I have a number of services that will be running under the security context of NT Authority\System as a Windows service (the services are NetTCP-based). There are six groups stored in Active Directory that will be allowed to access these services:

Users, Agents, Approvers, Administrators (three levels of admins)

I know I can get the user who is connecting to the service using ServiceSecurityContext.Current.WindowsIdentity.Name.

What I need to do is validate in a business layer that the user context being passed in is able to access the particular service though, and I'd like it to follow an older application my company supports that uses PrincipalPermission passing it a role and using the Demand() method to ensure access.

I guess my initial question is, if I pass PrincipalPermission the ServiceSecurityContext username and the associated role (group), will it automatically know to hit Active Directory behind the scenes since the service is running under the context of an AD account on the same domain? Or is there something special I should do?

+2  A: 

Right, when you demand a role, it'll call IPrincipal.IsInRole. This will use whatever implementation the principal has. So, if it's set to Windows, it'll do all the work to hit AD.

MichaelGG
Perfect, I'll write my security layer accordingly. Thanks for such a quick response!
digitall
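As an added illustration of the pattern the answer describes (not code from the question or the answer), here is a business-layer role check with PrincipalPermission.Demand() behind a NetTCP WCF operation. It assumes the default ServiceAuthorizationBehavior (PrincipalPermissionMode.UseWindowsGroups), under which WCF sets Thread.CurrentPrincipal to a WindowsPrincipal for the caller before the operation runs; the class, method and domain names are placeholders.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Business layer (hypothetical names). Role strings are the AD groups from the
// question, qualified with a placeholder NetBIOS domain name.
public static class ApprovalAuthorization
{
    const string Domain = "CORP"; // placeholder: replace with your AD domain

    // PrincipalPermission does not query AD itself: Demand() calls
    // Thread.CurrentPrincipal.IsInRole(role). For a WindowsPrincipal that
    // resolves the group against the caller's token (AD group SIDs), so the
    // principal must be a WindowsPrincipal, or Demand() throws.
    public static void RequireApprover()
    {
        if (!(Thread.CurrentPrincipal is WindowsPrincipal))
            throw new SecurityException("Caller is not a Windows principal.");

        // name = null means "any user name"; only role membership is checked.
        new PrincipalPermission(null, Domain + @"\Approvers").Demand();
    }
}

[ServiceContract]
public interface IApprovalService
{
    [OperationContract]
    void Approve(int requestId);
}

public class ApprovalService : IApprovalService
{
    // Declarative equivalent of the call below:
    // [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\Approvers")]
    public void Approve(int requestId)
    {
        try
        {
            ApprovalAuthorization.RequireApprover();
        }
        catch (SecurityException)
        {
            // Log who was refused, but hand the client a generic fault so the
            // response does not reveal which group names exist.
            string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
            Console.WriteLine("Denied Approve({0}) for {1}", requestId, caller);
            throw new FaultException("Access denied.");
        }
        // ... approval logic ...
    }
}
```

Because WindowsPrincipal.IsInRole works from the group SIDs in the caller's token, nested AD group membership is honoured, but a membership change only takes effect once the caller obtains a new token.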