Azman + EntLib + Scope

Topics: Security Application Block
Oct 20, 2010 at 9:04 AM

Hello,

Can anyone offer any advice with regards to using scope in an Azman authentication store?

I am trying to use the Azman store to store a scenario where we have a user that on Site A has a role of "Administrator" and on site B "Manager" but with the roles inheriting from a common hierarchy of roles, tasks and operations. I was hoping to use scopes within the application store to provide this separation. Is this possible and is it the correct approach?

Currently getting an error from the EntLib Azman provider of:

System.Security.SecurityException was unhandled
  Message=Element not found. (Exception from HRESULT: 0x80070490)
  Source=Microsoft.Practices.EnterpriseLibrary.Security.AzMan
  StackTrace:
       at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks)
       at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context)
       at Mears.MCS.WinClient.Application.Program.AuthorizeUserWithRules(IPrincipal principal, IAuthorizationProvider authProvider) in W:\EXETERXP14_MEARSCARE_ALL\SourceCode\DevStream\WinClient\Mears.MCS.WinClient.Application\Program.cs:line 154
       at Mears.MCS.WinClient.Application.Program.AuthWithAzMan() in W:\EXETERXP14_MEARSCARE_ALL\SourceCode\DevStream\WinClient\Mears.MCS.WinClient.Application\Program.cs:line 172
       at Mears.MCS.WinClient.Application.Program.Main() in W:\EXETERXP14_MEARSCARE_ALL\SourceCode\DevStream\WinClient\Mears.MCS.WinClient.Application\Program.cs:line 247
       at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException: System.Runtime.InteropServices.COMException
       Message=Element not found. (Exception from HRESULT: 0x80070490)
       Source=Microsoft.Interop.Security.AzRoles
       ErrorCode=-2147023728
       StackTrace:
            at Microsoft.Interop.Security.AzRoles.IAzScope.OpenTask(String bstrTaskName, Object varReserved)
            at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.GetTaskOperations(IAzApplication azApp, String[] tasks)
            at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks)
       InnerException:


which suggests it's not happy with this approach!

Thanks for any advice.

Oct 20, 2010 at 1:16 PM

I haven't really used Azman but have you read the Security Considerations on using it?


Sarah Urmeneta
Global Technology & Solutions
Avande, Inc.
entlib.support@avanade.com

Oct 20, 2010 at 1:49 PM

Hello Sarah,

yes I have seen that article and the security is fine on the XML store. The problems come when I try and segregate the permissions using scopes. I think the Azman admin tool doesn't help, in that it allows "root" roles and tasks to be assigned in a scoped section which when accessed by the EntLib throws the error above. If I access the root role (not setting Application Scope on the EntLib authorisation provider) it works without exception.

I don't know whether this plays better when hosted in AD, but it seems the use of scopes is a hard filter which doesn't fulfill our requirement of a core task and role set that can be used across multiple sites (or scopes).

Looks like a large role inheritance model is the only way forward.

Any ideas greatly appreciated and thanks for your help.

Cheers

Oct 21, 2010 at 9:23 AM

Can you check this and see if this is what is possibly happening?

I, unfortunately, can't offer expert advice regarding Azman but I suggest debugging through the EntLib source code using the PDB files. If you're using a version lower than 5.0, the PDB files are available as a separate download here on CodePlex. If you're using version 5.0, the PDB files are already part of the installation, located in the same directory where the EntLib assemblies are. If you need info on how to use the PDB files, check out this thread.


Sarah Urmeneta
Global Technology & Solutions
Avande, Inc.
entlib.support@avanade.com

Oct 21, 2010 at 3:40 PM

Hello,

I've checked and it's the application name or suchlike. The Azman provider is opening the XML store, it is also opening the scope (thanks to the debug file tip I've stepped into the EntLib code); the actual line that is failing is this one:

private object[] GetTaskOperations(IAzApplication azApp, string[] tasks)
{
    // EntLib only ever carries a single scope name (the provider's configured application scope).
    string[] scopes = new string[] { this.scopeName };
    StringCollection operations = new StringCollection();

    foreach (String task in tasks)
    {
        // When a scope name is configured, every task is looked up through that scope.
        IAzScope scope = null;
        if ((scopes != null) && (scopes[0].Length > 0))
        {
            scope = azApp.OpenScope(scopes[0], null);
        }

        IAzTask azTask = null;
        if (scope != null)
        {
            // This is the call that fails with "Element not found" (0x80070490) in the trace above.
            azTask = scope.OpenTask(task, null);
        }
        else
        {
            azTask = azApp.OpenTask(task, null);
        }

        Array ops = azTask.Operations as Array;
        foreach (String op in ops)
        {
            operations.Add(op);
        }
    }

    if (operations.Count == 0)
    {
        throw new ConfigurationErrorsException(Properties.Resources.NoOperations);
    }

    // Operation names are resolved back to operation IDs at the application level.
    object[] operationIds = new object[operations.Count];
    for (int index = 0; index < operations.Count; index++)
    {
        operationIds[index] = azApp.OpenOperation(operations[index], null).OperationID;
    }

    return operationIds;
}
Where it is opening the tasks from the scope.
It seems it can't see my task from the scope, despite it definitely being assigned to the role I am a member of within the scope.
Hence I feel the Azman manager snap-in has a contradiction within it that allows 'root' tasks to be assigned to roles within a scope but then the runtime doesn't allow for this.
Or is it that EntLib only supports the passing of a single scope name into the Azman interop, which would actually accommodate an array of scope names? Perhaps passing all store scopes over would make it work? Just guessing!
Thanks
Oct 22, 2010 at 12:54 AM
Edited Oct 22, 2010 at 2:32 AM

The IAzTask.OpenScope does not provide an overload which takes a list or array of scope names, so EntLib doesn't support it as well.

It seems it can open the task if it uses the OpenTask method of the IAzApplication interface, that is when you didn't specify a scope name:

       azTask = azApp.OpenTask(task, null);

So I suggest double checking the spelling of your scope name.

After confirming that you are passing the correct scope name, then I would recommend posting the question in the MSDN forum for CLR or other .NET forums, since we have narrowed it down to the exception being thrown by the IAzTask interface and not an EntLib class. I advise mentioning your scopes and asking why the IAzTask.OpenTask doesn't work whereas the IAzApplication.OpenTask does.


Sarah Urmeneta
Global Technology & Solutions
Avande, Inc.
entlib.support@avanade.com
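The two suggestions in this thread (confirm the scope name is spelled exactly as stored, and find out whether the task is only visible via IAzApplication.OpenTask rather than IAzScope.OpenTask) can be checked with a small diagnostic against the store. The following is an added example, not code from EntLib or from the poster; it uses the AzRoles interop members named in the stack trace and assumes the store URL, application name, scope name and task names are supplied by the caller (placeholders).

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Interop.Security.AzRoles;

// Diagnostic for the "Element not found" (HRESULT 0x80070490) failure discussed above.
// Lists the scopes the store really contains (a misspelled scope name shows up here), then reports
// for each task whether it resolves from the scope, from the application ("root") level only, or not at all.
public static class AzManScopeDiagnostic
{
    private const int ErrorNotFound = unchecked((int)0x80070490); // ERROR_NOT_FOUND, as in the trace

    public static void Run(string storeUrl, string applicationName, string scopeName, string[] tasks)
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);                  // flags 0: open an existing store
        IAzApplication app = store.OpenApplication(applicationName, null);

        Console.WriteLine("Scopes in application '{0}':", applicationName);
        foreach (IAzScope s in app.Scopes)
            Console.WriteLine("  '{0}'", s.Name);             // compare character for character with scopeName

        IAzScope scope = null;
        try { scope = app.OpenScope(scopeName, null); }
        catch (COMException ex)
        {
            if (ex.ErrorCode != ErrorNotFound) throw;
            Console.WriteLine("Scope '{0}' does not exist; checking application level only.", scopeName);
        }
        foreach (string task in tasks)
            Console.WriteLine("Task '{0}': {1}", task, Locate(app, scope, task));
    }

    // Same lookup order as the EntLib provider: scope.OpenTask first, then azApp.OpenTask.
    public static string Locate(IAzApplication app, IAzScope scope, string task)
    {
        if (scope != null)
        {
            try { return "defined in scope (" + CountOps(scope.OpenTask(task, null)) + " operations)"; }
            catch (COMException ex) { if (ex.ErrorCode != ErrorNotFound) throw; }
        }
        try { return "application (root) level only (" + CountOps(app.OpenTask(task, null)) + " operations)"; }
        catch (COMException ex) { if (ex.ErrorCode != ErrorNotFound) throw; }
        return "not found in scope or application";
    }

    private static int CountOps(IAzTask t)
    {
        Array ops = t.Operations as Array;
        return ops == null ? 0 : ops.Length;
    }
}
```

Call it as `AzManScopeDiagnostic.Run("msxml://C:\\path\\to\\store.xml", "YourApp", "SiteA", new[] { "YourTask" })` (placeholder values); a task reported as "application (root) level only" is exactly the case the scoped provider cannot open.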