BUG: You receive a "False" value when you call the User.IsInRole method in an ASP.NET application even though the user is assigned to the role (894432)


The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework) 1.0

SYMPTOMS

When you call the User.IsInRole method in a Microsoft ASP.NET application, you receive a False value from the method. This behavior occurs even though the user may be assigned to the role.

Note This issue occurs when the ASP.NET application is mapped to a Uniform Naming Convention (UNC) share.

WORKAROUND

To work around this issue, use one of the following methods:
  • Do not map the ASP.NET application to a UNC share.
  • Run the iisreset command after you add a user to a role but before you request an ASPX Web page.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Steps to reproduce the issue

  1. Create a Microsoft Internet Information Services (IIS) application that is named Unc. To do this, follow these steps:
    1. Click Start, click Run, type inetmgr.exe, and then click OK.
    2. Expand ServerName.
    3. Right-click Web Sites, and then click New.
    4. Name the site Unc, and then click OK.
  2. Right-click Unc.
  3. In the Properties dialog box, click the Directory security tab.
  4. Under Anonymous access and authentication control, click Edit.
  5. Verify that the Anonymous access check box is selected.
  6. Click to select the Integrated Windows authentication check box.
  7. In the application folder, create an ASPX file that contains the following code example.
    <%@page language="cs"%>

User.Identity.Name=<%=User.Identity.Name%><br>
role=<%=Request.QueryString["role"]%><br>
User.IsInRole(role)=<% = User.IsInRole(Request.QueryString["role"])%><br>
  8. Create a share that is mapped to this physical folder.
  9. Create the local user who is named MyUser. To do this, follow these steps:
    1. Click Start, click Run, type lusrmgr.msc, and then click OK.
    2. Right-click Users, and then click New User.
    3. Name the new user MyUser, and then click Create.
  10. Map the IIS application to the share that you created in step 8, and then connect to the share by using the MyUser account.

    Note Make sure that the MyUser account has Read user rights on the physical folder on the share.

    To do this, follow these steps:
    1. Click Start, click Run, type inetmgr.exe, and then click OK.
    2. Expand ServerName, and then expand Web Sites.
    3. Right-click your Web site, and then click Properties.
    4. Click the Home Directory tab.
    5. Click A share located on another computer.
    6. In the Network directory box, type the path of the application that you created in step 1.
    7. Click OK.
  11. Give the MyUser account Full access to the following folder:

    %windir%\Microsoft.NET\Framework\FrameworkBuild\Temporary ASP.NET Files

  12. Create a new role on your computer, and then assign the MyUser user to this role. To do this, follow these steps:
    1. Click Start, click Run, type lusrmgr.msc, and then click OK.
    2. Right-click Groups, and then click New Group.
    3. In the New Group dialog box, name the group MyRole, and then click Add.
    4. In the Enter the object names to select box, type MyUser, and then click Check Names.
    5. Click OK, and then click Create.
    6. Click Close.
  13. In a Web browser, open your ASPX page by passing the role in the query string. For example, open the following URL:

    http://YourServerName/unc/page.aspx?role=YourServerName\MyRole

  14. When IIS runs the ASPX page, you receive the following output:
    User.Identity.Name = MyUser
    Role = MyRole
    User.IsInRole(role)=False


    Note You expect to receive the following output: 

    User.IsInRole(role)=True
Modification Type:MajorLast Reviewed:4/22/2005
Keywords:kbIIS kbSecurity kbASPNET kbnofix kbBug KB894432 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.