AzMan Questions

I am putting this place holder out for Windows 2003 Authorization Manager ( AzMan) questions.

If you have them,  please ask them.

The AzMan (pronounced "A" "Z" "Man" ) update is included in the following:
Windows 2003 SP1 Admin Pak[^]

Windows 2000 Authorization Manager Runtime [^]

You will need to GAC the PIA. You should use the new interfaces for performance and all the benefits of the new interfaces such as the ability to create an emtpty client context and set the LDAPQueryDN supporting dynamic query groups in ADAM. This  update to azman facilitates ADAM and ADFS integration environments. AzMan acts as a claims transformation engine when used in conjunction with ADFS. In each case, it is possible to build an empty client context and load sids (typically in the case of an ADAM authentication environment) or load roles and groups based on ADFS group claim assertions.

[Update: There was a change in packaging. The PIA is not included in the Win2k3 admin pack for WinXP. It is possible to create an interop from the azroles.dll or use the PIA from Win2k3 under %windir%\Microsoft.Net\Authman\(version) ]

Comments

  • Anonymous
    June 28, 2005
    Hi Dave,
    I've found very little material about the use IBF (Information Bridge Framework) makes of AzMan.
    Are you familiar with articles on the subject?
    Two particular questions which I couldn't find an answer to are
    1. On publication of the IBF Metadata, are the IBF Operations automatically mapped to AzMan operations?(my guess is yes)
    2. Are IBF Actions mapped automatically to AzMan Roles (my guess is no)

    Thanks in advance

  • Anonymous
    June 28, 2005

    Yes, operations are mapped to AzMan
    operations

    No, actions are not mapped to anything in AzMan

    IBF Groups are mapped to tasks in AzMan and they group operations for easier permission setting

    Regards,
    David

  • Anonymous
    August 17, 2005
    The comment has been removed

  • Anonymous
    August 18, 2005
    AzMan works with sharepoint. If you are writing a custom webpart, you will identity the resources or UI that you want to protect as operations,set the tasks and roles accordlingly, assign your user or group to the role, in your web part initializeclientcontextfromtoken() passing in the WindowsIdentity token containing all your sids, call an accesscheck (likely once containing all ops in the webpart). You then check your results. If your operation result is TRUE then you set an item visable, or show a column from the database or etc... like any other app. Just remember that you need to set the SPS site roles as well and assign users to them as well.

  • Anonymous
    September 15, 2005
    I should be clear that TRUE = 0 = NO_ERROR per COM origins... most .net people wrap azman and return a boolean or array of booleans per accesscheck - the actual return is - SAFEARRAY is a VARIANT of type VT_I4.
    If interested in more details...

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazclientcontext_accesscheck.asp?frame=true

  • Anonymous
    October 06, 2005
    Hi,

    I'm senior consultant for an Microsoft Gold Certified Partner in Brazil.

    Now I'm studying AzMan and I find a great How To article in MS Patterns & Practices web site. The article is: How To: Use Authorization Manager (AzMan) with ASP.NET - 2.0http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp

    However this Enterprise currently use .Net Framework 1.1

    My Question is:
    . How I do this integration Between .Net Framework (ASP.Net pages) with AzMan?
    . In .Net 1.1 I'm forced to use AzMan API in my ASP.Net Web Application - code behind pages?


    Thanks

    Hélio Sá Moreira

  • Anonymous
    October 06, 2005
    The Step 6. approach described in article referenced by the link that you provided is a valid approach for .NET 1.1 also. The ASP.NET 2.0 role provider is a wrapper to simplify the use of AzMan by offering a subset of the capabilities of the AzMan API and it also provides a common authorization approach within ASP.NET. Enterprise Library http://www.microsoft.com/downloads/details.aspx?FamilyID=a7d2a109-660e-444e-945a-6b32af1581b3&displaylang=en also contains a wrapper that provides additional functionality - exposing a simplified accesscheck. You would use the AzMan API directly when you want to take advantage of the full set of capabilities. It provides a simplified and common way with a robust api to address professional authorization. An interop can be created or use the pia found on a win2k3 system. People often create their own wrappers to fit a specific purpose. AzMan is very flexible and offers functionality that is applicable to a number of situations. If you would like to use in your code behind pages or web services... it's really up to you. Does this answer your question? Regards, David

  • Anonymous
    October 12, 2005
    The comment has been removed

  • Anonymous
    October 12, 2005
    Absolutely!!! Some find it a great idea to perform the access check with one network call by loading all the operations into a single call, transform in a wrapper (check access OK becomes TRUE in return for op) to an array of boolean results and then for attributes such as visable, disabled, etc... have something like mytexbox.visible = opcheckresults[1]; // cooresponding to the result of operationIds[1]=op_constant. You could use the result for determining access to a function, build a wrapper so that your code is attribute/declarative driven, or even using a scope as data e.g. mynewsgroup and then have roles such as admin, reader, contributer, etc. Then when using SP1 return all the scopes assigned to a user to display all the news groups of which the user is assigned in at least one role.

    Since AzMan is part of the Windows 2003 OS the current SDK location is the Platform SDK. There are a few things planned for the Vista Platform SDK. I suspect that the managed sample from the PDC 2005 hands on lab will make it in regarding - a more complex sample. There are a few more goodies planned for the Vista SDK but I wouldn't want to ruin the suprise :) You will also want to keep an eye out for Active Directory Federation Services and potential AzMan use in the SDK. Check out the .NET show on AzMan with ADFS -
    http://msdn.microsoft.com/security/understanding/webcasts/default.aspx

    Regards,
    David

  • Anonymous
    October 17, 2005
    Hi David,
    Is there any way to bind an ADAM principal to Azman through the user's name ?. I found a way through the user's SID, but the Azman Role provider in ASP.NET 2.0 uses user names instead of SIDs.
    Thanks

  • Anonymous
    October 17, 2005
    Hi David,

    AzMan uses XmlFile or ActiveDirectory (or ADAM) as a backing store for the authorization information, and Vista will add SqlServer, but
    is there any way to extend the backing store or authorization decission processing with a custom class? On the other hand defining custom authorization decission processing will allow using different semantics than Role Based Access Control, for example XACML based on functional access.

    Regards,
    Diego Gonzalez

  • Anonymous
    October 17, 2005


    Hi David,
    Is there any way to bind an ADAM principal to Azman through the user's name ?.
    DC>Not currently. The current approach for store administration using ADAM is the API. The client context may be created empty and sids added to it.

    I found a way through the user's SID, but the Azman Role provider in ASP.NET 2.0 uses user names instead of SIDs.
    DC>You have a great approach listed on your blog.

    With Win2k3 SP 1, if you can get the user DN, you can set the ldapquerydn on the client context and make use of dynamic query groups.

    Regards,
    David

  • Anonymous
    October 21, 2005
    See inline:

    Hi David,
    AzMan uses XmlFile or ActiveDirectory (or ADAM) as a backing store for the authorization information, and Vista will add SqlServer, but
    is there any way to extend the backing store or authorization decission processing with a custom class?
    ---------------------
    DC>No, extension the policy store is not supported. We do however support business rules which allow you to call custom code (script or - .net class if in process) to determine access. You can also expose a web service wrapper.

    ----------------------
    On the other hand defining custom authorization decission processing will allow using different semantics than Role Based Access Control, for example XACML based on functional access.

    ----------------------
    DC> I saw some debate on this related to the sunxacml but I would like to hear more specifics on how you would like to implement.
    ----------------------

    Regards,

    Diego Gonzalez

    ----------------------
    I've heard a few requests for XACML usage but when I tried to dive into it, I couldn't get any concrete requirements. If you would like to take this offline, submit your email on this site or call 610-240-7000 and provide your contact info.

    Regards,
    David

  • Anonymous
    January 18, 2006
    David

    I am having no joy with working with dynamic groups in AzMan, despite following the "bouncing ball" on articles such as this one: http://msdn.microsoft.com/msdnmag/issues/03/11/AuthorizationManager/

    I am using the sample "workbench" app from this site to test my dynamic groups - but I can only get the basic groups to work, and only for AD-based users (not ADAM users).

    We are running with W2003SP1, with an AZMAN instance in an ADAM store (as well as one in AD for comparison).

    Firstly, is there some trick to getting dynamic groups working? Even basic queries such as (cn=*) don't work for us.

    Secondly, will this work for ADAM users too? I was expecting a way to nominate a directory source somehow as a root node, but all the samples seem to assume that this is a given (i.e. the current domain).

    Can you perhaps direct me to some more examples/articles on this? There seems to be very little info on the dynamic groups feature.

    Thanks!

    Bob Bradley
    Solutions Architect
    Unify Solutions Pty Ltd
    Suite 23, 213 Greenhill Road
    Eastwood, SA, AUSTRALIA, 5063
    www.unifysolutions.net
    MCP ID: 1956368

  • Anonymous
    February 02, 2006
    You will require Win2k3 "SP 1" or the appropriate update for azman. Then create an empty client, use AddStringSids to copy the sids that you queried from tokengroups of the ADAM user that you authenticated, then set the ldapquerydn to that of the authenticated ADAM user. Note: from an infrastructure standpoint - the process will need to have rights to access the object that you specified in the ldapquerydn on the azman client context (IAzClientContext2). More info is available at the following link...

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazclientcontext2_ldapquerydn.asp

    An updated white paper targeted for MSDN including Win2k3 SP 1 aspects is pending release. I do not have a date for that at this time however...

  • Anonymous
    February 06, 2006
    Hi David,

    Question about the dynamic business rules in AZMan roles and tasks.

    I was wondering if it is possible to create a business rule that uses an external store like a database or even the result of a webservice to validate an authorization request.

    Thanks,
    Koen

  • Anonymous
    February 07, 2006
    This is possible. In addition, It is possible via ccw to call a .net function when azman is in the same process.  I would also recommend that business rules be short operations focused on authorization.

    From the mmc - azman.msc , look at the properties, then limits tab for additional settings related to business rules.

    Regards,
    David

  • Anonymous
    February 14, 2006
    The comment has been removed

  • Anonymous
    February 15, 2006
    David,

    I'm almost certain that I heard in an MSDN Webcast delivered by Kevin Ramsaur that W2K3 R2 would support binding ADAM principals to AzMan roles using the ADAM username instead of the current SID-only method. Is this a true statement?

    Thank you,
    -bill

  • Anonymous
    February 15, 2006
    Bill,

    Win2k3 R2 is equivalent to Win2k3 SP1 as far as AzMan.  I suppose that initializing an empty client context and using the ldapquerydn on the client context would give the appearence of using an ADAM name but it would do so with the expense of making ldap calls/queries using dynamic ldap query groups. There are performance advantages to populating the sids using AddStringSids http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazclientcontext2_addstringsids.asp?frame=true 
    in the client context from a query to the adam user token groups
    The following is the location for the interface docs on msdn.
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_interfaces.asp?frame=true  

    The ones with a (2) are available SP 1 update and the ones with a (3) are a few potentials for LH/Vista - the info on MSDN is early preview.  I would keep an eye out for the next Vista beta for some more AzMan enhancements but Vista does NOT have an initializeclientcontextfromAdamName planned. The upcoming AzMan white paper will go into some of the SP 1 enhancements. Look for an ADAM object picker in the MMC at Vista timeframe.  AzMan before then enables user assignment and authorization management via the API only.  Most people make the authorization part of their application.  There would be an admin web page for instance that could allow role assignment using the AzMan API.
    Regards,
    David

  • Anonymous
    February 15, 2006
    Simon,

    First of all - Thanks!

    I have seem some custom code implementations with Indigo/WCF and AzMan. So there are integration points with WCF but there is nothing built-in to the WCF OM per se.  AzMan remains a key API of the Operating System and has some exciting futures planned with Vista bringing some very cool features. AzMan has the PIA for .NET programability as you are probably aware.  I am sure that there will be more material on how Indigo/WCF works with AzMan as time goes on.  Keep an eye out for the upcoming AzMan white paper.  I do not have a release date yet but should be relatively soon.  

    Regards,
    David

  • Anonymous
    February 22, 2006
    David,

    I have used Azman on a few projects and am quite happy with the functionality, features and flexiblity.
    One item I am interested in seeing is a web front end for mananging the AzMan store. Are there such projects out there or any vendors that supply such functionality?

  • Anonymous
    February 23, 2006
    There is a web ui sample which is likely to make it into Vista Platform SDK. This one would mimic the MMC to some degree but the important thing to focus on IMHO is that your administration may match certain features of your application that look nothing like the MMC.  For instance, if you were writing a newgroup application, you may chose each newsgroup to be a scope, and in each scope define roles Administrator, Contibuter, Reader.  When a user creates the new group, the API in the background would create the scope for that group matching the database entry for the newsgroup.  You would likely expose role assignment to the end user as you are controlling the constructs.  

