AzMan Questions

I am putting this place holder out for Windows 2003 Authorization Manager ( AzMan) questions.

If you have them,  please ask them.

The AzMan (pronounced "A" "Z" "Man" ) update is included in the following:
Windows 2003 SP1 Admin Pak[^]

Windows 2000 Authorization Manager Runtime [^]

You will need to GAC the PIA. You should use the new interfaces for performance and all the benefits of the new interfaces such as the ability to create an emtpty client context and set the LDAPQueryDN supporting dynamic query groups in ADAM. This  update to azman facilitates ADAM and ADFS integration environments. AzMan acts as a claims transformation engine when used in conjunction with ADFS. In each case, it is possible to build an empty client context and load sids (typically in the case of an ADAM authentication environment) or load roles and groups based on ADFS group claim assertions.

[Update: There was a change in packaging. The PIA is not included in the Win2k3 admin pack for WinXP. It is possible to create an interop from the azroles.dll or use the PIA from Win2k3 under %windir%\Microsoft.Net\Authman\(version) ]

Comments (270)

  1. ISer says:

    Hi Dave,

    I’ve found very little material about the use IBF (Information Bridge Framework) makes of AzMan.

    Are you familiar with articles on the subject?

    Two particular questions which I couldn’t find an answer to are

    1. On publication of the IBF Metadata, are the IBF Operations automatically mapped to AzMan operations?(my guess is yes)

    2. Are IBF Actions mapped automatically to AzMan Roles (my guess is no)

    Thanks in advance

  2. Yes, operations are mapped to AzMan


    No, actions are not mapped to anything in AzMan

    IBF Groups are mapped to tasks in AzMan and they group operations for easier permission setting



  3. tont says:

    Does azman integrate with Sharepoint roles out of the box or is there a way to do it with code?

  4. AzMan works with sharepoint. If you are writing a custom webpart, you will identity the resources or UI that you want to protect as operations,set the tasks and roles accordlingly, assign your user or group to the role, in your web part initializeclientcontextfromtoken() passing in the WindowsIdentity token containing all your sids, call an accesscheck (likely once containing all ops in the webpart). You then check your results. If your operation result is TRUE then you set an item visable, or show a column from the database or etc… like any other app. Just remember that you need to set the SPS site roles as well and assign users to them as well.

  5. dc995 says:

    I should be clear that TRUE = 0 = NO_ERROR per COM origins… most .net people wrap azman and return a boolean or array of booleans per accesscheck – the actual return is – SAFEARRAY is a VARIANT of type VT_I4.

    If interested in more details…

  6. Hélio Sá Moreira says:


    I’m senior consultant for an Microsoft Gold Certified Partner in Brazil.

    Now I’m studying AzMan and I find a great How To article in MS Patterns & Practices web site. The article is: How To: Use Authorization Manager (AzMan) with ASP.NET – 2.0

    However this Enterprise currently use .Net Framework 1.1

    My Question is:

    . How I do this integration Between .Net Framework (ASP.Net pages) with AzMan?

    . In .Net 1.1 I’m forced to use AzMan API in my ASP.Net Web Application – code behind pages?


    Hélio Sá Moreira

  7. The Step 6. approach described in article referenced by the link that you provided is a valid approach for .NET 1.1 also. The ASP.NET 2.0 role provider is a wrapper to simplify the use of AzMan by offering a subset of the capabilities of the AzMan API and it also provides a common authorization approach within ASP.NET. Enterprise Library also contains a wrapper that provides additional functionality – exposing a simplified accesscheck. You would use the AzMan API directly when you want to take advantage of the full set of capabilities. It provides a simplified and common way with a robust api to address professional authorization. An interop can be created or use the pia found on a win2k3 system. People often create their own wrappers to fit a specific purpose. AzMan is very flexible and offers functionality that is applicable to a number of situations. If you would like to use in your code behind pages or web services… it’s really up to you. Does this answer your question? Regards, David

  8. David says:

    Hi David,

    We are using Azman operations to make UI components visible or invisible (i.e. a button, a text field, a menu entry), since "operations" should be mapped to business operations, which is not the case, I am wondering if we are using it in the right way.

