Microsoft KB Archive/301256

Article ID: 301256

Article Last Modified on 7/15/2004



APPLIES TO

  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0



This article was previously published under Q301256

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location from which you downloaded the release.

SUMMARY

This article demonstrates how to use the classes in the System.Security.Principal namespace to check the user's Microsoft Windows user name and group memberships from a client application.

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you will need:

  • Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, or Windows NT 4.0 Server
  • Microsoft Visual Studio .NET

This article assumes that you are familiar with the following topics:

  • Visual Studio .NET
  • Windows security

How to Check the Windows Identity in a Client Application

  1. Open Visual Studio .NET.
  2. Create a new Console Application in Visual Basic .NET.
  3. Use the Imports statement on the System.Security.Principal namespace so that you are not required to qualify WindowsPrincipal and WindowsIdentity declarations later in your code. You must use the Imports statement prior to any other declarations.

    Imports System.Security.Principal
                        
  4. Call the SetPrincipalPolicy method of the CurrentDomain object and pass PrincipalPolicy.WindowsPrincipal so that a WindowsPrincipal object is attached to the thread. Without this call, the principal that is returned is a GenericPrincipal object that contains no user information. Add this code to the Main method of Module1.

    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
                            

    NOTE: The call to SetPrincipalPolicy requires the SecurityPermission class with the ControlPrincipal flag, which is not normally granted to code that is less than fully trusted. This prevents semi-trusted code (such as code that runs off the Internet) from gaining access to a user's account name.

  5. Declare a WindowsPrincipal object, and use System.Threading.Thread.CurrentPrincipal to access the current principal from the Thread class. Because this property returns an IPrincipal interface, it must be cast to a WindowsPrincipal object before you can use it as one.

    Dim user As WindowsPrincipal = CType(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
                        
  6. Declare a WindowsIdentity object to hold the identity information of the user. Use the Identity property of the WindowsPrincipal object.

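    ' Identity is typed as IIdentity, so cast it (required when Option Strict is On).
    Dim ident As WindowsIdentity = CType(user.Identity, WindowsIdentity)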
                        
  7. Alternatively, if you only want to get the user's identity, use the GetCurrent static method as a shortcut for steps 5 and 6. The principal can then be constructed from the user's identity.

    Dim ident As WindowsIdentity = WindowsIdentity.GetCurrent()
    Dim user As New WindowsPrincipal(ident)
                        
  8. Use the Name property to retrieve the user's name and the AuthenticationType property to retrieve the authentication type, and display both on the console.

    Console.WriteLine("User name: {0}", ident.Name)
    Console.WriteLine("Authentication type: {0}", ident.AuthenticationType)
                        
  9. Use the IsInRole method of the WindowsPrincipal object to see whether the user is a member of various built-in groups (or other groups).

    Console.WriteLine("Is in Administrators group: {0}", user.IsInRole(WindowsBuiltInRole.Administrator))
    Console.WriteLine("Is in Guests group: {0}", user.IsInRole(WindowsBuiltInRole.Guest))
                            

    If you are checking group membership to deny access to an application (and not to customize the user experience), an even simpler approach is to use the PrincipalPermission class to demand the required role.

  10. Add Console.ReadLine to the end of the procedure to easily view the results.

    Console.ReadLine() 'Pause
                        
  11. Run the project to test the results.
  12. Save and close the project.
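
The PrincipalPermission approach mentioned in step 9, shown as an added example that is not part of the original article. It demands a role both imperatively and declaratively and fails closed when the demand is refused. The names RoleDemandExample, HasRole and AdminOnlyOperation are hypothetical.

```vbnet
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal

Module RoleDemandExample

    ' Declarative demand: the runtime checks Thread.CurrentPrincipal when the
    ' method is called and throws SecurityException if the role is missing.
    <PrincipalPermission(SecurityAction.Demand, Role:="BUILTIN\Administrators")> _
    Sub AdminOnlyOperation()
        Console.WriteLine("Running the administrators-only operation.")
    End Sub

    ' Imperative demand: returns True when the current principal holds the role.
    Function HasRole(ByVal role As String) As Boolean
        Try
            ' Passing Nothing for the name accepts any authenticated user in the role.
            Dim perm As New PrincipalPermission(Nothing, role)
            perm.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    Sub Main()
        ' Same call as step 4. Without it the thread carries an empty
        ' GenericPrincipal and every role demand is refused.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

        Console.WriteLine("User name: {0}", WindowsIdentity.GetCurrent().Name)
        Console.WriteLine("Guests demand passed: {0}", HasRole("BUILTIN\Guests"))

        Try
            AdminOnlyOperation()
        Catch ex As SecurityException
            ' Fail closed: the protected code never ran.
            Console.WriteLine("Access denied: {0}", ex.Message)
        End Try

        Console.ReadLine() 'Pause
    End Sub

End Module
```

Unlike an IsInRole test, which the caller can forget to act on, a refused demand raises SecurityException before the protected code runs.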

REFERENCES

For more information about the Principal and the Identity objects, see the following Microsoft .NET Framework Developer's Guide documentation:

For more information about key security concepts, see the following Microsoft .NET Framework Developer's Guide documentation:

For another exposition of these concepts and a similar sample, see the .NET QuickStarts, which are installed with the .NET Framework Software Development Kit (SDK) and available at the following location on your computer:

For more information about the Windows Identity and Principal classes, see the .NET Framework Class Library documentation.

Keywords: kbhowtomaster KB301256