    Another example where a custom UI may be used is for ADAM administration.  You would make the calls to ADAM and list the user names but on role assignment, you would submit the sids via the API for role assignment then display performing name lookups in adam based on the sids returned from the authorization policy store.

    Regards,
    David

  • Anonymous
    February 23, 2006
    Marcel,

    To your other question, aside from the Microsoft products utilizing azman there is a vendor http://www.nakisa.com/contents/default.asp that I believe is using AzMan at the core...

    Regards,
    David

  • Anonymous
    March 21, 2006

    Hi Dave,

    I am currently writing a utility to export an application's operations, tasks, and role definitions to flat files and then import them into a new application in another policy store.  I am using the AzMan API to accomplish this.  I have no problems exporting the definitions but importing them is giving me a problem.  When I call the CreateApplication method of AzAuthorizationStoreClass, the application can be seen in the authorization store object while debugging and it exists in a separate IAzApplication also.  The problem is the application never gets created in the authorization store when viewing it with the MMC.  And later when I try to call the CreateOperation method on the IAzApplication object I get the following error:

    The operation could not be performed because the object's parent is either uninstalled or deleted.

    Do you have any ideas what could be causing this?  The steps involved seem pretty obvious but I must be missing something.

    Thanks.
    Chris

  • Anonymous
    March 22, 2006
    The comment has been removed

  • Anonymous
    March 23, 2006

    Thanks for the sample, Dave.

    After reading through the white paper again I found that I was not calling the Submit method after creating the application.  Your example above just validates the need to call Submit after creating each operation, task, etc.

  • Anonymous
    March 24, 2006
    The comment has been removed

  • Anonymous
    April 11, 2006
    David and all AzMan experts

    Was wondering, does anyone know of a good utility/tool to export out an AzMan xml store directly into the Active Directory?

    Our DEV environment runs based on AzMan xml store, but we are facing performance issues in the TEST environment. I was looking to create a task in my daily build to export the authorisation store to the AD everyday, so that the TEST can use the AD instead of xml store.

    Cheers, _Guru


  • Anonymous
    April 23, 2006
    We are targeting Vista SDK beta 2 to include sample code in C++ that would demonstrate migrations...  Likely to be available, I think, June/July timeframe...

    Regards,
    David

  • Anonymous
    April 27, 2006
    Hi David,

    A queston for you please.

    My environmet is W2K3 SP2 with .NET 2.0 and WCF beta 2. The client has requested that we do not create appication groups in the AD, but rather in ADAM and then assign the AD users to the groups in ADAM. I am using AzMan for authorization. Does it make sense to use ADAM to define the application groups, or would it be better to define the application groups as Basic groups in AzMan and then assigning the AD users to those groups, if the ONLY reason we would consider using ADAM is purely for creating the Application Groups ?

    Regards
    Kurt

  • Anonymous
    April 27, 2006
    Hi David,

    A queston for you please.

    My environmet is W2K3 SP2 with .NET 2.0 and WCF beta 2. The client has requested that we do not create appication groups in the AD, but rather in ADAM and then assign the AD users to the groups in ADAM. I am using AzMan for authorization. Does it make sense to use ADAM to define the application groups, or would it be better to define the application groups as Basic groups in AzMan and then assigning the AD users to those groups, if the ONLY reason we would consider using ADAM is purely for creating the Application Groups ?

    Regards
    Kurt

  • Anonymous
    April 27, 2006
    The comment has been removed

  • Anonymous
    April 28, 2006
    Thanks for the reply. I am not sure I understand your question though, " - was the aspect of creating an application group utilizing any policy store what you were looking for?"

    :)

  • Anonymous
    April 28, 2006
    The comment has been removed

  • Anonymous
    May 01, 2006
    I need help please!!!

    I received 'InvalidCastException' using the code below:

    IAzAuthorizationStore2 _store = new AzAuthorizationStoreClass();

    Thanks,

    Barry

  • Anonymous
    May 01, 2006
    Try this...

    AzAuthorizationStoreClass _store = new AzAuthorizationStoreClass();

    _store.Initialize(...)

    IAzApplication2 _azApp =
    _store.OpenApplication2(...);

    ...

    Regards,
    David

  • Anonymous
    May 02, 2006

    Hi Dave,

    I posted earlier (March 21) about creating a console application to export/import a policy store from/to AzMan via the API.

    The problem I am having now, after importing the policy store into AzMan, is that the role, task, and operation definitions and the role assignments are showing up in AzMan but when I call the AccessCheck() method on the API for a series of defined operations, the operations are not seen as assigned to the user/role.  The AccessCheck() call is returning 5 when it should be returning 0.  If I create a new application in AzMan and hand-key in all the definitions and role assignments and then call the AccessCheck() on the new application then the correct values are returned.  There is some small detail that I am missing during the import.

    Do you have any ideas?

    Chris

  • Anonymous
    May 02, 2006
    The comment has been removed

  • Anonymous
    May 02, 2006
    Barry,

    What version of the PIA are you using?  Is it 1.2? (%windir%Microsoft.NETAuthMan1.2)

    Regards,
    David

  • Anonymous
    May 02, 2006
    Chris,

    Could be a few things potentially as simple as role assignment where SIDs do not match between environments.  Please send your contact info via the "Email" link on this page and I will take a look at your stores.

    Regards,
    David

  • Anonymous
    May 02, 2006
    David,

    That's correct. We are using PIA 1.2
    (%windir%Microsoft.NETAuthMan1.2)

    Thanks,
    Barry

  • Anonymous
    May 02, 2006
    The comment has been removed

  • Anonymous
    May 25, 2006
    Dave, we are concidering using AzMaz for authorizing external users. I have a couple of questions:
    1.Is there a method in the AzMan API that will give me all tasks/operations a giver user have access to?
    2.Where can I find documentation on AzMan API?
    3.I read in one article that in order to use AzMan without using Windows accounts to represent users "you need to define custom security identifiers (SIDs) for each user", and that in this case "you won't be able to use the AzMan snap-in to manage your stores".
    My question is does it mean that I won't be able to use AzMan to assign these users to roles? What is the alternative?

    Thanks you,
    Mariya

  • Anonymous
    May 25, 2006
    Hello David,

    Is the Authorization Policy Store XML Schema public? in this case, where can I find it?

    best regards,
    Geykel

  • Anonymous
    May 26, 2006
    The schema is not public.  The only supported way to work with the XML store is through the API.  It is possible for the underlying store schema to change and in fact does with Vista.

    Regards,
    David

  • Anonymous
    June 01, 2006
    Hi David,
    We have our existing applications where security objects like users,roles,groups,menu items is configured on the database.when an individual user opens the application his menu will be displayed dynamically in a tree view.
    Now we would like to explore on Azman since in our future applications we would like the users to be authenticated USING Active Directory.

    Now i would like to simulate the dynamic menu generation using AZMAN.Is it possible.If so how..

    iam trying to create menus as tasks and diffrent functionalities of a menu as operations.But when the user is authenticated i would like to display tasks dynamically...Is it possible...

    Please suggest.

    regards
    varma

  • Anonymous
    June 01, 2006
    Hello David,

    I am currently building an access control solution for a client based around AzMan. We came across the following article on AzMan : http://msdn.microsoft.com/msdnmag/issues/03/11/AuthorizationManager

    "Be aware of concurrency issues if you share a store among multiple applications because stores do not yet support concurrent editing. If you think there's a chance two administrators might be editing a single store at the same time, you need to provide some external locking to serialize access to the store; otherwise, it might become corrupted."

    Could you add a little bit on how exactly could the store become corrupted ? Specifically, does this issue only happen on XML stores or also on Active Directory ones ?

    Is there a better solution at this time to this issue then just using single-application stores ?

    Thanks for your help!

  • Anonymous
    June 01, 2006
    The wording "corrupted" from our initial guidance is perhaps a bit strong. The issue is that last-in-wins.  In that scenario if two administrators make a change on the same item the one who performs that change last with an identical starting point will win.  Often people think that means the store will not load and a restore necessary. The issue with AD vs XML is that the XML store is fully loaded into memory and a change writes the whole policy store down to disk.
    Another case where a similar inconsistency is possible could be the same scenario as above but in a replicated scenario with AD or ADAM.  Each admin changes an identical item on a different server and the change creates an inconsistency.  This would not effect memberships or permission assignments which are done through multivalued attributes to which updates would get reconciled as distinct adds and removes however it possible that a description could become inconsistent.

    As an FYI - this strong wording from our guidance is also echoed with Keith Brown's site http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook.WhatIsAuthorizationManager

    The concurrency with the XML store is dependent on environment and probably a topic of its own.  If you are using .NET and the API you can put locks around access to the store and/or catch access errors and retry (XML DOM locks the file on load)

    The ASP.NET 2.0 authorization provider caches at a minimum of 1 minute so changes made via the MMC (AzMan.MSC) at the same time as programatic changes within the ASP.NET provider model would have the same issue.  Once again, not corruption but inconsistent if possible to load the store when it isn't locked.

    A further mitigation to an inconsistency would be to wrap AzMan with a service to manage writes.  AzMan, to date, relies on the capability of the underlying store type.

    So to wrap it up... corruption would be better described as inconsistent.

    Regards,
    David

  • Anonymous
    June 01, 2006
    Varma,

    You can manage menus in a number of ways... one approach I mentioned in the comments of the following... http://blogs.msdn.com/azman/archive/2006/02/22/536513.aspx#comments

    Another approach is to specify an operation for each menu item and batch an accesscheck with all the operations and set the result of the visibility/readonly/enabled/etc property for each item in a list.  I could see why you would want tasks as they are collections of operations but tasks are only for administrative groupings.  A better approach for groupings would be utilizing scopes. See http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazclientcontext2_getassignedscopespage.asp?frame=true for more info...
    then utilize that scope within the menu item.

    The best approach depends on your situation and given that I don't have all the information these are a couple ideas to get started with :)

    Regards,
    David

  • Anonymous
    June 05, 2006
    Hello David,

    First, thanks for your prompt reply on my first question. I have a second question on which i found little or no documentation.

    I've read that when you use the InitializeClientContextFromToken AzMan reads group sids from the PAC portion of the Kerberos token.

    My question is this : I know that windows security groups get added to the Kerberos token's PAC, but does the PAC also carry AzMan information ?

    If it does, which info does it carry exactly ? Roles ? Scopes ? and what rules can i put in place to make sure i dont run out of space in my kerberos token ?

    Also, let me know if i am not clear :)

    Maxime

  • Anonymous
    June 05, 2006
    Maxime,
    Q> I know that windows security groups get added to the Kerberos token's PAC, but does the PAC also carry AzMan information ?

    A>
    The Kerberos Protocol, PAC or (Privilege Access Certificate) does not contain AzMan information per se however AzMan uses the security identifiers (SID)s to compare with  the SIDs that are asigned to a role in the policy store. Role assignment is a seperate aspect to the runtime.

    AzMan consumes the SIDs from the protocol to a client context however and the developer is abstracted from loading this information directly when calling initializeclientcontextfromtoken (a freebie if you will).  

    When using non-windows integrated security for authentication then you must do the SID gathering work yourself such as described in ADAM integration with AzMan on the team blog http:/blogs.msdn.com/azman.  

    Some additional information on the Kerberos protocol and windows settings may be found here http://technet2.microsoft.com/WindowsServer/en/Library/b36b8071-3cc5-46fa-be13-280aa43f2fd21033.mspx?mfr=true and the PAC specification from http://www.microsoft.com/downloads/details.aspx?FamilyID=bf61d972-5086-49fb-a79c-53a5fd27a092&displaylang=en


    Regards,
    David

  • Anonymous
    June 05, 2006
    Mariya,

    Per your questions -
    We are concidering using AzMaz for authorizing external users.

    > Check out ADAM integration code posted on the AzMan team blog at http://blogs.msdn.com/azman

    Question list:

    1.Is there a method in the AzMan API that will give me all tasks/operations a giver user have access to?

    At runtime you have the ability to return roles and scopes.  Access to operations is determined through the accesscheck call. See the API docs referenced below.  Tasks or collections of operations are a store concept for eased administration. There is code on GotDotNet but IMHO, I would stick with the support directly on the API.  

    2.Where can I find documentation on AzMan API?

    http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_reference.asp?frame=true

    3.I read in one article that in order to use AzMan without using Windows accounts to represent users "you need to define custom security identifiers (SIDs) for each user", and that in this case "you won't be able to use the AzMan snap-in to manage your stores".
    My question is does it mean that I won't be able to use AzMan to assign these users to roles? What is the alternative?

    As of Windows 2003 SP 1, you may add roles, azman appliction groups or SIDs to the client context.  I would recommend looking into ADFS for claims based applications and utilizing AzMan as the claims transformation engine (loading claims as AzMan roles or application groups depending on desired pivotability for roles).

    Role assignment with custom security may be performed using the AzMan API directly prior to Vista.  As of Vista Beta 2 (currently available) you have API support in the MMC/UI to write a custom object picker.  I believe sample code for an ADAM object picker will be in the Vista SDK -  scheduled this summer.

