Windows 7, we have been happily using CASPOL to trust a network share and running executables from there. Everything there works fine.
We're trying to develop against Windows 7 now (x64), using .NET 4.0 and EntLib 5.0, and have come up against an issue that we can't seem to work around. I wrote a test console application that simply opens the AzMan store and checks access to an operation.
Here are my results:
1. If I run it locally it works just fine, both with a file store and the A/D store.
2. If I run it off the network, the file store works, but the A/D store blows up with a security exception down in the AzMan.Interop library, called from this line in GetClientContext in AzManAuthorizationProvider:
store.Initialize(0, this.storeLocation, null);
I've tried using various security policies (dropping back to CASPOL with the legacy tag, setting Level1 ...) and I just seem to be missing whatever's making it break.
Here's the output of my program (I tried dumping security rights and the only difference between local and off the share is the "Zone Evidence").
Zone Evidence: Intranet
Security Rule Set: Level1
Is Fully Trusted: True
Class IsSecurityCritical: False
Class IsSecuritySafeCritical: False
Class IsSecurityTransparent: True
Permissions Count: 0
Store Initializing msldap://CN=name,CN=Program Data,DC=whatever,DC=com
The remote computer refused the network connection. (Exception from HRESULT: 0x800704C9)
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessOperations(String auditIdentifier, WindowsIdentity identity, String operations) in D:\External\EntLib50Src\Blocks\Security\Src\AzMan\AzManAuthorizationProvider.cs:line
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context) in D:\External\EntLib50Src\Blocks\Security\Src\AzMan\AzManAuthorizationProvider.cs:line 118
at My.SecurityService.IsAuthorized(String operation) in D:\V\TFS\X_Dev\Core\Application\Source\Services\ApplicationServices\Security\SecurityService\SecurityService.cs:line 33
at SecurityHeadaches.Program.Main(String args) in D:\Random\SecurityHeadaches\Program.cs:line 50
Should I be doing something special to the security of my application when I'm running off a network path? I currently have no Software Restriction Policies defined. I'm really hoping that I've missed something simple. Has anybody got any ideas/workarounds?
Running our old .NET 2.0 applications on W7 (off the network) doesn't work either. They all work fine on XP and when run locally on W7.
I also have a different exception when trying to check authorisation on an impersonated WindowsIdentity (locally)... perhaps that's related. I can post more detail on that one if it would help.
Edit: the old applications use EntLib 3.1, the console one I wrote is using EntLib 5.0.
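The diagnostic dump the poster describes (zone evidence, rule set, full trust, transparency, permission count) can be reproduced with the .NET 4.0 APIs below. This is an added example, not the poster's program or Enterprise Library code; it assumes a .NET 4.0 console project, and the `SecurityRules` attribute stands in for what the post calls "setting Level1" (remove it to observe the .NET 4 default, Level2). Running the same binary locally and from the UNC share lets you compare the two outputs line by line, which is the check worth doing before touching CAS policy.

```csharp
// Added diagnostic (not the poster's code): prints the security facts the post
// lists so a local run and a network-share run can be compared side by side.
// Assumptions: .NET 4.0 console application; the assembly attribute below is
// what the post refers to as "setting Level1" and may be removed to see Level2.
using System;
using System.Reflection;
using System.Security;
using System.Security.Policy;

[assembly: SecurityRules(SecurityRuleSet.Level1)]

namespace SecurityDiagnostics
{
    internal static class Program
    {
        private static void Main()
        {
            AppDomain domain = AppDomain.CurrentDomain;
            Assembly asm = typeof(Program).Assembly;

            // Host evidence shows which zone the loader assigned to the entry assembly.
            // A UNC path normally yields Intranet, a local path MyComputer.
            Zone zone = domain.Evidence.GetHostEvidence<Zone>();
            Console.WriteLine("Zone Evidence: {0}",
                zone == null ? "(none)" : zone.SecurityZone.ToString());

            // Level1 is the pre-4.0 transparency model; Level2 is the .NET 4 default.
            Console.WriteLine("Security Rule Set: {0}", asm.SecurityRuleSet);

            // With CAS policy disabled (the .NET 4 default) this is true even when the
            // executable was launched from a share; under legacy policy it depends on
            // the caspol grant for that zone or URL.
            Console.WriteLine("Is Fully Trusted: {0}", domain.IsFullyTrusted);

            // Transparency classification of this class under the active rule set.
            Type t = typeof(Program);
            Console.WriteLine("Class IsSecurityCritical: {0}", t.IsSecurityCritical);
            Console.WriteLine("Class IsSecuritySafeCritical: {0}", t.IsSecuritySafeCritical);
            Console.WriteLine("Class IsSecurityTransparent: {0}", t.IsSecurityTransparent);

            // Granted permission set of the AppDomain. A full-trust domain reports an
            // unrestricted set, which typically enumerates zero individual permissions,
            // so print IsUnrestricted alongside the count to avoid misreading "0".
            PermissionSet granted = domain.PermissionSet;
            Console.WriteLine("Permissions Count: {0} (Unrestricted: {1})",
                granted.Count, granted.IsUnrestricted());
        }
    }
}
```

The two runtime switches that change how this output looks for a share-launched .NET 4 executable are both app.config `<runtime>` elements: `<NetFx40_LegacySecurityPolicy enabled="true"/>` re-enables the caspol-driven CAS policy the poster used on earlier frameworks (so the Intranet zone grant applies again), and `<loadFromRemoteSources enabled="true"/>` lets assemblies loaded from a remote location run with full trust when legacy policy is off. Capturing the dump with each switch on and off, locally and from the share, isolates whether the difference is in the managed trust level at all or in something the COM interop layer does on its own.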