Configuring Microsoft Authorization Manager (AzMan)

Installing AzMan

Here are brief instructions for downloading and installing AzMan on different systems. (Note: this applies only to the system where Iron Speed Designer is running.)

http://msdn2.microsoft.com/en-us/library/ms998331.aspx

AzMan is available for Windows Server 2003, Windows XP Professional, and Windows 2000 Server as follows:

Note:  If you are running Windows XP Service Pack 2 or later, you must install Service Pack 1 or later of the Windows Server 2003 Administration Tools Pack.

This installs the run-time components only and not the AzMan administration Microsoft Management Console (MMC) snap-in. You can still use the MMC snap-in on a computer that uses Windows Server 2003 or on a computer that uses Windows XP and has the Windows Server 2003 Administration Tools Pack installed, to remotely administer AzMan on a computer running Windows 2000 Server.

You must have Azroles.dll in your ...\<Windows>\System32 folder to allow the Security Wizard to retrieve roles from AzMan.  Without this DLL, Iron Speed Designer cannot retrieve the list of roles from AzMan nor allow you to assign roles to your application web pages.  Azroles.dll is installed automatically when you install AzMan as described above, or you may download the DLL file directly and then register it by executing this command from within your ...\<Windows>\System32 folder:

Regsvr32 azroles.dll

Several sources offer this file for download:

http://www.dlldll.com/microsoft.interop.security.azroles.dll_download.html

http://www.dlllab.com/microsoft.interop.security.azroles.dll_download.html

File-based policy store names

Note that although Microsoft Authorization Manager allows spaces in the file name and application name of a file-based policy store, the Microsoft AuthorizationStoreRoleProvider run-time library cannot open a policy store file or application whose name contains spaces.
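As an added example (not text or code from this page or from Iron Speed Designer), here is a web.config fragment that wires the ASP.NET 2.0 AuthorizationStoreRoleProvider to a file-based policy store whose file name and application name contain no spaces. The provider name AzManRoleProvider, the connection string name AzManStore, the application name MyApp, the store path App_Data/AzManStore.xml and the Active Directory distinguished name in the commented-out alternative are all values chosen for this example.

```xml
<configuration>
  <connectionStrings>
    <!-- File-based store: the msxml:// prefix followed by a path; "~/" is the web application root.
         Keep the file name free of spaces: a store named "msxml://~/App_Data/AzMan Store.xml"
         can be created in the AzMan MMC snap-in but cannot be opened by the run-time provider. -->
    <add name="AzManStore"
         connectionString="msxml://~/App_Data/AzManStore.xml" />

    <!-- Active Directory store (the better choice for production): the msldap:// prefix followed
         by the server and the distinguished name of the store object. Example DN, not a real one:
    <add name="AzManStore"
         connectionString="msldap://dc01.example.com/CN=AzManStore,CN=Program Data,DC=example,DC=com" />
    -->
  </connectionStrings>

  <system.web>
    <roleManager enabled="true" defaultProvider="AzManRoleProvider">
      <providers>
        <clear />
        <!-- applicationName must match the application defined inside the policy store and,
             like the file name, must not contain spaces.
             cacheRefreshInterval is the number of minutes between re-reads of the store. -->
        <add name="AzManRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AzManStore"
             applicationName="MyApp"
             cacheRefreshInterval="60" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The account the application runs under must be able to read the store: NTFS read access to the .xml file for a file-based store, and the Reader role on the store (granted on the Security tab of the store's properties in the AzMan MMC snap-in) for either kind of store. Without that, the provider fails with the "Insufficient access rights" COMException shown later on this page.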

Configuring AzMan on Windows Server 2003

If you choose to locate your AzMan policy store in Active Directory (the better choice for production), your Active Directory domain must be in Microsoft Windows 2003 Functional Mode.

If you are developing on Microsoft Windows XP, install the Windows 2003 Administration Tools from the Windows 2003 CD on your machine to use AzMan for development on Windows XP.

We recommend you verify that you installed ASP.NET application server support on your Windows 2003 Server.

Make sure that the account whose credentials are used to run your application has been granted permission to read the policy information in the store.

Configuring AzMan on Windows Server 2003 64-bit

If you have configured your application and, at run time, the attempt to retrieve role information from AzMan fails with this error:

The authorization store component is not installed

Description: The AuthorizationStoreRoleProvider requires the authorization store components to be installed on the machine. The authorization store components are only installed and available by default on Windows Server 2003. Currently it appears that either the components have not been installed, or that the primary interop assembly has not been registered in the global assembly cache (GAC). Both of these steps can be accomplished by downloading the Authorization Manager installation package from the web for your operating system, and installing the package on the machine. Installations for other operating systems can be found by navigating to http://download.microsoft.com and searching with either the keyword "AzMan" or the keywords "authorization manager".

Most likely this means that your AzRoles assembly has not been registered in the global assembly cache (GAC). To register the assembly, perform the following steps:

Step 1:  Run the Microsoft .NET Framework 2.0 Configuration utility in the Control Panel’s Administrative Tools group.

Step 2:  Expand My Computer, right-click Assembly Cache and choose Add...

Step 3:  Browse to Windows\Microsoft.net\Authman\1.2\microsoft.interop.security.azroles.dll and add this assembly.

Step 4:  Verify that this assembly appears in the list.  Note that Version 2 of this assembly may already be present.  There are known compatibility issues with Version 2, so if you receive errors after adding assembly version 1.2, remove assembly version 2.

Configuring Microsoft IIS to operate with AzMan

The default process identity for IIS 6 (default application pool) is NT AUTHORITY\NETWORK SERVICE.

Microsoft IIS may not grant the security permissions necessary to get responses from AzMan.  If this is the case, application users cannot be authorized and do not receive their roles from AzMan, and attempts to view any page with a non-empty list of custom roles are redirected to your application's Forbidden page.

To verify that this is the source of the problem, you may download the ShowContexts.aspx utility or any other tool that shows the security context of the page.  Configure your application with AzMan role authorization in Iron Speed Designer, log in with any valid user name, copy this (or any other) utility to the application's root folder and then open it.  If your application works properly, you will see a list of roles for the current user at the bottom of the page.

However, if you have the authorization problem described above, you will see:

Roles: error fetching roles using RolePrincipal

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x80072098): Insufficient access rights to perform the operation. (Exception from HRESULT: 0x80072098) --- End of inner exception stack trace --- at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters) at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams) at System.Type.InvokeMember(String name, BindingFlags invokeAttr, Binder binder, Object target, Object[] args, CultureInfo culture) at System.Web.Security.AuthorizationStoreRoleProvider.CallMethod(Object objectToCallOn, String methodName, Object[] args) at System.Web.Security.AuthorizationStoreRoleProvider.InitApp() at System.Web.Security.AuthorizationStoreRoleProvider.GetClientContext(String userName) at System.Web.Security.AuthorizationStoreRoleProvider.GetRolesForUserCore(String username) at System.Web.Security.AuthorizationStoreRoleProvider.GetRolesForUser(String username) at System.Web.Security.RolePrincipal.GetRoles() at ASP.showcontexts_aspx._getRoles() in c:\Apps\MyApp3\ShowContexts.aspx:line 133,

and also

Process Identity: NT AUTHORITY\NETWORK SERVICE

To solve this problem, create a separate Application Pool and a separate Service Account for your ASP.NET 2.0 Application.

Step 1:  Create a new user and add it to the IIS_WPG group.

Step 2:  Create a new Application Pool in IIS and set its Identity to this user.

Step 3:  In your application's web site properties (Home Directory tab, Application settings, Application Pool), select this new pool.

For additional details about creating a Service Account:

http://msdn2.microsoft.com/en-us/library/ms998297.aspx

Granting your application access to AzMan policy stores

If you are running your application on a non-Windows 2003 computer and the Microsoft IIS web server while using an AzMan policy store located in the Active Directory, make these changes to allow your application to access the AzMan policy store:

Step 1:  Add the username account to the ‘Pre-Windows 2000 Compatible Access’ group in your Active Directory.

See http://support.microsoft.com/kb/331951 for details.

Step 2:  Set the <processModel .../> property of the <system.web> section in your machine.config file to allow the Microsoft IIS web server to run the ASP.NET application worker process (aspnet_wp.exe) using the account you added to the ‘Pre-Windows 2000 Compatible Access’ group instead of the built-in ASPNET account with lesser permissions.  The Authorization Store running on the Domain Controller machine and located in your Active Directory does not allow processes owned by the ASPNET account to access any information.

This property should have these attributes:

enable="true" userName="domain\username" password="validpassword"

See http://msdn2.microsoft.com/en-us/library/aa291339(VS.71).aspx  for details.

Note: the Microsoft IIS web server will assign all processes it starts to this account.

If you change your machine.config file, reboot your computer to make these changes effective.
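The <processModel .../> change from Step 2, written out as a complete element. This is an added example, not text from this page or from Iron Speed Designer. The first form is the one the page describes, with the account credentials in clear text in machine.config; the second keeps the same attributes but stores the credentials in the registry using Microsoft's aspnet_setreg.exe utility, which ASP.NET's processModel section reads through the registry: syntax shown. The registry key path SOFTWARE\MY_SECURE_APP\processModel, the domain\username account and the password are placeholder values for this example.

```xml
<!-- machine.config, inside <system.web>. Only the attributes relevant to the worker-process
     identity are shown; keep the other processModel attributes your machine.config already has,
     and use exactly one of the two forms. -->
<system.web>

  <!-- Form 1: as described above. domain\username and validpassword are placeholders.
       Anyone who can read machine.config can read this account's password, so restrict the
       file's NTFS permissions if you use this form.
  <processModel enable="true"
                userName="domain\username"
                password="validpassword" />
  -->

  <!-- Form 2: credentials stored in the registry. Create them first from a command prompt with
       Microsoft's utility (example key path; the utility creates the ASPNET_SETREG subkey itself):

         aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\processModel -u:"domain\username" -p:"validpassword"

       Then restrict the ACL on that key so that only the accounts that must read it can, and
       point the userName and password attributes at the key with the registry: prefix. The value
       name after the comma (userName or password) selects which stored value is used. -->
  <processModel enable="true"
                userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName"
                password="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,password" />

</system.web>
```

Either form still requires the reboot mentioned above before the worker process picks up the new identity, and the account named must be the one you added to the 'Pre-Windows 2000 Compatible Access' group in Step 1.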

If you do not change your machine.config file, you can still use AzMan role management with an XML file-based policy store, but in a less efficient mode.  This mode affects only the authorization of users other than the user currently logged into Microsoft Windows.  Namely, instead of calling the GetRolesForUser(username) method to retrieve the list of roles for a particular username, your application creates a new HttpContext with that username as the current user, retrieves its roles via the GetRolesForUser() method, and then rolls back to the previous context.

Related Topics

http://geekswithblogs.net/drewby/archive/2004/09/14/11122.aspx

http://msdn2.microsoft.com/en-us/library/ms998331.aspx

See Also

Configuring Your System for Application Security

Configuring Microsoft IIS and IIS Express for Application Security

Configuring IIS Express

Active Directory Role Management

Configuring Microsoft Active Directory

Microsoft Authorization Manager (AzMan) Role Management

Configuring Microsoft Authorization Manager (AzMan)

Microsoft SharePoint Authentication and Authorization

Data Transmission Encryption

Configuring Firewall Security

Handling SQL Injection Attacks