    Has anybody use it in the same way? is that a valid approach?

    Additionally, could you please tell me where I can find a sample use of AzMan? I’ve read in a Microsoft chat session that they would provide a more complex sample in the SDK download, is that true?

    Thanks in advance,


  9. Absolutely!!! Some find it a great idea to perform the access check with one network call by loading all the operations into a single call, transform in a wrapper (check access OK becomes TRUE in return for op) to an array of boolean results and then for attributes such as visable, disabled, etc… have something like mytexbox.visible = opcheckresults[1]; // cooresponding to the result of operationIds[1]=op_constant. You could use the result for determining access to a function, build a wrapper so that your code is attribute/declarative driven, or even using a scope as data e.g. mynewsgroup and then have roles such as admin, reader, contributer, etc. Then when using SP1 return all the scopes assigned to a user to display all the news groups of which the user is assigned in at least one role.

    Since AzMan is part of the Windows 2003 OS the current SDK location is the Platform SDK. There are a few things planned for the Vista Platform SDK. I suspect that the managed sample from the PDC 2005 hands on lab will make it in regarding – a more complex sample. There are a few more goodies planned for the Vista SDK but I wouldn’t want to ruin the suprise 🙂 You will also want to keep an eye out for Active Directory Federation Services and potential AzMan use in the SDK. Check out the .NET show on AzMan with ADFS –



  10. Hi David,

    Is there any way to bind an ADAM principal to Azman through the user’s name ?. I found a way through the user’s SID, but the Azman Role provider in ASP.NET 2.0 uses user names instead of SIDs.


  11. Diego Gonzalez says:

    Hi David,

    AzMan uses XmlFile or ActiveDirectory (or ADAM) as a backing store for the authorization information, and Vista will add SqlServer, but

    is there any way to extend the backing store or authorization decission processing with a custom class? On the other hand defining custom authorization decission processing will allow using different semantics than Role Based Access Control, for example XACML based on functional access.


    Diego Gonzalez

  12. Hi David,

    Is there any way to bind an ADAM principal to Azman through the user’s name ?.

    DC>Not currently. The current approach for store administration using ADAM is the API. The client context may be created empty and sids added to it.

    I found a way through the user’s SID, but the Azman Role provider in ASP.NET 2.0 uses user names instead of SIDs.

    DC>You have a great approach listed on your blog.

    With Win2k3 SP 1, if you can get the user DN, you can set the ldapquerydn on the client context and make use of dynamic query groups.



  13. David Crawford says:

    See inline:

    Hi David,

    AzMan uses XmlFile or ActiveDirectory (or ADAM) as a backing store for the authorization information, and Vista will add SqlServer, but

    is there any way to extend the backing store or authorization decission processing with a custom class?


    DC>No, extension the policy store is not supported. We do however support business rules which allow you to call custom code (script or – .net class if in process) to determine access. You can also expose a web service wrapper.


    On the other hand defining custom authorization decission processing will allow using different semantics than Role Based Access Control, for example XACML based on functional access.


    DC> I saw some debate on this related to the sunxacml but I would like to hear more specifics on how you would like to implement.



    Diego Gonzalez


    I’ve heard a few requests for XACML usage but when I tried to dive into it, I couldn’t get any concrete requirements. If you would like to take this offline, submit your email on this site or call 610-240-7000 and provide your contact info.



  14. Bob Bradley says:


    I am having no joy with working with dynamic groups in AzMan, despite following the "bouncing ball" on articles such as this one:

    I am using the sample "workbench" app from this site to test my dynamic groups – but I can only get the basic groups to work, and only for AD-based users (not ADAM users).

    We are running with W2003SP1, with an AZMAN instance in an ADAM store (as well as one in AD for comparison).

