Question

We have 2 web-servers which are theoretically identical, but are producing different results when performing an AzMan authorisation check.

We have the same web-site running on both machines (literally the same web-site - it's been XCOPYed from one to the other, and it runs under the same service account). All this web-site does is perform an authorisation check against an AzMan database (sitting on a separate SQL server).

However, on the working web-site (WebA) this check returns 0 (i.e. "user is authorised"), while on the broken web-site (WebB) this check returns 5 (i.e. "user is NOT authorised"). We are expecting 0 on both web-sites. The same user is accessing both web-sites, from the same PC.

Does anyone have any ideas for things we can check?

Environment details

  • Windows Server 2008 R2
  • Same AD domain
  • IIS 7.5
  • .NET 3.5
  • AzMan Database runs on SQL Server 2005/Windows Server 2008 R2.

Code

using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.Interop.Security.AzRoles;

// operationId is the AzMan operation name supplied by the caller (not shown in the original snippet)
public static string CheckAccess(string operationId)
{
    AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();

    // initialise the store
    authStore.Initialize(0, "mssql://Driver={SQL Server};Server={OURDBSERVER};Trusted_Connection={Yes};/OURDATABASE/OURAPPLICATION", null);

    // open the store
    IAzApplication2 authApp = authStore.OpenApplication2("OURAPPLICATION", null);

    // get the identity of the user NOT the service account
    WindowsIdentity identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;

    // and from that derive the token
    ulong userToken = (ulong)identity.Token.ToInt64();

    // get the context based on the token
    IAzClientContext3 clientContext =
        (IAzClientContext3)authApp.InitializeClientContextFromToken(userToken, null);

    // get the operation object based on the id
    IAzOperation2 azManOperation = (IAzOperation2)authApp.OpenOperation(operationId, null);

    // generate an audit identifier
    string auditIdentifier =
        string.Format("{0}{1} : O:{2}", "{the_correct_id}", identity.Name, operationId);

    // 0 = authorised, 5 = not authorised
    uint accessResult = clientContext.AccessCheck2(auditIdentifier, string.Empty, azManOperation.OperationID);

    return accessResult.ToString();
}

Many thanks,

RB.


Solution

Thanks to David Hall for pointing me in the right direction.

Investigation showed that both web-sites were enabled for both Windows authentication and anonymous access. However, on one web-site the user was being logged in correctly, while on the broken web-site it was falling back to anonymous mode.

Disabling anonymous access fixed this problem by ensuring the user logs in to both web-sites.

However, this leaves another question of why the browser logs in anonymously on one web-site but not the other - one for ServerFault I think.
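A diagnostic version of the check, added here as an example and not part of the original question or answers: before the token is handed to AzMan it records which identity the thread actually carries and refuses anonymous or unauthenticated identities, which is precisely the difference the accepted answer found between WebA and WebB. It assumes an already-opened IAzApplication2 (as in the question's code), a caller-supplied operation name and a logging delegate; the result codes 0 and 5 are the ones the question quotes.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.Interop.Security.AzRoles;

public static class AzManDiagnosticCheck
{
    // Result codes as quoted in the question: 0 = authorised, 5 = not authorised.
    public const uint Authorised = 0;
    public const uint NotAuthorised = 5;

    // authApp: the IAzApplication2 returned by OpenApplication2 (as in the question).
    // operationName: the AzMan operation to check (assumed to be the operation's name).
    // log: any sink the caller provides, e.g. s => System.Diagnostics.Trace.WriteLine(s).
    public static uint CheckOperation(IAzApplication2 authApp, string operationName, Action<string> log)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        WindowsIdentity identity = principal == null ? null : principal.Identity as WindowsIdentity;

        // The thread's own Windows identity is what AzMan would see if the request
        // identity were not used; logging both makes a mix-up visible in the trace.
        log("Thread identity: " + WindowsIdentity.GetCurrent().Name);

        if (identity == null)
        {
            log("Thread principal carries no WindowsIdentity (" +
                (principal == null ? "null principal" : principal.GetType().FullName) + "); denying.");
            return NotAuthorised;
        }

        log(string.Format("Request identity: Name={0} AuthType={1} IsAuthenticated={2} IsAnonymous={3}",
            identity.Name, identity.AuthenticationType, identity.IsAuthenticated, identity.IsAnonymous));

        // Fail closed: an anonymous or unauthenticated identity is the symptom the
        // accepted answer found on the broken site, so its token is never passed to AzMan.
        if (identity.IsAnonymous || !identity.IsAuthenticated)
        {
            log("Request was not Windows-authenticated; denying without calling AzMan.");
            return NotAuthorised;
        }

        ulong userToken = (ulong)identity.Token.ToInt64();
        IAzClientContext3 clientContext =
            (IAzClientContext3)authApp.InitializeClientContextFromToken(userToken, null);
        IAzOperation2 azManOperation = (IAzOperation2)authApp.OpenOperation(operationName, null);

        string auditIdentifier = string.Format("{0} : O:{1}", identity.Name, operationName);
        uint accessResult = clientContext.AccessCheck2(auditIdentifier, string.Empty, azManOperation.OperationID);

        log(string.Format("AzMan AccessCheck2 for {0} on {1} returned {2}",
            identity.Name, operationName, accessResult));
        return accessResult;
    }
}
```

Comparing the two log lines from WebA and WebB tells you whether the difference is in authentication (IsAnonymous=True or a different Name on the broken site) or in AzMan policy (identical identities but different AccessCheck2 results), which is the first thing to establish before touching role assignments.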

OTHER TIPS

In our case, we were using ASP.NET impersonation with Windows Authentication and not Anonymous. It was working on the Windows 7 Enterprise x64 Development machine and not on the Windows Server 2008 R2 x64 test server. Both Application Pools were set up exactly the same with the same domain account credentials.

It turns out that ASP.NET impersonation was the root cause of the issue. After disabling ASP.NET impersonation, the App Pool account was now being used as the credentials to connect to the AzMan store successfully. The same issue was occurring when connecting to an AzMan store in Active Directory or SQL Server.

For clarity, the error I was getting was "Value does not fall within the expected range." from AzAuthorizationStoreClass.Initialize().

My final connection string was:

<add name="AzPolicyStore" connectionString="mssql://Driver={SQL Server};Server=sqlserver\instance;/DatabaseName/AzStore" />
Licensed under: CC-BY-SA with attribution