    Regards,
    David



  • Anonymous
    June 15, 2006
    Hi David,

    We have established AzMan/ADAM configuration setup on Windows 2003 and AzMan Admin console (MMC snap-in) on Window XP.

    The console launched successfully when a user with Administrator credentials on ADAM's machine (Windows 2003) connects to AzMan store using the snap-in whereas any other domain user generates an error.

    My questions is, how can we get domain users without administrator privileges to successful connect to AzMan store using the snap-in from their local Windows XP machine? Is this the role of Delegated User? If so, how is this accomplished?

    Many thanks!

    Barry

  • Anonymous
    June 16, 2006
    Hi David - I was wondering if there are any supported methods to installing the AzMan runtime on Windows XP as part of a client install without installing the W2k3 Admin Pack.

    Thanks!
    Phil

  • Anonymous
    June 16, 2006
    The key to your question is "supported" and AzMan is only supported for policy store administration from XP via the W2k3 Admin Pack (SP 1) and hence only distributed that way.  Support is planned for all Vista versions as it is part of the OS moving forward from Win2k3.

    It is "unsupported" to only copy the  azman.msc,azroles.dll and
    azroleui.dll to %windir%system32 and register the COM DLLs using regsvr32.

    David

  • Anonymous
    June 16, 2006

    My questions is, how can we get domain users without administrator privileges to successful connect to AzMan store using the snap-in from their local Windows XP machine? Is this the role of Delegated User? If so, how is this accomplished?

    >
    When you assign users to either the Administrator or Reader Authorization Manager administrative roles at the application or scope level you must also assign them to the Delegated Users role at the store and application levels. This will allow those principals to read the objects at the store and application levels (such as application groups) that can be used in definitions and membership assignments at the lower application and scope levels. When using ADAM, the user must also be in the administrator or readers role on the container of the policy store.  As a side note, a UPN should be set on all user accounts - offhand I believe this is the default behavior.

    Regards,
    David

  • Anonymous
    June 19, 2006
    Hi,

    In Autorization Management Console (azman.msc) I've defined a group and trying to assign members (W2003sp1). Assigning AD users from current domain works ok, but once I try to assign a user from other (trusted) domain, then I get the following error: "Cannot save one or more changes. The following problem occured: The system cannot find the file specified."

    Does that means that Azman supports users from one domain only?

    Thanks,
    Arturas

  • Anonymous
    June 26, 2006
    Hi David!
     This is an incredible resource.  I am looking for ideas to store string data in AD.
     I have an AzMan enabled outlook plugin to help with regulatory compliance.  We have rules provisioned as "Operations" in AzMan.  Am looking for ideas to store & retrieve rules specific data in AD. The data is in XML format.  I was thinking of using one AzOpObjectContainer attributes, but am looking for better options.
     Any help will be appreciated.

    Thanks,
    Sanjay

  • Anonymous
    June 26, 2006
    Thanks Sanjay.  Actually, the ApplicationData property was designed to hold misc application data.  See the following link for more details: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/iazoperation_applicationdata.asp?frame=true
    but help me understand what you mean by "ideas to store & retrieve rules specific data in AD" or what you are trying to accomplish.

    Regards,
    David

  • Anonymous
    June 26, 2006
    Arturas,

    Sounds like the following.  Please contact PSS.
    http://support.microsoft.com/?kbid=906381

    Regards,
    David

  • Anonymous
    June 27, 2006
    David,
     Thanks for the quick reply.  I did read about ApplicationData property.  Unfortunately, the xml data I was planning on storing could be more than 4K.
     Each operation is a rule which would have specific set of data associated with it. For example one of the rule would be to warn users if the email message contains an unprotected office document and is addressed to users in specific domains.  The list of those domains would be stored as xml.  Some of the rules have complex logic.  I was looking for options to store this information somewhere in AD.

    Regards,
    Sanjay

  • Anonymous
    June 27, 2006
    Sanjay,

    You have a few constructs that will support what you are looking for... you could use BizRules, you could drop the xml and use an LDAP query group and either replicate the valid domain data within an multivar attribute for each person Or set the ldapquerydn to shared object for all users and perform the same query as an ldap query group, Or you could make each domain a scope and check for access in each scope.  Since you said that you have complex logic, it may be that BizRules are your best option.  As for where to store your data, you may look for an existing attribute http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp?frame=true or extend the schema to support the construct you are looking for
    Stefan Schackow's book, Chapter 12, "Professional ASP.NET 2.0 Security, Membership, and Role Management" has a brief section on extending AD to support password reset in AD using the role provider.  As with any AD schema change, you may want test with ADAM first or run a VPC environment matching your current and setup an appropriate test matrix. You would also want to take into consideration replication aspects and concurrent administrators for your list e.g. if you have a single attribute with only XML then you will have a single user administrative access model whereas if you load your data in a multi-var attribute then you can support distinct additions and removals.  Just something to keep in mind...

    Regards,
    David

  • Anonymous
    June 27, 2006
    I just released my import/export code to open source and it is being hosted on Dominick's site...enjoy!

    http://www.leastprivilege.com/SourceCodeForAzManBulkImporter.aspx

  • Anonymous
    June 27, 2006
    Very Cool Joe!  Thanks for sharing!

    David

  • Anonymous
    July 11, 2006
    David,

    I have an ASP.NET app connecting to an AD AzMan Store. When i test it from the host it worked fine but from a client machine, I get an error when it tries to initialize the AzManStore:
    "The system cannot open the device or file specified"

    The web site impersonate the user and that user has read access to the Azman store.

    any clues for me?

  • Anonymous
    July 11, 2006
    Jon,

    I had similar experience as the one you described. Our policy store was located on ADAM. We resolved the problem by granting the user an Admin access to the AzMan store.

    Perhaps David may shed light on why simply granting a read access doesn't seem to work.

    Good luck!

    Aby

  • Anonymous
    July 14, 2006
    The comment has been removed

  • Anonymous
    July 14, 2006
    Just to let you know... we are in the lab attempting to repro your issue.  It doesn't occur on Vista. We are trying on multiple operating systems.  Please provide all your system details. OS, AzMan version, and runtime env.  


    Thanks,
    David

  • Anonymous
    July 19, 2006
    We (Sudheer) was able to reproduce an impersonation issue on XP. It’s happening while initilializing the AuthzResoucrceManager. Issues is with AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag which is not supported on XP and connecting to ADAM policy store.  (Which explains Admin support only for XP) However the symptom in this case looks to be IAzAuthorizationStore::Initialize fails with "the parameter is incorrect" or error code 87.  I think this one may explain Aby's observation.

    The original post states the error - "The system cannot open the device or file specified" which could simply mean that the caller can not reach the policy store for any number of reasons.  We are going to need more information to repro this one.

    Thanks,
    David

  • Anonymous
    July 26, 2006
    Did you guys get that email from me on how to repo this error and how to fix it?

  • Anonymous
    July 31, 2006
    Hi David - great blog by the way.

    Have you ever come across an implementation of using preferences with AzMan?  The two ways I can think of are using the application-specific storage, or storing them in a database.  If I store them in a database, would the SID be the appropriate foreign key?

    Thanks,
    Phil

  • Anonymous
    July 31, 2006
    Phillip-

    I tried something like that as a proof of concept...it was actually more of using ScopeID to store a database primaryID and then doing data authorization by making calls to the store....it was a killer in performance (and could only be done from sql 2005 bec. of .NET capability). What exactly do you want to do? If you mean user preferences...I suggest using the built in provider for .net 2.0, building your own provider, using one of the old application blocks which had a profile provider, or building your own.

    AzMan is really just an authorization tool...

    Let me know if I can be of help.

    -Joe

  • Anonymous
    August 01, 2006
    "The original post states the error - "The system cannot open the device or file specified" which could simply mean that the caller can not reach the policy store for any number of reasons. We are going to need more information to repro this one. "asp.net web application host on win2k3..net framework 1.1Azman store in active directoryI get that error only if impersonate = true in web.config and if the web browser isn't running on the host. The user account used to test is Domain admin.Could it be related to the network/server settings? (gpo, com+, trustedForDelegation etc...)thank you for your time.Jon

  • Anonymous
    August 04, 2006
    Ok i found my problem. It was a misconfiguration of Kerberos/delegation. Now everything is working fine except the function getRoles. That function return an empty array if i want to get the roles from a scope.Is there any know problems with that function?

  • Anonymous
    August 10, 2006
    Hi Joe - sorry I haven't replied until now...this might not directly apply to AzMan, even. Anyway, what I'm trying to do is have my 'users' stored in something other than the database (AD, AzMan) but allow some information to be stored in a database on a per-user basis. I was looking for a good way to tie the two stores together - and the piece of information that I was thinking of using was the SID. The SID is the external 'unique identifier' for users, right? And doesn't AzMan use a SID for both AD and non-AD users?Thanks!Phil

  • Anonymous
    August 22, 2006
    I also have a ASP.NET page that needs to connect to AD Azman but getting the error "The system cannot open the device or file specified" . It works when I run the page on the localhost but not from a client. What was the solution for this issue? I noticed that Jon indicated that this was an Kerberos/delegation configuration issue? What did you have to do to resolve this?

  • Anonymous
    August 22, 2006
    Are you running the site with impersonation?

  • Anonymous
    August 22, 2006
    Web.config Impersonation = falseSite (IIS) is using Integrating Windows Authentication. Site is in an application Pool that has a domain account as the identity. The domain account has an SPN added to it and is trusted for Kerberos delegation.Site works fine locally but I get the error from client.Thanks

  • Anonymous
    August 22, 2006
    I tried setting Impersonation = true and get the same results.

  • Anonymous
    August 23, 2006
    I would expect that the site run as impersonation=false and that the process owner has access to the policy store. There are two scenarios that I have seen as problematic but first:Assumption is that you are running IIS 6 and Win2k3 SP 1, utilizing the latest PIA. 1) What is your domain structure?2) Are these machines load balanced? 3)Are you authenticating using Windows Integrated Security sucessfully in another directory and fail on initializing the client context? 4) How are you initializing the client context(fromtoken, fromName, from stringsid)?5) What policy store are you using AD, ADAM or XML?Regards,David

  • Anonymous
    August 24, 2006
    David, We have been using AzMan for some time now and all of a sudden ctx.AccessCheck started throwing exceptions "Value does not fall within expected range". Not sure why.. It only happens for Operation-ID 913. I dropped the operation and recreated it. It then worked for a little bit but then AccessCheck started throwing the "Value does not fall within expected range" error.Please Help,Sanjay

  • Anonymous
    November 16, 2006
    The comment has been removed

  • Anonymous
    November 16, 2006
    Chris wrote:The problem I am having now, after importing the policy store into AzMan, is that the role, task, and operation definitions and the role assignments are showing up in AzMan but when I call the AccessCheck() method on the API for a series of defined operations, the operations are not seen as assigned to the user/role.  The AccessCheck() call is returning 5 when it should be returning 0.  If I create a new application in AzMan and hand-key in all the definitions and role assignments and then call the AccessCheck() on the new application then the correct values are returned.  There is some small detail that I am missing during the import. If u are having this problem use OpenApplication2 and get IAzApplication2 instead of the ordinary interface. U might get the interface not registered problem, and after u fix that it will work just fine

  • Anonymous
    November 24, 2006
    David, Was there an answer to Barry's question about the InvalidCastException being generated when opening the application? I am also using the 1.2 pia and am running into the exact same problem. Thanks, -Paul

  • Anonymous
    November 29, 2006
    I want to add a user (or member) to a role. I am using the following code: iAzRole.AddMemberName(strMemberName, null); It is working fine. But before this, I want to check that the user is valid member in active directory. How to do this? thank you, Sreenivas

  • Anonymous
    December 12, 2006
    Hi David, We are using the AzMan API (W2003 SP1) to import / export an ADAM store and we are getting some problems... Apparently it works fine and we replicate the original store in the destination machine. If we look at the console, all the operation, roles and groups are created, but if we ask for a certain operation, the Accesscheck return access denied. If we do by hand, all works correctly (this problem is also reported in this blog on 5/2/2006). it seems the problem is on the link between groups and roles. My code... azRole = azApp.OpenRole("RoleName", null); azRole.AddAppMember("GroupName", null); azRole.Sobmit(o, null); Any idea? Thanks in advance.