    Firstly, is there some trick to getting dynamic groups working? Even basic queries such as (cn=*) don’t work for us.

    Secondly, will this work for ADAM users too? I was expecting a way to nominate a directory source somehow as a root node, but all the samples seem to assume that this is a given (i.e. the current domain).

    Can you perhaps direct me to some more examples/articles on this? There seems to be very little info on the dynamic groups feature.


    Bob Bradley

    Solutions Architect

    Unify Solutions Pty Ltd

    Suite 23, 213 Greenhill Road

    Eastwood, SA, AUSTRALIA, 5063

    MCP ID: 1956368

  15. You will require Win2k3 "SP 1" or the appropriate update for azman. Then create an empty client, use AddStringSids to copy the sids that you queried from tokengroups of the ADAM user that you authenticated, then set the ldapquerydn to that of the authenticated ADAM user. Note: from an infrastructure standpoint – the process will need to have rights to access the object that you specified in the ldapquerydn on the azman client context (IAzClientContext2). More info is available at the following link…

    An updated white paper targeted for MSDN including Win2k3 SP 1 aspects is pending release. I do not have a date for that at this time however…

  16. Koen Gullentops says:

    Hi David,

    Question about the dynamic business rules in AZMan roles and tasks.

    I was wondering if it is possible to create a business rule that uses an external store like a database or even the result of a webservice to validate an authorization request.



  17. This is possible. In addition, It is possible via ccw to call a .net function when azman is in the same process.  I would also recommend that business rules be short operations focused on authorization.

    From the mmc – azman.msc , look at the properties, then limits tab for additional settings related to business rules.



  18. Hi David. Great blog 🙂

    What about AzMan and WCF (aka "Indigo")? I understand WCF supports natively AzMan. Is this true / false? I mean, that would be *** damn*** cool!

    If it’s true, how doe that work? Is there any sample / code out there?



  19. Bill Craun says:


    I’m almost certain that I heard in an MSDN Webcast delivered by Kevin Ramsaur that W2K3 R2 would support binding ADAM principals to AzMan roles using the ADAM username instead of the current SID-only method. Is this a true statement?

    Thank you,


  20. Bill,

    Win2k3 R2 is equivalent to Win2k3 SP1 as far as AzMan.  I suppose that initializing an empty client context and using the ldapquerydn on the client context would give the appearence of using an ADAM name but it would do so with the expense of making ldap calls/queries using dynamic ldap query groups. There are performance advantages to populating the sids using AddStringSids 
    in the client context from a query to the adam user token groups
    The following is the location for the interface docs on msdn.  

    The ones with a (2) are available SP 1 update and the ones with a (3) are a few potentials for LH/Vista – the info on MSDN is early preview.  I would keep an eye out for the next Vista beta for some more AzMan enhancements but Vista does NOT have an initializeclientcontextfromAdamName planned.

    The upcoming AzMan white paper will go into some of the SP 1 enhancements.

    Look for an ADAM object picker in the MMC at Vista timeframe.  AzMan before then enables user assignment and authorization management via the API only.  Most people make the authorization part of their application.  There would be an admin web page for instance that could allow role assignment using the AzMan API.


  21. Simon,

    First of all – Thanks!

    I have seem some custom code implementations with Indigo/WCF and AzMan. So there are integration points with WCF but there is nothing built-in to the WCF OM per se.  AzMan remains a key API of the Operating System and has some exciting futures planned with Vista bringing some very cool features. AzMan has the PIA for .NET programability as you are probably aware.  I am sure that there will be more material on how Indigo/WCF works with AzMan as time goes on.  Keep an eye out for the upcoming AzMan white paper.  I do not have a release date yet but should be relatively soon.  



  22. Marcel says:


    I have used Azman on a few projects and am quite happy with the functionality, features and flexiblity.

    One item I am interested in seeing is a web front end for mananging the AzMan store. Are there such projects out there or any vendors that supply such functionality?

