Tags: c#, iis, iis-7.5, azman

AzMan gives different results to different servers


We have 2 web-servers which are theoretically identical, but are producing different results when performing an AzMan authorisation check.

We have the same web-site running on both machines (literally the same web-site - it's been XCOPYed from one to the other, and it runs under the same service account). All this web-site does is perform an authorisation check against an AzMan database (sitting on a separate SQL server).

However, on the working web-site (WebA) this check returns 0 (i.e. "user is authorised"), while on the broken web-site (WebB) this check returns 5 (i.e. "user is NOT authorised"). We are expecting 0 on both web-sites. The same user is accessing both web-sites, from the same PC.

Does anyone have any ideas for things we can check?

Environment details

  • Windows Server 2008 R2
  • Same AD domain
  • IIS 7.5
  • .NET 3.5
  • AzMan Database runs on SQL Server 2005/Windows Server 2008 R2.

Code

using System;
using System.Security.Principal;
using System.Threading;
using AZROLESLib; // COM interop types for the AzMan authorization store (azroles.dll)

// The check runs inside a page method that receives the AzMan operation name;
// its return value is what the site displays ("0" on WebA, "5" on WebB).
private string CheckAccess(string operationId)
{
    AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();

    // initialise the store (SQL Server-backed store on the separate DB server)
    authStore.Initialize(0, "mssql://Driver={SQL Server};Server={OURDBSERVER};Trusted_Connection={Yes};/OURDATABASE/OURAPPLICATION", null);

    // open the application within the store
    IAzApplication2 authApp = authStore.OpenApplication2("OURAPPLICATION", null);

    // get the identity of the user NOT the service account
    WindowsIdentity identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;

    // and from that derive the token
    ulong userToken = (ulong)identity.Token.ToInt64();

    // get the client context based on the token
    IAzClientContext3 clientContext =
        (IAzClientContext3)authApp.InitializeClientContextFromToken(userToken, null);

    // get the operation object based on the id
    IAzOperation2 azManOperation = (IAzOperation2)authApp.OpenOperation(operationId, null);

    // generate an audit identifier
    string auditIdentifier =
        string.Format("{0}{1} : O:{2}", "{the_correct_id}", identity.Name, operationId);

    // 0 = user is authorised, 5 = user is NOT authorised
    uint accessResult = clientContext.AccessCheck2(auditIdentifier, string.Empty, azManOperation.OperationID);

    return accessResult.ToString();
}

Many thanks,

RB.


Solution

  • Thanks to David Hall for pointing me in the right direction.

    Investigation showed that both web-sites were enabled for both Windows authentication and anonymous access. However, on one web-site the user was being logged in correctly, while on the broken web-site it was falling back to anonymous mode.

    Disabling anonymous access fixed this problem by ensuring the user logs in to both web-sites.

    However, this leaves another question of why the browser logs in anonymously on one web-site but not the other - one for ServerFault I think.
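A check for the mismatch the solution describes, as an added example that is not part of the original question or answer: it reads the anonymous and Windows authentication settings of the same site on both servers and flags drift. The server names WebA/WebB and the site name OURSITE are assumed placeholders, and it assumes PowerShell remoting and the WebAdministration module (IIS Management Scripts and Tools) are available on both servers.

```powershell
# Added example: compare the IIS authentication settings of one site on the
# two servers, so an anonymous/Windows mismatch shows up before AzMan is blamed.
# Assumptions: 'WebA'/'WebB' and 'OURSITE' are placeholders; PowerShell remoting
# and the WebAdministration module are available on both servers.
$servers  = 'WebA', 'WebB'
$siteName = 'OURSITE'

$authFilters = @{
    Anonymous = 'system.webServer/security/authentication/anonymousAuthentication'
    Windows   = 'system.webServer/security/authentication/windowsAuthentication'
}

$results = foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ArgumentList $siteName, $authFilters -ScriptBlock {
        param($site, $filters)
        Import-Module WebAdministration
        $row = @{ Server = $env:COMPUTERNAME; Site = $site }
        foreach ($name in $filters.Keys) {
            $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                        -Location $site -Filter $filters[$name] -Name 'enabled'
            $row[$name] = [bool]$attr.Value
        }
        # With anonymous access on, a request that is never challenged reaches the
        # AzMan AccessCheck under the anonymous identity, which returns 5 (denied).
        $row['AnonymousFallbackPossible'] = $row['Anonymous']
        New-Object PSObject -Property $row
    }
}

$results | Format-Table Server, Site, Anonymous, Windows, AnonymousFallbackPossible -AutoSize

# Identical deployments must agree here; flag the drift explicitly.
$anonValues = $results | ForEach-Object { $_.Anonymous } | Sort-Object -Unique
$winValues  = $results | ForEach-Object { $_.Windows }   | Sort-Object -Unique
if (@($anonValues).Count -gt 1 -or @($winValues).Count -gt 1) {
    Write-Warning "Authentication settings differ between $($servers -join ' and ')."
}

# Remediation from the accepted solution, run on each server once confirmed:
#   Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
#       -Filter $authFilters.Anonymous -Name 'enabled' -Value $false
```

Running this from an admin workstation against both servers makes the WebA/WebB difference visible in one table, which is the comparison the solution arrived at by hand.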