  • Anonymous
    December 25, 2006
    The comment has been removed

  • Anonymous
    January 01, 2007
    Hi Dave I installed AzMan on windows XP machine.I try to create new xml authorization store. but it display the following error : "Cannot create a authorization store.The following problem occured: The request is not supported" Can I create xml store on windows xp machine ? Thanks in advance A.Hadi

  • Anonymous
    January 02, 2007
    Yes, you can create a store on XP and that is fully supported.  Ensure that you are creating your store in a directory that you have permissions in.  You are doing this through the UI, correct? Regards, David

  • Anonymous
    January 22, 2007
    Instead of getting the task names, when I call IAzRole.Tasks all I get is the name of the role.  Thus for the following code, I get the the output Role(Clerk) Task(Clerk)      AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();      store.Initialize(0, @"msxml://E:adminpakstoretest.xml", null);      app = store.OpenApplication("Corporate Library Application", null);      identity = WindowsIdentity.GetCurrent();      ctx = app.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);      object[] roles = (object[])ctx.GetRoles("");      foreach (string str in roles)      {        Console.WriteLine("Role({0})", str);        IAzRole role = app.OpenRole(str, null);        foreach (string tsk in (object[])role.Tasks)        {          Console.WriteLine("Task({0})", tsk);        }      }

  • Anonymous
    January 22, 2007
    I found why sometimes AzMan gets the "Reauest is not supported" error because the XML store file should be in an NTFS drive.!!!!

  • Anonymous
    February 07, 2007
    Hi Dave, First, my problem.  I have a requirement to support groups based on LDAP queries that will be resolved at a Lotus Domino server.  I don't believe that AzMan will support this configuration (please correct me if this is an incorrect assumption).  My solution is to resolve the LDAP groups manually, interpret the results, and dynamically add ApplicationGroups to the ClientContext. However, I can't get context.AddApplicationGroups to succeed.  I always get an InvalidArgumentException.  Here is a code snip. Thanks, Andy public IAzAuthorizationStore2 _store; public IAzApplication2        _app; public IAzClientContext2      _ctx; public void run() { _store = new AzAuthorizationStoreClass(); String store = "msldap://localhost:50000/CN=AzManADAMStore,OU=tester2,O=JanusSearch"; _store.Initialize(0, store, null); String app = "notesGroup"; _app = (IAzApplication2)_store.OpenApplication(app, null); //end setup //get context string user = "avisser"; string domain = "otg"; _ctx = (IAzClientContext2)_app.InitializeClientContextFromName(user, domain, null); //end get context //add groups to context IAzApplicationGroup group = _app.OpenApplicationGroup("just me", null); object[] oArr = new object[1]; oArr[0] = group; //setting up the array this way also fails // IAzApplicationGroup[] oArr = new IAzApplicationGroup[1]; // oArr[0] = group; _ctx.AddApplicationGroups(oArr); //throws InvalidArgumentException }

  • Anonymous
    February 07, 2007
    I figured it out.  You need to pass in an IAzApplicationGroups object, not an array of objects. If my assumption that AzMan and Lotus Domino won't play together is still false, please let me know. Thanks, Andy

  • Anonymous
    February 08, 2007
    We support ldap query groups on AD prior to Win2k3 SP1 and ADAM after e.g. http://msdn2.microsoft.com/en-us/library/aa379640.aspx  (those queries are set on application groups) You have three ways to interact with other ldap stores:

  1. Claims based or variation on that theme
  2. BizRules - calling ldap store with custom code
  3. Use MIIS to sync ldap store data between Domino and AD/AM Regards, David
  • Anonymous
    February 14, 2007
    The comment has been removed

  • Anonymous
    February 15, 2007
    You cannot pass the token over the network per se however you can use kerberos delegation.   If you are calling an authorization web service then you could pass the dom/userid and initialize your client context from a string.  If your policy store resides on another machine then you can configure your azman store connection accordingly and utilize initializeclientcontextfromtoken and the azman api will hydrate your context based on that information. Check out the azman white paper and also http://blogs.msdn.com/azman Regards, David

  • Anonymous
    February 15, 2007
    Hi David, Yes my policy store resides on the Windows Server 2003 machine which is connected to the actual client's machine via a hub (LAN). I have implemented a DC on the Server and have added the user's for the experiment on to the Active Directory. I'm hoping to run the Visual C#.NET application on the client's machine and it should pass on the client's credentials to the WinServer2003. So if i adjust the initializeclientcontextfromtoken i should be able to run the app from client . Am i correct? Regards Janantha

  • Anonymous
    February 15, 2007
    Using integrated authN to web svc wouldn't require passing anything... run  init context and access check from a/the server. David

  • Anonymous
    February 15, 2007
    Hi david, I'll give it a go..thanks for the info.. regards Jay

  • Anonymous
    February 16, 2007
    I've seen it referenced that in Vista there will be the option for a SQL Policy Store location.  I have been unable to find anything about this other than that it will be an option in Vista.  Can you provide a link talking about this more?

  • Anonymous
    February 16, 2007
    If you are like me (running Vista :) ) then fire up azman.msc and action->help search for sql in that help file. Connect to an SQL-based Authorization Store You can use a Microsoft SQL Server database as the repository for your authorization store. In order to connect to a SQL server store, use the following procedure. You must be a member of the Authorization Manager Administrator role to complete this procedure. By default, Administrators is the Windows group membership required to do so. Review the details in "Additional considerations" in this topic. Connecting to an SQL-based authorization store When creating or opening an authorization store, type a URL beginning with the protocol prefix MSSQL://. The syntax for the URL is: mssql://<connection string>/<database name>/<policy store name> where: <connection string> is any valid SQL Server connection string, <database name> is the name of the database where the store will be saved, and <policy store name> is the name of the particular store. Examples mssql://dsn=MyTestDataSource;/AzManDB/MyTestStore mssql://Driver={SQL Server};Server={server1-test};/TestDelete/BugRepros Additional considerations If the SQL server instance doesn’t have the named Authorization Manager database, Authorization Manager will create a new database of this name.

  • Anonymous
    March 09, 2007
    Hi David, As previously mentioned I have a client (WinXP Prof) and a server (windows server 2003 SE) connected via  a hub. I have written a simple application using Visual C#.NET to demonstrate RBAC. As i'm running the application on the client's machine what is the path im required to put for store.Initialize ()? that is the path to the auth store.. please help!

  • Anonymous
    March 13, 2007
    The comment has been removed

  • Anonymous
    March 13, 2007
    Runtime use of AzMan is not supported in XP having to due with underlying OS API differences.  It is supported for Administration however.  To use with a client application you must call the API from the server side.  To extend that to the client you would need to use a web service and return the results (as one of many possible architectures). Vista however has full support for all versions. Regards, David

  • Anonymous
    March 13, 2007
    David, Thanks for the reply. But can't i simply install the win23k admin pack on win XP ? as it consists of the runtime. regards Janantha

  • Anonymous
    March 14, 2007
    As said before, you may use AzMan for "Administration" by installing the Win2k3 "Admin" tools for XP however the runtime side - initializing your client content and performing accesschecks is not supported due to differences with the OS APIs that support runtime AzMan calls. Those OS level API's that AzMan uses are in sync when you get to Vista. Regards, David

  • Anonymous
    March 15, 2007
    Hi david, I manage to run my application successfully on Win XP machine after installing the Azman Runtime! After installation it was able to load the XML file over the network using a shared server path!..So if anyone is out there stuck like me ..simply install the run time!

  • Anonymous
    May 14, 2007
    The comment has been removed

  • Anonymous
    May 25, 2007
    Hello David, Could you provide some pointers on connecting to the AzManAdamStore that i built per http://msdn2.microsoft.com/en-us/library/ms998331.aspx I am attempting to use Softerra's LDAPBrowser and can not get the User DN and Password correct.  I am trying this because when I built and ran the default web app, i am getting an error when attempting to do the Roles.IsUserInRole("TestRole") request.  I added a button to the default.aspx form to do only that function.  I get an error "Insufficient access rights to perform the operation". I have added "Everyone" to the WAA and PreWin 2k Compatible Access groups also. My connection string is: msldap://w2k3std-adtest:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US for the RoleManagerAzManAdamProvider from the test described in the article. My MembershipAuth portion for the login, using the AD, is working fine... And then, after I get Roles working, I will need to put the std Profile info into the AD too... Thanx, G

  • Anonymous
    June 07, 2007
    Hi David,   I created a authorization manager web UI i got a problem adding a new role definition. I use application.createrole but it goes to role assignment. how can i add new role definition. Please help. Thanks, chripk

  • Anonymous
    July 03, 2007
    Hi everybody, I have a problem with Azman+Adam role management. I am using membership provider as Active Directory and role manager as azman which uses store as adam. Adam is installed windows server 2003. I'm making some changes in azman.(Assigning users to roles etc.) But application doesn't get the changes until web application republihed or web server restarted. Also I tried storing roles data in xml file. There is no delay in getting changes in that method.

  • Anonymous
    August 28, 2007
    The comment has been removed

  • Anonymous
    August 29, 2007
    Hi David, I have got one requirement in which i have to add ad group,roles,task and operation to the azman file at run time. I mean I don’t have to go and type azman.msc to create all these, directly I want to add all these from code behind.I want to provide one interface where user can select all these. Is that possible?? if possible then please reply its very urgent. Thanks in advance Prabhat

  • Anonymous
    August 30, 2007
    Prabhat, The store may be modified and fully administered via the api. David

  • Anonymous
    August 31, 2007
    Hi David, Thanks a lot for your speedy reply,can u please tell me more about this api. it would be great help if you can provide me some sample code for this i mean adding ad group to azman.xml using c# code. Thanks, Prabhat

  • Anonymous
    August 31, 2007
    I'm trying to use scopes to authorize access to different application domains (different views into application data).  The Domain/Scope is provided by the client when he attempts to access the data. When I pass an application domain in as a scope which doesn't exist, I get a "NO SUCH SCOPE error, as you would expect.  However, once I create the scope, even with no definitions nor role assignments, AccessCheck ALWAYS passes!   What am I doing wrong here?  I'd like to have each scope have use the same role, defined in the application, but with different assignments.  Even with no assignments for that role anywhere, even at the application level, the AccessCheck still passes. Any help is most appreciated!  If there is another suggestion on how to model application domains (other than AzMan Scopes), I'd love to hear them. Thanks!

  • Anonymous
    September 19, 2007
    I've had no problems accessing the AzRole.AzAuthorizationStore object from service (SYSTEM) and user account.  I created a domain account (no admin rights),  and now I get CreateObject 80070005 on AzRole.AzAuthorizationStore when I run as that user.  What as a domain admin, and SYSTEM have that this user doesn't? Thanks!

  • Anonymous
    September 28, 2007
    Hi! How can I copy the AzMan store one AD domain to another AD domain? The another AD domain users same as original domain, but the user's sid different. Thanks!

  • Anonymous
    October 24, 2007
    Hi David, I know that AZMan is not available on Windows XP. Does it mean I can't even program on XP. How do people develop AZMan apps? Do they install Visual Studio on Windows 2003 or they first build it on XP and then test on 2003. Thank U

  • Anonymous
    October 24, 2007
    You need to download the Win2k3 SP1 Admin Pack for XP to get the bits installed on XP. You may code against the store operations or said another way administrative operations.  In many cases development will work just fine with XP but there are certain scenarios that do not work due to underlying OS APIs.  That is why the runtime (accesscheck and related) isnt supported on XP. Not supported doesnt mean that you couldnt get something working. It just means that there is are a few discrete scenarios that will not work properly. Vista and Windows 2008 are fully supported (and are also more feature rich - introducing new/convenient APIs and adding a SQL AuthZ store) David

  • Anonymous
    October 24, 2007
    Q: How can I copy the AzMan store one AD domain to another AD domain? The another AD domain users same as original domain, but the user's sid different. A: Check out the SDK sample - azman  migration tool. http://www.microsoft.com/downloads/details.aspx?familyid=7614FE22-8A64-4DFB-AA0C-DB53035F40A0&displaylang=en

  • Anonymous
    October 30, 2007
    Declarative security using AzMan: Am I missing something?  There seems to be no support declarative security with AzMan API.  The AzMan store provides that missing extra layer of abstraction that maps roles to operations - so technically I shouldn't need to worry about roles at all from my application code... Is there a way to mark methods (that map to your operations) with an attribute such as  [AuthorizedAccessOnly()] that uses the name of the method it's decorating (or perhaps you'd need to supply the corresponding operation id) to perform an access check with AzMan? I've been scouring the web all afternoon for info on this...  There's concepts like code interception or injection but these seem a touch... Extreme?  Is there anything in the application blocks that does this?  Or has anyone rolled their own? Matt.