  23. There is a web ui sample which is likely to make it into Vista Platform SDK. This one would mimic the MMC to some degree but the important thing to focus on IMHO is that your administration may match certain features of your application that look nothing like the MMC.  For instance, if you were writing a newgroup application, you may chose each newsgroup to be a scope, and in each scope define roles Administrator, Contibuter, Reader.  When a user creates the new group, the API in the background would create the scope for that group matching the database entry for the newsgroup.  You would likely expose role assignment to the end user as you are controlling the constructs.  

    Another example where a custom UI may be used is for ADAM administration.  You would make the calls to ADAM and list the user names but on role assignment, you would submit the sids via the API for role assignment then display performing name lookups in adam based on the sids returned from the authorization policy store.



  24. Marcel,

    To your other question, aside from the Microsoft products utilizing azman there is a vendor that I believe is using AzMan at the core…



  25. Chris Pszeniczny says:

    Hi Dave,

    I am currently writing a utility to export an application’s operations, tasks, and role definitions to flat files and then import them into a new application in another policy store.  I am using the AzMan API to accomplish this.  I have no problems exporting the definitions but importing them is giving me a problem.  When I call the CreateApplication method of AzAuthorizationStoreClass, the application can be seen in the authorization store object while debugging and it exists in a separate IAzApplication also.  The problem is the application never gets created in the authorization store when viewing it with the MMC.  And later when I try to call the CreateOperation method on the IAzApplication object I get the following error:

    The operation could not be performed because the object’s parent is either uninstalled or deleted.

    Do you have any ideas what could be causing this?  The steps involved seem pretty obvious but I must be missing something.



  26. I would need some more information… it is hard to tell from what you wrote…

    Here is a simple vbscript… which you could drop in a file installreader.vbs and run from the command prompt > cscript installreader.vbs

    ‘— Initilaize the admin manager object
    Option Explicit

    Dim pAzManStore
    Set pAzManStore = CreateObject(“AzRoles.AzAuthorizationStore”)

    ‘— Create a new store for expense app

    pAzManStore.Initialize 1+2, “msxml://C:ReaderAzPolicyStore.xml”
    ‘— Uncomment the following line to use AD as the policy store
    ‘pAzManStore.Initialize 1+2, “msldap://CN=AzStore,CN=Program Data,DC=contoso,DC=com”

    ‘pAzManStore.Initialize 1+2, “msldap://ADAMServerName:389/CN=AzStore,CN=Program Data,DC=contoso,DC=com”

    ‘ SAMPLE – make everyone a reader


    Dim App1
    Set App1 = pAzManStore.CreateApplication(“Smart People”)

    ‘— create operations ———————–

    Dim Op1
    Set Op1=App1.CreateOperation(“Read”)
    Op1.OperationID = CLng(1)

    ‘— Create Tasks

    Dim aTask
    Set aTask = App1.CreateTask(“Read Stuff”)
    aTask.BizRuleLanguage = CStr(“VBScript”)
    aTask.AddOperation CStr(“Read”)
    ‘aTask.AddOperation CStr(“TheOp2”) ‘ if there were an operation called TheOp2

    ‘— Create Role definitions
    Dim aRoleDef
    Set aRoleDef = App1.CreateTask(“Reader”)
    aRoleDef.AddTask CStr(“Read Stuff”)
    aRoleDef.IsRoleDefinition = TRUE

    ‘— Create Initial Scopes and Roles
    ‘— only one scope in this app (we may instead choose to use no scope)
    Dim ARole
    Set ARole=App1.CreateRole(“Reader”)

    ‘— Create Application Group
    Dim Group1
    Set Group1 = pAzManStore.CreateApplicationGroup(“CoolReaders”)
    Group1.Type = 1
    Group1.LdapQuery = “(title=CoolReaderCapt)”

    ‘— demo – add ASmartAppuserName to a Reader Role

    wscript.echo “Done”

  27. Chris P. says:

    Thanks for the sample, Dave.

