WindowsTokenRoleProvider Catastrophic Failure

Question

I'm having a really frustrating error trying to secure an ASP.NET application using the WindowsTokenRoleProvider. For a particular user I'm seeing the following ProviderException thrown:

API failed due to error 'Catastrophic failure

As I said, this only seems to happen for a particuar user, I seem to be able to access the site fine and so have several colleagues. The only difference between us and the failing user is that they are not an administrator on the box where the site is being hosted.

From the call to GetRolesForUser. From the MSDN documentation it states that this can happen because of the following:

1. The currently executing user does not have an authenticated WindowsIdentity attached to Page.User. For non-HTTP scenarios, the currently executing user does not have an authenticated WindowsIdentity attached to Thread.CurrentPrincipal.
2. username does not match the Name of the current WindowsIdentity.
3. A failure occurred while retrieving the user's Windows group information.

I'm suspecting the issue may be related to point 3 as I've managed to use the .NET Framework debugging ability in Visual Studio 2008 to debug the code and it seems to be failing calling:

UnsafeNativeMethods.GetGroupsForUser

What I can't understand is why! And if the call is failing in a Framework library then I'm not entirely sure what I can do to resolve the issue.

Any help or suggestions on this would be grately received as I'm at a loss as to where I go from here, I'm seriously considering scrapping using the role provider in place of some other less elegant method.

Answer 1

Okay, after some very helpful input from a Microsoft ADC I've managed to resolve the issue.

The call to UnsafeNativeMethods.GetGroupsForUser should return a list of all AD groups which a particular user has access to (this is recursive, so will also include parent groups etc). It appears that sometimes when migrating AD profiles between domains a user can end up with an erroneous SID pointing to a group with no name associated with it. Because the call tries to grab all the SID names for a particular profile it will fail when it gets to the null entry resulting in the (rather unhelpful) "catastrophic failure" error above.

Just as a reference, the group was showing up in a dump from the whoami command line tool as follows (other groups, SIDs and domain name masked):

DOMAIN\   Deleted account   S-1-2-34-123456789-123456789-123456789-12345   Mandatory group, Enabled by default, Enabled group

As you can see, the domain name is present, but the group is not. The resolution was to get a domain administrator to remove the entry from the user's profile.

I truly hope this one helps others to resolve this issue because it had me completely flummoxed!