  • Anonymous
    October 30, 2007
    PingBack from http://mystepstones.wordpress.com/2007/10/31/azman-authorization-manager-exporting-and-importing-fromto-xmlactive-directory/

  • Anonymous
    November 04, 2007
    The comment has been removed

  • Anonymous
    November 05, 2007
    We are working on a PSS case of the same issue currently. I will let you know asap.  The subdomains are not checked or validated against anything.   David

  • Anonymous
    December 03, 2007
    The comment has been removed

  • Anonymous
    December 10, 2007
    Hi, I posted the following question (http://msdn.microsoft.com/newsgroups/default.aspx?dg=microsoft.public.dotnet.framework.aspnet.security&mid=9e466d0e-7372-471e-87ad-9230131f9ba4) about windows groups and Azman to MSDN forums. Do you have some information why do I need to boot my development machine each time I make changes to the windows group if I want those changes to take effect in Azman. What kind of cache is it having on my develoment machine? Second question is that is it possible to get windows groups based authorization to work with sids? We have a layered application and we're not able to pass windows identies between layers. The scenario here is that our web application passes user's sid as string to the service layer and we should be able to authorize this user against Azman where our roles are assigned to windows groups. -Timo

  • Anonymous
    December 10, 2007
    Hi, I found this posting (http://www.tutorials-win.com/ActiveDirectory/AzMan-AccessCheck/) that pretty much answers my first question in my previous posting. To the second question I found answer from the excellent article "Developing Applications Using Windows Authorization Manager" (http://msdn2.microsoft.com/en-us/library/aa480244.aspx#azmanapps_topic5_troub1) where it says: "The AzInitializeClientContextFromStringSID method creates an Authorization Manager context from a given SID in textual form. This behaves in a similar manner as the InitializeClientContextFromName method. When the AZ_CLIENT_CONTEXT_SKIP_GROUP flag is used, the AzInitializeClientContextFromStringSID method does not attempt to determine the group memberships of the given SID. The resulting client context only contains the specified SID. If the IAzAccessCheck method is called from this client context instance, role membership is only granted if the specified SID is used as a member of a role or group assigned to a role." -Timo

  • Anonymous
    December 11, 2007
    You should be able to use the empty client context as of Win2k SP1 and IAzClientContext2::AddStringSids http://msdn2.microsoft.com/en-us/library/aa480244.aspx and http://msdn2.microsoft.com/en-us/library/aa377850.aspx AddStringSids Adds an array of string representations of security identifiers (SIDs) to the client context. Regards, David

  • Anonymous
    December 27, 2007
    I am having Administartive Previlage on my machine. I want to generate AzMan Authorization store based on XML file. I used Azman.msc and running in it developer mode to create Authorization Store based on Xml file . I am giving proper inputs but it is giving error "Cannot create authorization store.The request is not supported. " Please help me.

  • Anonymous
    December 29, 2007
    One possibility is that you are not creating the store on an NTFS volume - that is required. There is a sample script in one of these posts that I put up that you can attempt to run that programatically creates a store (using vbs) that you can use as a self check also. What OS are you running?  If running Vista or testing Win2k8 check out the following regarding UAC http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true Regards, David

  • Anonymous
    December 30, 2007
    Hi David I tried to save it in C drive and it worked. It was NTFS issues only as I was trying in D drive earlier. Thanks for suggestion. I have one more Query I want show use list of all XML file based Authorization Stores on my machine. Can I get it? I tried exploring "Microsoft.Interop.Security.AzRoles" but no clue to get list of Authorization Stores. I can get List of Roles, Application Groups and all but I Need to show list of Authorizations stores before this. Is it possible? Will appreciate your help. Archana

  • Anonymous
    January 02, 2008
    There is no way to determine where your stores are programtically e.g. list all stores I am interested in.  You could have multiple stores across servers, adam, ad, xml, or sql (vista/win2k8 only) and there would be no way of knowing ahead of time which one would contain either a store or your stores in particular.  You will need to store that list somewhere and populate it accordingly. Regards, David

  • Anonymous
    January 02, 2008
    Hi David Your blog has been very helpful in understanding the working of azman. However, I have a query which has not been addressed in any documentation. Is it possible to intercept the accesscheck call to azman from a .NET application? I need to implement custom authorization in AzMan. If I implement a custom HTTP module, I can extract only the URI of the resource being requested, which can not be mapped to operations defined in AzMan. So, how can I implement custom authorization? Thanks in advance Smith

  • Anonymous
    February 13, 2008
    I am trying to manually add Azman PIA v1.2 to the GAC (instead of installing Win 2003 administrative tools pack). I have GACutil for .NET 2.0 which I run as follows: gacutil.exe -i microsoft.interop.security.azroles.dll It says it successfully added the assembly, however, this doesnt work for me as when I run our application it throws an error. Is there something I am missing as far as configuration?  When I install windows 2003 admin pack, it works fine. Appreciate any suggestions.

  • Anonymous
    February 14, 2008
    The assembly is a PIA or Primary Interop Assembly that supports the COM object installed with Win2k3 SP1 Admin Pack. The supported way is listed here http://msdn2.microsoft.com/en-us/library/ms998336.aspx#paght000019_rtf%20formatting_step1 Regards, David

  • Anonymous
    February 14, 2008
    Thanks David. That offers some good information and helped me resolve my issue. Thank you for the hint ;)

  • Anonymous
    February 21, 2008
    Hi David, I am trying to port an AZMAN store from one server to another and the servers cannot talk to each other.  The only way I can think of doing this is to export one store out to xml format and then import it into the other. Do you know of a better way and do you know where I can find the published xml schema so I know how to create it?  I tried creating one in xml format from scratch and looking at it, but the hierarchy is not clear to me and also it is using id's that i do not see exposed in the object. Thanks, NS

  • Anonymous
    February 21, 2008
    That is exactly what I would do using the Win SDK sample code for store migration.  There should be a switch to dump w/o assignments. Dump to XML and load to your target.  You should avoid working with the XML schema directly as it is subject to change.  Using API is the best approach.   David

  • Anonymous
    March 06, 2008
    The comment has been removed

  • Anonymous
    March 24, 2008
    This is from the Windows SDK... C:Program FilesMicrosoft SDKsWindowsv6.1SamplesSecurityAuthorizationAzManWebExpense What is the exception? http://www.microsoft.com/downloads/details.aspx?FamilyID=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en ' '  Enabling or disabling BizRules for an application '  This script uses Authorization Manager Administrative interfaces to enable or disable '  BizRules for a specified AzMan application in a specified AzMan policy store On Error Resume Next Set objArgs = WScript.Arguments If objArgs.count <> 3 then  wscript.echo "Usage: SetBizRule ""AzManStoreURL"" ""AzApplicaitonName"" True/False"  wscript.echo "Example: SetBizRule ""msxml://d:inetpubwwwrootAzStore.xml"" ""MyApp"" True"  wscript.echo "Run with 'cscript' command in cmd.exe to avoid msg boxes"  WScript.Quit Else  ' VBScript source code  Dim AzStoreObj  Dim AzManStoreURL : AzManStoreURL = objArgs(0)  Dim AzManAppName : AzManAppName = objArgs(1)  Dim BizRulesEnabled : BizRulesEnabled = objArgs(2)  ' create azman object  Set AzStoreObj = CreateObject("AzRoles.AzAuthorizationStore")  If Err.Number > 0 Then    WScript.Echo "Can not create AzRoles.AzAuthorizationStore. Check AzMan installation"    WScript.Quit  End If  ' initialize store for Administration  ' assumes store exists - if store is being created (e.g. an installing applicaion)  ' use the value 3 instead of 2 in the call to IAzAuthorizationStore::initialize  Err.Clear  AzStoreObj.Initialize 2, AzManStoreURL  If Err.Number <> 0 Then    WScript.Echo "AzRoles.AzAuthorizationStore failed to initialize. Check store URL"    WScript.Quit  End If  ' open applicaion  set AzApp = AzStoreObj.OpenApplication(AzManAppName)  If Err.Number <> 0 Then    WScript.Echo "AzRoles.AzAuthorizationStore failed to open application: " + AzManAppName + ". Check application Name."    WScript.Quit  End If  ' set BizRulesEnabled property  WSCript.Echo "App BizRule Before:" & AzApp.BizRulesEnabled  AzApp.BizRulesEnabled = BizRulesEnabled  WSCript.Echo "App BizRule After:" & AzApp.BizRulesEnabled  If Err.Number = 0 Then    WScript.Echo "BizRulesEnabled is updated successfully ."  Else    WScript.Echo "BizRulesEnabled is NOT updated successfully."  End If End if

  • Anonymous
    March 25, 2008
    The comment has been removed

  • Anonymous
    April 07, 2008
    hello David I'm tired to working on AzMan BizRule in .Net2.0, becauese I encountered an unexpected error; Exception from HRESULT: 0x800A0005 (CTL_E_ILLEGALFUNCTIONCALL) ////////////////////////////////// public class DotNetBizRuleClass { private string _amount; public DotNetBizRuleClass(string amount) {    SetAmount(amount); } public void SetAmount(string amount) { _amount = amount; } public string GetParameter(string paramName) { return _amount; } } ////////////////////////////////// DotNetBizRuleClass m_DotNetBizRuleClass = new DotNetBizRuleClass("200");            m_DotNetBizRuleClass.setAmount(Amount.Text);            object[] oScopes = new Object[1];            oScopes[0] = null;            object[] oOperations = new Object[1];            oOperations[0] = 1;            object[] oInterfaceName     = new Object[1];            object[] oInterfaceFlags    = new Object[1];            object[] oInterfaces        = new Object[1];            oInterfaceName[0]   = "DotNetBizRuleClass";            oInterfaceFlags[0]  = 0;            oInterfaces[0] = m_DotNetBizRuleClass;            object[] results =                                        (object[])clientContext.AccessCheck (               "TestApp",               oScopes,               oOperations,               null,               null,               oInterfaceName,               oInterfaceFlags,               oInterfaces); please help me.

  • Anonymous
    April 08, 2008
    I do not have enough info to help you e.g. OS, store type, application type, assembly version, etc.   Please use the contact form on this site and I will respond to you.  If you are running Vista or Win2k8 then you will need to enable bizrules.  Check out the script at http://blogs.msdn.com/azman for that purpose or in the Win SDK. Regards, David

  • Anonymous
    April 09, 2008
    Hi David, We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample asp.net web application on Machine B, Domain B.  The web application has a simple Login page that uses asp.net login control, and a default page that authenticated users can see. In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine. We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles. Thanks, Su

  • Anonymous
    April 09, 2008
    Hi David, We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample asp.net web application on Machine B, Domain B.  The web application has a simple Login page that uses asp.net login control, and a default page that authenticated users can see. In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine. We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles. Thanks, Su

  • Anonymous
    April 09, 2008
    Great information on this page!  Very good. my goal: I want to create a console application that can run in any domain (Domain A) and use AzMan auth data in a network reachable Active Directory in a different domain (Domain B). The API for AzMan allows me to point to any AzMan repository via the MSLDAP:// URL, but does not have formal params for Username and Password.   How would you suggest I go about this? Thanks!

  • Anonymous
    April 09, 2008
    AzMan relies on the security provided by the OS.  Offhand, I think it uses sspi - signed sealed bind to AD or ADAM.  When using XML we require NTFS.  There must be a two way trust between domains to be able to query each.  This includes the concept of forests as well. Some have used constrained delegation and selective authentication to utilize the existing infrastructure but with greater granularity.  The sum of it is that with AzMan we utilize the existing infrastructure as much as possible to conform with the existing security model.  An evolution of that is the Federation story possible with Active Directory Federation Services (ADFS) and utilizing AzMan for custom claims generation or transformation (depending on which direction and functional requirements) This may also explain what is happening in the previous post to yours but I'd want to get some more details and do a little more research before jumping to conclusions. :) Regards, David

  • Anonymous
    May 05, 2008
    Hi David, Thank you so much for providing this! I'm currently working on bulk import xml file into sql store, do you also have any class or tool that support this operation as well? Thanks & Regards, Zheng

  • Anonymous
    May 05, 2008
    Zheng, There should be sample code to do that in the Windows 2008 SDK.   Check out the SDK sample code for the azman  migration tool. I believe the latest location for download is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en

  • Anonymous
    May 07, 2008
    Hi David/Everyone, I was wondering if you could provide any new information on the issue regarding initializing the AzMan store from an XP machine as described in your "Wednesday, July 19, 2006 12:00 PM" post? I'm currently encountering "The parameter is incorrect" on XP SP2 when attempting to initialize the [Active Directory] store under an impersonated "service" account. Is this in fact due to the AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag being unsupported in XP (at least in connecting to an AD/ADAM store)? Is there a workaround? I'm looking to use AzMan in our existing client/server scenario until we scale out to a 3-tier architecture. Our workstations are XP SP2 and servers are Windows Server 2003 SP1. Thanks, Tony If you reply via email, please remember to delete the "-removetoreply-" string from the address below: davisam2@bellsouth-removetoreply-.net

  • Anonymous
    May 19, 2008
    David, I have a couple of questions regarding SQL Server and AzMan.