    After reading through the white paper again I found that I was not calling the Submit method after creating the application.  Your example above just validates the need to call Submit after creating each operation, task, etc.

  28. We are planning to include sample code in the Vista SDK for Beta 2 for a command line tool that performs migrations between stores.(Offhand, I think in C or C++) It is sample code and not a supported tool but since you mentioned that you were writing one. I thought it would be a nice to know this.  



  29. Guru Ranganathan says:

    David and all AzMan experts

    Was wondering, does anyone know of a good utility/tool to export out an AzMan xml store directly into the Active Directory?

    Our DEV environment runs based on AzMan xml store, but we are facing performance issues in the TEST environment. I was looking to create a task in my daily build to export the authorisation store to the AD everyday, so that the TEST can use the AD instead of xml store.

    Cheers, _Guru

  30. We are targeting Vista SDK beta 2 to include sample code in C++ that would demonstrate migrations…  Likely to be available, I think, June/July timeframe…



  31. Kut says:

    Hi David,

    A queston for you please.

    My environmet is W2K3 SP2 with .NET 2.0 and WCF beta 2. The client has requested that we do not create appication groups in the AD, but rather in ADAM and then assign the AD users to the groups in ADAM. I am using AzMan for authorization. Does it make sense to use ADAM to define the application groups, or would it be better to define the application groups as Basic groups in AzMan and then assigning the AD users to those groups, if the ONLY reason we would consider using ADAM is purely for creating the Application Groups ?



  32. Kurt says:

    Hi David,

    A queston for you please.

    My environmet is W2K3 SP2 with .NET 2.0 and WCF beta 2. The client has requested that we do not create appication groups in the AD, but rather in ADAM and then assign the AD users to the groups in ADAM. I am using AzMan for authorization. Does it make sense to use ADAM to define the application groups, or would it be better to define the application groups as Basic groups in AzMan and then assigning the AD users to those groups, if the ONLY reason we would consider using ADAM is purely for creating the Application Groups ?



  33. Hmmm…. "if the ONLY reason we would consider using ADAM is purely for creating the Application Groups"…

    Application Groups is an AzMan concept.  It doesnt really matter where the policy store resides e.g. ADAM or AD or XML in this case. I think that you are calling Active Directory Groups or ADAM object type groups basic groups.  The benefit that you get from using AD groups is that as far as the policy store is concerned when you perform an accesscheck there will be one SID to load into the client context and that same one would be assigned to a role.  If you had a thousand users and put each SID into an AzMan application group then the client context would have the user sid and compare to each in the store.  It could be pretty quick as it is represented as a hash but now think about the comparison if there was only one SID in the policy store e.g. "Everyone" group.  

    If I understand this correctly, to use an ADAM object group you would probably need to use a userProxy object to Authenticate in ADAM to bring in the use of group assignment in both AD and ADAM.  I haven’t tried this scenario myself yet but conceptually it would work. Before digging into this further – was the aspect of creating an application group utilizing any policy store what you were looking for?



  34. Kurt says:

    Thanks for the reply. I am not sure I understand your question though, " – was the aspect of creating an application group utilizing any policy store what you were looking for?"


  35. The question was a reference to the first line of my reply quoting your question…  "if the ONLY reason we would consider using ADAM is purely for creating the Application Groups"…

    as you can create AzMan application groups with AD, ADAM or XML and in Vista timeframe policy store support in MS SQL.

    There is a lot of confusion related to terminology hopefully some of this will clear up with an pending whitepaper release. In the meantime, I was trying to describe various environments aspects in a short post.  Let’s see if I can clarify the original solution concept.

