I am using Windows Authentication on a Win2000 system and Active Directory. IIS grabs the user's NT login and passes it in to ASP.Net. Then my IsInRole() method can be used to check if the user is part of a windows role or is in an Active Directory group. On our corporate intranet we use the company Departments as groups in Active Directory and add users for that department into the group. This allows me to use IsInRole to check at a departmental level successfully. However, I am having a problem when the department name is 2 or more words such as

If User.IsInRole("Information Systems") Then .....

In this case, the IsInRole fails. How can I change my syntax on the method call to read all of the words in the role/group? Or doesn't that work with IsInRole?

Thanks

I have been doing further digging into this problem and it appears that it might be related to how the Active Directory groups have been set up. I found some obscure groups that I am a member of which contain 2 or 3 words in the group name that DO work with the IsInRole( ) method, so it is conclusive evidence that the IsInRole( ) method works. I have been breaking down each of the roles I am a member of and listing them by their distinguishedName path (CN, OU, ...., DC, DC). I am seeing a pattern, but there is one role that breaks the pattern so I need further digging. Anyhow, I am convinced that the problem is not related to the Asp.Net classes. I'll have to get our network guys involved.

Are you sure that the group in question is a security group and not a distribution group?

That is a very good question. Our AD network admin guy is in San Diego for a security conference this week so I don't have access to an AD admin interface.... I can only access it through the .Net code. On Monday I will be able to get together with him to figure it out (hopefully). I'll repost here once I get some results with him.

Thanks

Well, it's been a long 4 weeks, but the resolution is that the network team had not properly configured the groups to be security groups and therefore the .Net IsInRole() method could not pick them up. Multi-word group names (ie. departments) are working fine for me.

Thanks for letting us know the solution. I have a somewhat similar problem. Is it possible that groups are not properly set up but still can be used to controll access to resources?

How did they solve the problem?