  1. AzMan on Vista supports MS SQL as a policy store, will/is it possible to access the store from an application running on XP ?.
  2. Is there an API for using AzMan in MS SQL TSQL stored proc, or would we have to wrap use C#/VB stored procedures (assuming we can still use the AzMan COM object from SQL Server) ?. Thanks and Regards Mark.
  • Anonymous
    May 19, 2008
    David, Sorry to follow on from my MS SQL, how can I create a store on MS SQL. I am running Vista with SQL Express but don't know how to go about setting the url and any steps required to prepare SQL for AzMan ?.. Is there a paper on this ? Many thanks Mark

  • Anonymous
    May 19, 2008
    Mark, Q: Will AzMan with SQL Store be supported on XP? A: Nope Q: Is the API for SQL the same as other stores only? A: There is only one API to use for AzMan regardless of AuthZ policy store chosen. Q: Sample of SQL connection? Format: mssql://Driver={SQL Server};server=yourservername(machine name where SQL is installed);/databasepartitionname/storename Example: mssql://Driver={SQL Server};server=lab-test-machine1;/azuidb/store1 This will create SQL store with store name “store1” in “azuidb” database partition. You may find this also in the help file from Vista - run azman.msc and Action menu - then Help (lookup SQL) Regards, David

  • Anonymous
    May 20, 2008
    David, Many thanks for your response, I managed to stumble upon this in the help link when I tried to connect to a SQL Store, but since I had to rush out to pick up the son and heir from nursery I didn't manage to post my findings. I am disappointed by the lack of SQL supprt for XP since this would make or deployment of an offline capable application much simpler. We would only need to push the information in SQL to SQLExpress on the client laptop and change their DSN for Offline mode. It looks like we will have to use ADAM and this means further information stores to manage and synchronise. Thanks and Regards Mark.

  • Anonymous
    May 22, 2008
    You say AzMan doesn't work properly on an XP client. I wrote a test application and it worked fine. What am I doing ... uh ... wrong?

  • Anonymous
    May 22, 2008
    Not exactly, what we say is that we only support AzMan for administration on XP.  The reason is that there are some scenarios at runtime that do not work properly or maybe better said,  incompatible,  with XP. See previous posts for an example. Vista and Win2k8 code base converged so it represents a better choice IMHO to use Vista for client side moving forward. Regards, David

  • Anonymous
    May 30, 2008
    Not to belabor a point, but is there a list of specific instances where XP AS A CLIENT does not work? Are there calls to avoid?? Objects to be left empty? Thanks.

  • Anonymous
    May 30, 2008
    There is no such list. Anything you can do with azman.msc can be replicated as far as direct api calls with the exception of impersonation scenarios related to AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag which is not supported on XP. The heart of the runtime is the clientcontext accesscheck. Regards, David

  • Anonymous
    June 25, 2008
    Hi I'm hopping you can give me some help on this problem I'm having with azman/adam:

  • The azman stops responding. When accessing the azman console, and trying to reconnect with the Active Directory it gives me an error "More data is available". This is the second time the problem occurs. The 1st solution was to reeinstall the azman and works fine. The problem is now back. Can you give me an help on this. Thank you very much Gonzalo
  • Anonymous
    July 03, 2008
    Mr. David I need HELP! i have an aplication in ASP 3.0 (not .NET) the issue is that i must use AzMan to manage the security of the website, (my dev machine is a XP and the production server is a 2000 Server) in my Dev enviroment (http://localhost/myapp) when i ran the page it goes Ok, but when i try to access from another pc (http://pcname/myapp) it throws and error like this: "The system cannot open the device or file specified". to manage azman from ASP 3, i built a DLL in C#.NET for Interop and i call a Server.CreateObject in my website. As You know ASP 3 doesnt have System.Security.Principal.WindowsIdentity, that way in my DLL i instanciate that class with a GetCurrent() and use it to call the AzMan CheckAccess and just have to pass by params the OperationID. The problem is that it throw me the error i gave you. I thought the problem was by permission accesing the DLL then i put the DLL that i built in C#.net inside a DLL built in VB6 that goes in COM PLUS and that way both have the same Identity. in this case the GetCurrent Method of the WindowsIdentity always return the User that i have in Com Plus. PLEASE send me an email if you can to jmpena@sii.com.do AND jmpena@shiftingtech.com PLEASE.. i can Lose my job :'(

  • Anonymous
    July 11, 2008
    Responded offline

  • Anonymous
    July 22, 2008
    The comment has been removed

  • Anonymous
    July 23, 2008
    Is it possible to use relative path or dynamically created file for xml store in Initialize method? Can we use store as embedded resource? We have a situation where we need to load xml store dynamically, not from physical path. Please help. Thanks.

  • Anonymous
    July 23, 2008
    Azeem, Sorry to say, it doesnt work that way. There is NO InitializeStoreFromStream method. With XML, it requires a file on an NTFS volume. Regards, David

  • Anonymous
    July 28, 2008
    Thanks David for your reply. Another question, can we load provider at runtime? Thanks.

  • Anonymous
    July 29, 2008
    The comment has been removed

  • Anonymous
    July 30, 2008
    How do we pass AD groups in IAzClientContext? It seems only user token, sid, and name are the only parameter option that can be use with the accesscheck to query operations. My purpose is to use AD groups to directly associate with Role Assignment without using Azman group.

  • Anonymous
    August 06, 2008
    Mark, I dont really understand what you are trying to accomplish but if you want to check AD group membership in string form just use the Windows Principal IsInRole().  http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal.isinrole.aspx With AzMan you can assign AD group membership or user membership to roles and the client context will be auto populated (the token has the user sid and groups sids) which we use to populate the client context (no need to pass groups)  The name or sid approach - we generate a token for you and perform the same. http://msdn.microsoft.com/en-us/library/aa377365(VS.85).aspx  We also have an empty client context and you can add sids, groups or roles to that - see the ADFS samples for the empty client context. We intro getting the sids from the client context as of Vista/Win2k8 http://msdn.microsoft.com/en-us/library/aa965814(VS.85).aspx HTH, David

  • Anonymous
    August 06, 2008
    Bogdan, The asp.net role provider for azman doesnt have the capability to use a SQL store on Win2k3.  It isnt until Vista/Win2k8 that the feature for SQL AuthZ store is introduced. The version of .net framework doesnt affect this capability.  AzMan is a COM API which is accessed via COM Interop.  The source code for the ASP.NET role provider is available in the Win2k8 SDK.   David

  • Anonymous
    August 06, 2008
    Azeem, AzMan is a COM DLL.  You control the whole life cycle.  An example of an enterprise application utilizing AzMan is establish NLB infront of a two or more ADAM/AD LDS instance, setup replication between those instance, and call from your applications.  They will lazy load the policy store until the working set size reaches the size of the store.  The largest real policy store size that I have personally seen is about 15MB. Regards, David

  • Anonymous
    August 08, 2008
    The comment has been removed

  • Anonymous
    August 22, 2008
    Derek, Yes, it is possible to automate AzMan deployment to 22,000 machines but I believe this is an unsupported usage and so you cannot expect assistance from Microsoft in this regard. If you can't figure out how to do it, your next option would be to just roll out the Win2003 admin pack via group policy msi deployment.

  • Anonymous
    September 11, 2008
    Hi David - Thanks for the response.  Thankfully, I think we've convinced our dev folks to move away from this approach.   Thanks again for your response, and for providing this great spot on the 'net.

  • Anonymous
    October 15, 2008
    I've been trying to find out if it's possible to use AzMan for policy management in a heterogeneous network.  AzMan definately fits what we'd like to have, but several of our services run on non-MS platforms and there is zero likelihood of getting them ported to Windows (for very good reasons).  What are the options for a mixed shop (where AD already is used for user and group management)?  Would the combination AzMan+AD storage be accessible through LDAP?

  • Anonymous
    October 30, 2008
    Hello, I'm attempting to use Authorization Manager to control authorization for a number of web sites. I think I've got a good handle on the AccessCheck() method as that all seems to be working, but I'm now interested in the authenticaion of users to the site as a whole. I understand (and can get it to work) that I can change the roleManager in the applications web.config to point at "RoleManagerAzManADAMProvider" and as a result I can use AzMan roles in the <authorization> section. However, I was hoping to create an application group into which I could add all users who have the basic permission to the application and use this group instead of roles in the <authorization>. So far i've drawn a blank on this aim. Do you know if it is possible to achieve this aim and if so how I would go about it? Thanks

  • Anonymous
    November 19, 2008
    Starting out from an article found at LeastPrivilege we have created a custom principal that merges roles from AD and Azman http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx Using IAzClientContext.GetRoles we can read roles for a user. But in Azman it's possible to create roles "Employee", "Manager" and then include Employee in Manager. If an AD account is assigned a Manager role a call to GetRoles will only return "Manager" not "Manager" and "Employee" as I had hoped! Is there a way to read "subroles" for a role?

  • Anonymous
    November 19, 2008
    If you would like to return both as role assignments then you could create a global scoped application group and assign to that.  Then you may return each role as assigned.  The role definition of a manager including employee would provide potentially a more efficient representation.  You could design your implementation accordingly that instead of just getting roles - you could follow that by returning role definitions.  You would probably want to cache those since the definitions would likely not change often. David

  • Anonymous
    November 25, 2008
    It's a bit confusing ... If I use AzAuthorizationStoreClass store=new AzAuthorizationStoreClass(); store.Initialize(...); IAzApplication app=store.OpenApplication(...); And the read Tasks (Note a task i a Role Definition in the mmc console) with foreach(IAzTask myTask in app.Tasks) It is possible to read sub tasks to myTask! BUT  the roles read for my user are not Role objects but String. I read them like this; Collection<string> roles = new Collection<string>(); IAzClientContext ctx = app.InitializeClientContextFromToken((ulong)clientIdentity.Token.ToInt64(), null); Object[] rls =(Object[]) ctx.GetRoles("");   for (int index = 0; index <= rls.GetUpperBound(0); index++)   {    roles.Add((string)rls[index]);   } To cast to AzRole will render "Unable to cast object of type 'System.String' to type 'AZROLESLib.IAzRole" And since the name property, "Role Assignment" read with getRoles above is a string without correlation to the underlying "Role Definition" in Azman I am lost...

  • Anonymous
    December 03, 2008
    The comment has been removed

  • Anonymous
    December 03, 2008
    Oh I'm sorry the Exception message is "The program issued a command but the command length is incorrect.(Exception from HRESULT: 0x80070018)"

  • Anonymous
    January 21, 2009
    The comment has been removed

  • Anonymous
    February 03, 2009
    Hi David I've managed to create my intranet application using AzMan and tested on W2k3 and everything works great. However, I have just bought the live server which will host the intranet app and it is W2k8. When I run the app on this server it contiuously crashes out when doing AccessCheck with the result Value does not fall within the expected range. Do you know why this might be happening. Any help would be greatly appreciated as I have spent 6 months working on this project and am pulling out what is left of my hair! Cheers Nick nwatt@hotmail.com

  • Anonymous
    February 19, 2009
    I'm trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied." If I tell it to create a new store I get the same message although the DB does actually get created in SQL. What could be wrong?

  • Anonymous
    February 19, 2009
    What version of SQL are you running?  What protocols do you have enabled e.g. TCP/IP and is it configured to accept remote connections?  What account are you using to create the database and what role(s) is it in?  What does your connection string look like?  What is your DB coalation? Regards, David

  • Anonymous
    February 20, 2009
    Hi Jerald, Not sure if you're still looking, but I have a resolution for the issue you have and thought I should post it here so others could benefit as well :) We had the same problem as you, some users fine, some users "program issued ..." and then adding to groups made the error go away. It is a problem with the win64 subsystem and you will need to open up a PSS incident with MS to get hold of the hotfix identified in KB948931. HTH Cheers Dan

  • Anonymous
    February 20, 2009
    Thanks Dan. Regards, David

  • Anonymous
    February 20, 2009
    I'm using SQL Server 2005. Protocols enabled are: Shared Memory, Named Pipes and TCP/IP. Remote connections are enabled. The account I'm running the AZMan snapin as is a domain account and an administrator on the local machine. This account is a member of the sysadmin SQL role. Server collation is Latin1_General_CS_AS My connection string is: "mssql://Driver={SQL Server};Server={KHSVELOCITY09};/AZManDB/KHSWorkflow" I noticed that although it creates the DB OK. It does not add the application to the AzMan_AzApplication table.

  • Anonymous
    February 20, 2009
    I should've said: although it creates the DB OK, it does not add the policy store to the AzMan_AzAuthorizationStore table.

  • Anonymous
    February 20, 2009
    Another data point: I previously had SQL Express edition installed. I can still open a store in a DB that I had created when SQL Express was installed.

  • Anonymous
    February 20, 2009
    But if I try to make any edits to that old store that I can open, I again am faced with "Access Denied". (wish comment editing was available here!)

  • Anonymous
    February 20, 2009
    Contact PSS for the SQL issue - Reference- 258310  Code Defect - WS 08 Regards, David

  • Anonymous
    March 02, 2009
    We're testing ADFS with Forms Auth on the front end, triggering Basic Auth via ADFS Agent on the back end, to implement system security (runs as the logged on user).  We understand it is also possible to use Azman in this context.  However, ADFS examples seem to be overloaded with options we don't need.  We have a Federation Service in place, and the app will run in the same domain.  Can you point us to a simple configuration script for setting up a W2003 R2 IIS6 web server with ADFS Agent to enable use of Azman on the back end?  