    There are multiple ways of establishing groups of users for autorization purposes. I was making a distinction between the authentication store and the authorization policy store.  A group object in ADAM may have a member/memberOf attribute relationship with a user object in ADAM. Active Directory also has this concept and it is my understanding that adding a security group is difficult in whatever environment you are in.  This often occurs when there is a concern about token bloat, political or organizational policy reasons, or just a desire to push access control/membership to the responsibility of the line of business application owners/users.

    The AzMan authorization policy store has a set of objects (Win2k3 Domain Functional Mode supports/has these objects by default) however the ADAM schema is extended with schema script that ships with the product.

    The next layer is the policy store. One or many policy stores may be created within various containers in AD/AM or multiple XML files. Then there is the policy store design which is made up of operations, a set of operations form a task, then a set of tasks make up a role called a roledefinition.

    Next there is the policy store management where users or groups may be assigned to roles or application groups and then to roles. This is where your post and question comes in from what I could make of "using ADAM purely for Application groups"

    AzMan application groups have a few flavors.  An AzMan application group may contain user and group SIDs from any authentication store providing the accepted format or the application group could specify an ldap query e.g. all those who have the attribue title=manager in the directory. When the policy store resides in ADAM some call this maintaining groups in ADAM but it is actually groups/roles in AzMan whose policy store just so happens to be currently residing in one of the three – soon to be four supported store types – AD, ADAM, XML and with Vista SQL.

    Where I was going with it is that as you add individual SIDs to an application group that there is a point where a group SID from the authentication store is desirable for speed.  Think about comparing one user SID in one bucket with 1000+ individual SIDs in the other bucket. Now picture that in the first bucket that there are two SIDs – the user SID and a group SID represting a group called AllExpenseReportUsers then the other bucket only contains the SID representing AllExpenseReportUsers.  The initialization or seek time would be comparing 2 SIDs with 1 SID versus comparing 1 SID with 1000+ SIDs.

    If this previous concept is clear then I could see under a certain circumstance that having a SID added to a clientcontext and policy store would be desirable.  

    Without going deeper into the multitude of optimizations and choices – I suspect that you are planning to use AD for Authentication, locate your policy store in AD or ADAM, assign AD users and groups to AzMan application groups and either one or both to AzMan roles.

    After all that 🙂 the main point that I have is that application groups are a concept of AzMan and not the type of store they reside in (AD/AM, XML). That brings us back full circle to the original –  "if the ONLY reason we would consider using ADAM is purely for creating the Application Groups"…

    If you post your contact information to this site – I would be happy to discuss further.  It would probably take less time to figure out the exact context and optimal solutions 🙂



  36. aashiru says:

    I need help please!!!

    I received ‘InvalidCastException’ using the code below:

    IAzAuthorizationStore2 _store = new AzAuthorizationStoreClass();



  37. Try this…

    AzAuthorizationStoreClass _store = new AzAuthorizationStoreClass();


    IAzApplication2 _azApp =




  38. Chris P. says:

    Hi Dave,

    I posted earlier (March 21) about creating a console application to export/import a policy store from/to AzMan via the API.

    The problem I am having now, after importing the policy store into AzMan, is that the role, task, and operation definitions and the role assignments are showing up in AzMan but when I call the AccessCheck() method on the API for a series of defined operations, the operations are not seen as assigned to the user/role.  The AccessCheck() call is returning 5 when it should be returning 0.  If I create a new application in AzMan and hand-key in all the definitions and role assignments and then call the AccessCheck() on the new application then the correct values are returned.  There is some small detail that I am missing during the import.

    Do you have any ideas?


  39. aashiru says:

    Thanks David for your prompt reply. However, we’re still getting an exception when we tried your suggestion.

    We’re using the Interop assembly i.e.


    The following code works fine:

    IAzAuthorizationStore _store = new AzAuthorizationStoreClass();


    IAzApplication _azApp =


    Whereas, the following produced an exception below:

    AzAuthorizationStoreClass _store = new AzAuthorizationStoreClass();


    IAzApplication2 _azApp =


    Unable to cast COM object of type ‘Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass’ to interface type ‘Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2’. This operation failed because the QueryInterface call on the COM component for the interface with IID ‘{B11E5584-D577-4273-B6C5-0973E0F8E80D}’ failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).

    We are upgrading our code to use IAzApplication2 instead of IAzApplication because I read an article that the former has more functionalities and better performance.



  40. Barry,

    What version of the PIA are you using?  Is it 1.2? (%windir%Microsoft.NETAuthMan1.2)



  41. Chris,

    Could be a few things potentially as simple as role assignment where SIDs do not match between environments.  Please send your contact info via the "Email" link on this page and I will take a look at your stores.



  42. aashiru says:


    That’s correct. We are using PIA 1.2




  43. Ankit says:

    Hi David

    I am a solution architect, and looking at (a line of business) accounts payable application. We have an inhouse implementation and I am thinking that we can integrate our users sitting on ADAM using Application Groups (ldap queries) with Azman for authorization.

    The application will eventually have external interfaces to other businesses, and  integration with ADFS could be the way forward in near future.

    The question I want to ask is: in such scenario how should we delegate roles to user/groups for our internal app, so in future we could add external clients to the application as well? Is there some information available on integrating ADFS and Azman and/or guidelines etc?

    I actually went through the talk show on ADFS, and now working on feasiblity of using that scenario (integration between Azman and ADFS) for our application. Any help would be highly appreciated.



  44. Mariya says:

    Dave, we are concidering using AzMaz for authorizing external users. I have a couple of questions:

    1.Is there a method in the AzMan API that will give me all tasks/operations a giver user have access to?

    2.Where can I find documentation on AzMan API?

    3.I read in one article that in order to use AzMan without using Windows accounts to represent users "you need to define custom security identifiers (SIDs) for each user", and that in this case "you won’t be able to use the AzMan snap-in to manage your stores".

    My question is does it mean that I won’t be able to use AzMan to assign these users to roles? What is the alternative?

    Thanks you,


  45. geykel says:

    Hello David,

    Is the Authorization Policy Store XML Schema public? in this case, where can I find it?

    best regards,


  46. The schema is not public.  The only supported way to work with the XML store is through the API.  It is possible for the underlying store schema to change and in fact does with Vista.



  47. varma says:

    Hi David,

    We have our existing applications where security objects like users,roles,groups,menu items is configured on the database.when an individual user opens the application his menu will be displayed dynamically in a tree view.

    Now we would like to explore on Azman since in our future applications we would like the users to be authenticated USING Active Directory.

    Now i would like to simulate the dynamic menu generation using AZMAN.Is it possible.If so how..

    iam trying to create menus as tasks and diffrent functionalities of a menu as operations.But when the user is authenticated i would like to display tasks dynamically…Is it possible…

    Please suggest.



  48. Maxime says:

    Hello David,

    I am currently building an access control solution for a client based around AzMan. We came across the following article on AzMan :

    "Be aware of concurrency issues if you share a store among multiple applications because stores do not yet support concurrent editing. If you think there’s a chance two administrators might be editing a single store at the same time, you need to provide some external locking to serialize access to the store; otherwise, it might become corrupted."

    Could you add a little bit on how exactly could the store become corrupted ? Specifically, does this issue only happen on XML stores or also on Active Directory ones ?

    Is there a better solution at this time to this issue then just using single-application stores ?

    Thanks for your help!

  49. The wording “corrupted” from our initial guidance is perhaps a bit strong. The issue is that last-in-wins.  In that scenario if two administrators make a change on the same item the one who performs that change last with an identical starting point will win.  Often people think that means the store will not load and a restore necessary. The issue with AD vs XML is that the XML store is fully loaded into memory and a change writes the whole policy store down to disk.

    Another case where a similar inconsistency is possible could be the same scenario as above but in a replicated scenario with AD or ADAM.  Each admin changes an identical item on a different server and the change creates an inconsistency.  This would not effect memberships or permission assignments which are done through multivalued attributes to which updates would get reconciled as distinct adds and removes however it possible that a description could become inconsistent.