  • Anonymous
    March 02, 2009
    The comment has been removed

  • Anonymous
    March 03, 2009
    AzMan only performs authorization.  You can use it in claims generation modules in ADFS or as a claims transformation module within your ADFS enabled web app but it doesnt have anything directly to do with ADFS configuration. Regards, David

  • Anonymous
    March 04, 2009
    The comment has been removed

  • Anonymous
    March 04, 2009
    I forgot to put in my previous post that I can see in the Output window that the AzManHelper is working before the exception: it's called from the Program class before the Application.Run statement for the form with the BackgroundWorker.

  • Anonymous
    March 04, 2009
    Do the dynamic groups (ldap query groups) support querying the extensionAttributeX properties like this: (&(objectClass=User)(extensionAttribute2=300)) Thanks, Jim

  • Anonymous
    March 04, 2009
    I think I've solved the HRESULT: 0x80004002 (E_NOINTERFACE) problem.  More searches revealed thd KB article http://support.microsoft.com/kb/912572 which I didn't think was quite the right symptom as my app main was running as STAThread and I'd recreated the problem rolling my own background thread using the Thread class with it set to STA.  But it reminded me that I was running the 2003 SP1 AdminPak on my XP machine. I uninstalled it and installed the SP2 AdminPak from http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en and it's now passing the point where the exception occurred.  I've still got problems but they don't seem to be AzMan related.

  • Anonymous
    March 18, 2009
    David, reading through the comments and responses has been hugely beneficial in better grasping some of the advanced use of AzMan.  I have a question, however, on the custom object picker sample identified multiple times that was targeted at the Vista SDK (and since then I've found a reference to it being in the Windows 2008 SDK).  I am unable to find any such sample in either SDK or anywhere else on the web (except for a Channel9 PluralSight video).  Is this available anywhere? Thank you, Jason

  • Anonymous
    March 31, 2009
    Insufficient access rights to perform the operation. (Exception from HRESULT: 0x80072098) Hi David, I got the error above when trying to login/access AzMan store using network service account. I already added the account as reader under AzMan store security properties. I am using Windows 2003 R2 on both Active Directory and Application server. In the IIS I am using Network Service account in the application pool identity. I did a lot of experiments but I did have any luck so far. Please help.

  • Anonymous
    April 01, 2009
    The network service account translates to COMPUTERNAME$  - network service uses the computer/machine account and requires permission accordingly. Regards, David

  • Anonymous
    April 01, 2009
    Hi David, Thank you for you prompt response. Can you add a little details on what you mean about "The network service account translates to COMPUTERNAME$  - network service uses the computer/machine account and requires permission accordingly." Does this mean AzMan only uses user accounts and not machine?

  • Anonymous
    April 02, 2009
    The comment has been removed

  • Anonymous
    April 09, 2009
    I am calling IAzAuthorizationStore2.Initialize from an ASPNET web app on win2k3.  My profile is stored in an XML file local to the web app.  When the AppPool identity is an administrator, all is fine.  But if not, I get access denied COM error.  Giving the user full rights to all files didn't help, so it's not a file access thing.   What rights does the app pool user need to access AzMan? Thanks, Riley

  • Anonymous
    April 13, 2009
    I am also getting the "parameter is incorrect" error when trying to perform a role check. I am using Forms authentication, AD Membership, and AzMan for roles. I can get the manual call to work by appending the "@domain.com&quot; to the end of User.Identity.Name in the call to Roles.IsUserInRole and that is all well and good but this is not possible to do when trying to use security trimming with the SiteMap Provider - which appears to always use User.Identity.Name and not have the ability to append the "@mydomain.com&quot; to the end so that the call works. How can I get SecurityTrimming to work with a SiteMapProvider when using Forms Authentication with ActiveDirectory membership and AzMan roles? Thank you so much for this great post!

  • Anonymous
    April 16, 2009
    In response to Craig Fisher's question, I had this problem as well. In our case, we were running AZMAN on a Windows Server 2008 32 bit server. It was trying to connect to our Windows Server 2003 64 bit, SQL Server 2005 server to create the AZMAN store. We got the exact message "Cannot open the authorization store. The following problem occurred: Access is denied.". The database had been created, the Extended Stored Procedures had been created in the Master database, but no records had been created in the AZMAN database. I Used SQL Profiler to see what calls were being executed against SQL Server. I grabbed the last one that was executed, and tried running it in SQL Server Management Studio with a Begin Transaction. It failed with an error stating that it could not find "AzSqlExt.dll". I looked in the Master database Extended Stored Procedures created by Azman, and indeed, they used this DLL. It turns out that Windoes Server 2003 does not have this dll. After some research, and talking to someone from Microsoft, I was told to grab this AzSqlExt from a Windows Server 2008 server, and place it in the System32 folder. Make SURE you get the 32 bit or 64 bit version as needed... It comes with the Operating System, not SQL server... HTH [Original Msg from Craig Fisher: I'm trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied." If I tell it to create a new store I get the same message although the DB does actually get created in SQL. What could be wrong? ]

  • Anonymous
    April 16, 2009
    Does anyone know of a good tool to migrate an AZMAN XML store to an AZMAN SQL store? I am told there is one in the "Windows SDK for Windows Server 2008 and .NET Framework 3.5" at http://www.microsoft.com/downloads/details.aspx?FamilyID=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en which I am about to look at, but was hoping there was one that did not require such a huge install. Thanks David

  • Anonymous
    May 11, 2009
    I need to be able to show a list of users who have are authorized to perform a particular AzMan operation. I don't think there's any simple way to do this. Options I'm considering:

  1. create an AD group for these users and write code to enumerate the members of that group
  2. store a list of the users in SQL. In each of these cases it means managing these users in two places (in AzMan and in AD or SQL), although with the AD group I can just use that group to grant the operation permission to. The problem with using AD though is that I'd need to grant my ASP.Net app additional permissions to interact with the directory. Do you have any guidance around the best way to achieve this? (The reason I want to do this is that one user of the app needs to be able to assign a unit of work to another user. That second user needs to be someone who is authorized to perform the next operation on the unit of work.)
  • Anonymous
    May 11, 2009
    Get Ops method if running Vista/Win2k8 http://msdn.microsoft.com/en-us/library/aa377877(VS.85).aspx IAzClientContext3::GetOperations Method The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform. Syntax C++ HRESULT GetOperations(  [in]   BSTR bstrScopeName,  [out]  IAzOperations **ppOperationCollection ); Parameters bstrScopeName [in] The name of the scope to check. ppOperationCollection [out] The address of a pointer to the collection of operations that the principal represented by the current client context has permission to perform. Return Value If the method succeeds, it returns S_OK. If the method fails, it returns an error code. For a list of common error codes, see Common HRESULT Values. Prior to that you need to determine whether sending a bunch of ops in and performing an accesscheck on them in a single call will do or whether you need to go to the store. Regards, David

  • Anonymous
    May 11, 2009
    GetOperations isn't what I want. I want to find the list of users who have permission to perform a particular operation.

  • Anonymous
    May 11, 2009
    Sorry - sounds like you may need to perform a store operation or a version of what I said previously.  Since a role to role assignment is where the membership is set then you would need to spin through the role defs/(tasks).  The problem comes in when you have something like ldap query groups, bizrules or adfs claims that you have no direct user assignement set (which the accesscheck method would address a subset).  In the grand scheme of things, instead of writing the code to spin through the store, I would load up my users (either from the membership assignment or AD/ADAM if using LDAP Query groups), init client context by name and perform an accesscheck for each sending in an array of ops to check per user then spin through the accesscheck result array.   David

  • Anonymous
    May 29, 2009
    I'd like to get a clearer defintion of: The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform Also, GetTasks() is defined the same. What does 'has permission to perform' mean with respect to BizRule processing. Are BizRules taken into account for the permission check? And if so, how are the BizRule Parameters defined before GetOperations or GetTasks is invoked?

  • Anonymous
    May 29, 2009
    In this context operations are essentially permissions identified as integers in your code and also in your policy store coorespondingly. The overall concepts are explained in detail here however the new API addresses questions from the runtime (as oposed to the store operations) http://msdn.microsoft.com/en-us/library/aa480244.aspx An accesscheck with an operation or array of operations passed in would result in a result list returned determining permission.Having to do with COM roots the convention was OK=0 and anything else false(.NET implementors process the result accordingly) The question of what operations or tasks do I have access to is the inverse question of an accesscheck at runtime.  Instead of seeding the code with an operation or set of ops and checking each as a set in one call you are returning the list up front.  Then you can make your AuthZ decisions from there. There are a number of reasons why you may choose this approach and that is why the OM was enhanced to include.   On to BizRules, as written in the paper, an accesscheck will resolve a result of a bizrule into success or failure (which is the permission check).  Operations are the lowest level and are esentially permissions.  Another type of permission is an ldap query group and another is a bizrule.   Offhand, I do not believe that GetTasks resolves bizrules and couldn't see how it would do it for operations.  BizRule parameters are defined on the accesscheck base. The IAzClientContext3 permits viewing their state.  I'll have to test to be 100% sure. I would also have to include the test case of a previous accesscheck resolving permission to a task and then caching the result.  From memory, direct assignment would take priority over a more expensive function call if I remember the internals correctly. Regards, David

  • Anonymous
    June 22, 2009
    The comment has been removed

  • Anonymous
    July 10, 2009
    David,    First i wanna thank you for your time and this wonderful product. I developed A Service to exposes AzMan in a easy way. This is in Codeplex http://www.codeplex.com/authorizationservices as open source. Here in my company we are using AzMan with this service for all our new System and products and migrating the old ones. (More then 100 webapps). But i had a doubt,  we have 2 types of users here, one using AD. This is OK for us now. But the second type of user are external users, and we are using SQL Server (MemberShipProvider) to stores them. But we want to uses AzMan too. What we can do? I'm searching for the the Custom Object Picker examples in the Windows SDK and not found. This is very important, and we need to put this working in 1 week for the new projects and portal.

  • Anonymous
    July 23, 2009
    The comment has been removed

  • Anonymous
    July 23, 2009
    Did you run your ADAM instance from a DC?  I remember that there was an incident/bug a while ago but havent followed the status.   Incredibly busy at the moment... on project.  (I'll see if I can ping some others for status - in the mean time, try running from ADAM from a DC machine in your test (or test VHD if possible to rule out)  Check support for patches too. It should have been gone by Vista/Win2k8 and forward if it is what I think it is) David

  • Anonymous
    July 27, 2009
    Hi all! I've this situation: I'm required to use Azman, with SQL Server store, but my AzMan needs to be executed in a Windows 2003 server. Is this possible? Can I "upgrade" the AzMan version in the 2003 server to the new one that comes with 2008 server? Thanks a lot! Best, Aldo

  • Anonymous
    July 27, 2009
    We have AzMan configured with SQL Server Store, which contains Operations, Tasks, Roles, BizRules. I have opened the store in AzMan.Msc SnapIn, I am able to see Operations, Tasks, Bizrules, Roles, Groups. I have added more Operations, Tasks, Bizrules, Roles. After adding these, i have closed the AzMan.Msc and try to re-open the same store again, i got the following error. "Cannot enumerate child objects. The following problem occured: Access id denied." I am not able to open the store now, could someone help me out in understanding the problem. I have an application, which is running pretty fine, but after adding more Operations, Tasks, Bizrules, Roles. Now my application is throwing below error, System.Unauthorized.AccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED). at AZROLESLib.AzAuthorizationStoreClass.OpenApplication(String bstrApplicationName, Object varReserved). If this is not the right place to post this, could you please redirect me to the right place.

  • Anonymous
    July 27, 2009
    Aldo, Sorry not directly, Windows 2008 or Vista can access SQL as a policy store only. You may however access a web service residing on a Win2k8 or Vista machine from your Win2k3 machine. Regards, David

  • Anonymous
    August 03, 2009
    I am trying to use xml as an authorization store on my Windows XP SP3 computer (I have installed AzMan through the Admin server pack). When I try to initialise the AzMan client (using call - AzAuthorizationStore.Initialize(0, storePath, null), I get an argument exception - Value does not fall in range. the sample store path is as following - "msxml://C:\RedcloudLive\TestData\SecurityStore\AuthorizationStore.xml"

  • Anonymous
    August 03, 2009
    post2ankit - Are you able to use the UI to open the policy store? David

  • Anonymous
    August 03, 2009
    Sridhar Yernagula  - what environment are you calling from... is everything  Win2k8?  What is your SQL policy store coalation? thanks, David

  • Anonymous
    August 03, 2009
    I am able to use UI for opening policy store. I am using xml stored on the local computer as policy store. I just found that my local account is able to initialise the Authorization Store but the domain service account is unable to do so.

  • Anonymous
    December 09, 2009
    I am using C++ for implementing authorization manager. But I am stuck at InitializeClientContextFromToken function as the hToken I am passing to it is of type HANDLE and this funtion required the Type to be ULONGLONG.How to convert this token?

  • Anonymous
    January 11, 2010
    The comment has been removed

  • Anonymous
    February 09, 2010
    Hi, I have an Win server 2008 AD environment that has some unix machines integrated. If I use Azman to manage groups and roles for the domain users I just want to confirm whether Java or C++ apps running in the unix environment could also access azman data via LDAP.   From earlier comments that appears to be the case, I just wanted to double-check this. I assume that we might have to manually perform more queries to enumerate the groups and roles, but I'm hoping this can still be done? thanks.

  • Anonymous
    February 10, 2010
    @Bob - this api is utilized in custom applications.  It is not used for managing domain roles/groups.  This api however will utilize domain groups/etc for membership assignment in AzMan applications of which the policy store may also reside in AD.  The concept is that these are essentially SID buckets and in your applications you use the API to call these and resolve.  Check out the white paper for greater detail... http://msdn.microsoft.com/en-us/library/aa480244.aspx

  • Anonymous
    February 10, 2010
    @Manjari - check out the Vista sdk for sample code to migrate policy store data.  Usually I migrate to xml then import to X target in the next environment.  (xml because I can copy the file/email the file/etc to the next environment w/o needed connectivity to both environments at the same time.) Regards, David

  • Anonymous
    February 11, 2010
    David, Thanks for your reply. I didn't mean that I was looking for a particular way to manage groups/roles. I just meant that we have a custom application that we need to develop and I was looking into Azman as a possible tool to create custom roles for that application (as opposed to coding up knowledge of roles in a database or something). However my real question is: if we use Azman to specify roles for this application in AD, can the parts of this application that will run on unix also be able to access this Azman-specified user/role data via LDAP? It seems like that is the case, but I just wanted to understand if there were any pitfalls there to know about. I realize that if my app were windows-only then there is some additional role-checking and other behaviors that we could leverage, eg bizrules, etc. that I don't quite understand yet, but I think if we can query a user's groups/roles via LDAP will be good enough.

  • Anonymous
    February 11, 2010
    The comment has been removed

  • Anonymous
    February 15, 2010
    David, many thanks. It's very helpful to be able to ask questions about this. After looking over the white papers your mentioned and viewing some Azman introductory videos by Keith Brown that I found, I think I've gotten an OK handle on this. As far as accessing Azman from unix Java/C++ clients, I think that either LDAP queries of the store data or a webservice that wraps some of the Azman API should do the trick. One final question: I noticed when playing with Azman on Win server 2008 that I have a choice between schema 1.0 and 2.0. Is there any particular reason to choose one over the other? This will be a Win server 2008 with Windows 7 clients.

  • Anonymous
    February 15, 2010
    The comment has been removed

  • Anonymous
    February 16, 2010
    @Bob - granting network service (the service account) is granting mymachine$ to whatever access it requires on the policy store.  If only accesschecks then you can give it read access to the containing node of the authz policy store.  I think you can give the computer object administrative rights in the azman.msc as well... if not your admin has to grant rights to the computer account for that container. Regards, David

  • Anonymous
    February 16, 2010
    @Bob - as far as the two schemas, offhand, I think the new is needed if you plan to use new functionality such as bizrule groups... etc

  • Anonymous
    February 18, 2010
    @Bob - check this out http://blogs.msdn.com/donovanf/archive/2007/04/05/azman-in-windows-vista-you-bet-and-longhorn-too.aspx Regards, David

  • Anonymous
    February 22, 2010
    Thanks. I'll give those links a read... Here's is hopefully a quick question. I just want a sanity check: Say I have three groups of users and I want to assign three different sets of Operations that those  users can perform in my application. However, in AD there are also various different network resources that I want to grant to those same groups. What seems to make sense to me is that I want to create three role definitions representing the operations those groups will have in Azman. However also I would create three AD security groups representing those same three groups of users in AD. Then, in Azman role mapping, I would simply map those security groups to their respective roles. This all seems pretty straight-forward. The only thing that bothered me was the redundancy of creating this set of groups both as AD security groups as well as Azman roles. Does this make sense? thanks, Bob

  • Anonymous
    March 12, 2010
    The comment has been removed

  • Anonymous
    March 22, 2010
    I don't understand the point of having both Role Definitions and Role Assignments.   Why isn't there just the concept of 'Role' which contains both the definition of what tasks/ops it gives access to AND the assignments of who belongs to that role?

  • Anonymous
    March 22, 2010
    Here is the short of it from posting... How come when I create a Role Definition in the UI it doesn't show up when I enum Roles? http://blogs.msdn.com/azman/archive/2006/07/13/663890.aspx We continue to enhance the OM for better productivity (see "2" and "3" interfaces) but this is a bit of legacy described.

  • Anonymous
    June 18, 2010
    For those having "Cannot open the authorization store. The following problem occurred: Access is denied." or "Cannot create a new authorization store. The following problem occurred: Access is denied." with SQL Server store type, try creating a database with collation Latin1_General_CI_AS and set store name something like: mssql://Driver={SQL Server};Server={.SQLEXPRESS};/AzManDB/AzManStore

  • Anonymous
    June 18, 2010
    (contd.) This worked for me on my Windows 7 RTM x64 machine. Hope this helps. P.S. I've also installed support.microsoft.com/.../975332 hotfix just before trying this, maybe this also helps.

  • Anonymous
    September 12, 2010
    Hi David, Under what circumstances will Azman AccessCheck (running under an xml store) return 5 instead of 0 or 1? I have setup an azman store on the local machine (win2003 std sp2) which is accessed via a webservice. Using either ClientContext orClientContext2 when I make an AccessCheck call, the results come back as 5 where I would expect 1. Azman is behaving as I would expect in all other scenarios, for example if I pass operations that do not exist in the store it throws a COM Exception, getting lists of Roles and Operations from the Application object works as expected. I have tried running the code (currently hosted in VS2010) as the local administrator on the machine and as a domain user. Same result each time. The context is being created around a defined AD user that has been added to the Role within Azman. Rather typically this is the only thing standing between us and a completely working Azman implementation. Any help appreciated!

  • Anonymous
    September 18, 2010
    I am new to AzMan but I have one basic question before I take a deep dive into this: We are building a rather large GRC application and the client strores the AD users in multiple OUs It seems that the store of roles can be set up in many other locations as well. This I find attactive... Can an AzMan store access multiple OUs to get the users for it's store in AD?

  • Anonymous
    September 25, 2013
    What is status of Azman?

  • Anonymous
    September 25, 2013
    The comment has been removed

  • Anonymous
    November 20, 2013
    Hi Dave, I am trying to get list of operations based on user id and not current context. Is there a way I can get that?

  • Anonymous
    November 20, 2013
    Could you help me understand what you are doing?  I think you looked at this msdn.microsoft.com/.../aa377877(v=vs.85).aspx     "The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform."  and iterate through your account store producing these.  You could also query your policy store and roll your way back.

  • Anonymous
    November 21, 2013
    Thank you David for prompt response. What I am trying to do is, on my web application, I am trying to show list of roles, tasks and operations based on the user id. So administrator of the application can select a user id from the dropdown and I pass that to some function which will return me roles, tasks and operation for the selected user. That user id may not be the current user logged in, but can be any user. I hope I am clear and not confused.

  • Anonymous
    November 21, 2013
    Hi David, I found the way the get all roles, tasks and operation from user. Below is my code for anyone else who may use or suggest any other better way.: _clientContext2 = _azApplication3.InitializeClientContextFromName(userId, "domain", null);                roles = (object[])_clientContext2.GetRoles();                bool found = false;                foreach (object currRoleDef in roles)                {                    found = false;                    foreach (IAzRoleDefinition currentRoleDefinition in _azApplication3.RoleDefinitions)                    {                        if (currRoleDef.ToString().Equals(currentRoleDefinition.Name))                        {                            found = true;                            Array roleTasks = (Array)currentRoleDefinition.Tasks;                            foreach (string taskId in roleTasks)                            {                                IAzTask currentTask = _azApplication3.OpenTask(taskId, null);                                Array taskOperations = (Array)currentTask.Operations;                                foreach (string operationId in taskOperations)                                {                                    IAzOperation currentOperation = _azApplication3.OpenOperation(operationId, null);                                    perm = new Permission(); // my own created object with 3 properties                                    perm.Role = currentRoleDefinition.Name;                                    perm.Task = currentTask.Name;                                    perm.Operation = currentOperation.Name;                                    lst.Add(perm); // List<Permission> object                                }                            }                        }                        if (found) break;                    }                }                return lst; Thank you again David for your help.

  • Anonymous
    November 21, 2013
    Just want to make sure that you are aware that authorization manager API will be obsoleted in the next OS after WS2012R2 and Win8.x.  It will continue to be supported for the length of the OS in which it resides (which still gives you a good long time) but still it's something to keep in mind.  

  • Anonymous
    December 03, 2013
    When you say WS2012R2, do you mean that we cannot upgrade our server WS2012 after R2? As we are not planning to upgrade to WS2013 in near future for sure, but if 2012 come out with R3, will AzMan api be supported?

  • Anonymous
    December 03, 2013
    The comment has been removed

  • Anonymous
    December 03, 2013
    Thank you very much Davind for an insight. I will keep this under my radar. Also, this page is one of the most useful page I have found on web regarding AzMan. I really appreciate your prompt response everytime.

  • Anonymous
    January 22, 2014
    technet.microsoft.com/.../dn303411.aspx Features Removed or Deprecated in Windows Server 2012 R2

  • Anonymous
    February 10, 2015
    I am using AzMan (Sql Server 2014 store) to manage role assignment of users from SqlMembership store in the same database as the Azman store. I am trying to create membership user and assign the user to role (in Azman) in the same transaction. How can I enlist the AzMan connection in the same transaction scope as the SqlMembership provider? The goal is to ensure that both operations succeed or fail. I don't even know how to get the AzMan connection handle. Any suggestion will be appreciated.

  • Anonymous
    March 12, 2015
    Hi David, Is there a way to get all users from Rolename and/or Groupname?

  • Anonymous
    March 12, 2015
    Client context or store operations?  You can always enumerate everything in the store. msdn.microsoft.com/.../aa965803(v=vs.85).aspx    getgroups msdn.microsoft.com/.../aa377879(v=vs.85).aspx  isinrole msdn.microsoft.com/.../aa377030(v=vs.85).aspx msdn.microsoft.com/.../aa377919(v=vs.85).aspx msdn.microsoft.com/.../aa377304(v=vs.85).aspx David

  • Anonymous
    March 12, 2015
    Curious - For those still utilizing AzMan, what context or types of applications are you leveraging it in?  What is the general user base size?  Anonymous posting, nothing too specific would be great.  I'm just curious :) David

  • Anonymous
    March 12, 2015
    The comment has been removed

  • Anonymous
    April 20, 2015
    At a customer's site, they're using AzMan for fine-grained permissions in their BizTalk. Role assignments from AD groups, to control operations permissions (for example, allow GetCustomer but not UpdateCustomer). The customer is a bank and BizTalk is their middleware between their CRM, Internet Bank, etc.

  • Anonymous
    April 21, 2015
    Thanks for the update Peter!

  • Anonymous
    April 21, 2015
    I got here when I was troubleshooting a problem. It turned out their problem was that there was a duplicate in OperationID's. It's easy to reproduce, just start two consoles and add a new operation with identical (and previously unused) OperationID's in each console. Close both consoles and start a new one. Both new operations have the same OperationID. This is tested with the Authorization store in AD. It's sad that the console doesn't show the OperationID in any column, if that had been available the troubleshooting would have been easier. I made a script that looks for OperationID duplicates and then lists the operations in numerical order.

  • Anonymous
    May 13, 2015
    Hi David, When i call updatecache method to refresh policies the accessCheck method does not respond till updatecache is finished. is there any way to keep accesscheck responsive with the previous state of store till the updatecache is finished.

  • Anonymous
    May 13, 2015
    Sorry to say, I am unaware of any way to make that more responsive.  A next step would be to contact our support organization. Once a trace is performed, they can identify if there are any further options for your code.

  • Anonymous
    July 28, 2015
    The comment has been removed

  • Anonymous
    July 28, 2015
    It's hard to tell without doing some tracing.  I would look at the CPU on ADLDS side in combination with your connection from a good performing machine and a bad one.  I'd look at the ldap connection and test a couple queries as well, just to rule out anything there.  I'd try also running similar operations from multiple machines (if that is what you are doing to determine if concurrency is presenting a challenge. Fast path would be contacting our support org. HTH

  • Anonymous
    July 30, 2015
    Hi David,   Need support from you, I want to know on which port a particular azman instance is installed? how do I get this info ? Thanks in advance