    As an FYI – this strong wording from our guidance is also echoed with Keith Brown’s site

    The concurrency with the XML store is dependent on environment and probably a topic of its own.  If you are using .NET and the API you can put locks around access to the store and/or catch access errors and retry (XML DOM locks the file on load)

    The ASP.NET 2.0 authorization provider caches at a minimum of 1 minute so changes made via the MMC (AzMan.MSC) at the same time as programatic changes within the ASP.NET provider model would have the same issue.  Once again, not corruption but inconsistent if possible to load the store when it isn’t locked.

    A further mitigation to an inconsistency would be to wrap AzMan with a service to manage writes.  AzMan, to date, relies on the capability of the underlying store type.

    So to wrap it up… corruption would be better described as inconsistent.


  50. Varma,

    You can manage menus in a number of ways… one approach I mentioned in the comments of the following…

    Another approach is to specify an operation for each menu item and batch an accesscheck with all the operations and set the result of the visibility/readonly/enabled/etc property for each item in a list.  I could see why you would want tasks as they are collections of operations but tasks are only for administrative groupings.  A better approach for groupings would be utilizing scopes. See for more info…
    then utilize that scope within the menu item.

    The best approach depends on your situation and given that I don’t have all the information these are a couple ideas to get started with 🙂


  51. Maxime says:

    Hello David,

    First, thanks for your prompt reply on my first question. I have a second question on which i found little or no documentation.

    I’ve read that when you use the InitializeClientContextFromToken AzMan reads group sids from the PAC portion of the Kerberos token.

    My question is this : I know that windows security groups get added to the Kerberos token’s PAC, but does the PAC also carry AzMan information ?

    If it does, which info does it carry exactly ? Roles ? Scopes ? and what rules can i put in place to make sure i dont run out of space in my kerberos token ?

    Also, let me know if i am not clear 🙂


  52. Maxime,

    Q> I know that windows security groups get added to the Kerberos token’s PAC, but does the PAC also carry AzMan information ?


    The Kerberos Protocol, PAC or (Privilege Access Certificate) does not contain AzMan information per se however AzMan uses the security identifiers (SID)s to compare with  the SIDs that are asigned to a role in the policy store. Role assignment is a seperate aspect to the runtime.

    AzMan consumes the SIDs from the protocol to a client context however and the developer is abstracted from loading this information directly when calling initializeclientcontextfromtoken (a freebie if you will).  

    When using non-windows integrated security for authentication then you must do the SID gathering work yourself such as described in ADAM integration with AzMan on the team blog http:/  

    Some additional information on the Kerberos protocol and windows settings may be found here and the PAC specification from



  53. Mariya,

    Per your questions –

    We are concidering using AzMaz for authorizing external users.

    > Check out ADAM integration code posted on the AzMan team blog at

    Question list:

    1.Is there a method in the AzMan API that will give me all tasks/operations a giver user have access to?

    At runtime you have the ability to return roles and scopes.  Access to operations is determined through the accesscheck call. See the API docs referenced below.  Tasks or collections of operations are a store concept for eased administration. There is code on GotDotNet but IMHO, I would stick with the support directly on the API.  

    2.Where can I find documentation on AzMan API?

    3.I read in one article that in order to use AzMan without using Windows accounts to represent users "you need to define custom security identifiers (SIDs) for each user", and that in this case "you won’t be able to use the AzMan snap-in to manage your stores".

    My question is does it mean that I won’t be able to use AzMan to assign these users to roles? What is the alternative?

    As of Windows 2003 SP 1, you may add roles, azman appliction groups or SIDs to the client context.  I would recommend looking into ADFS for claims based applications and utilizing AzMan as the claims transformation engine (loading claims as AzMan roles or application groups depending on desired pivotability for roles).

    Role assignment with custom security may be performed using the AzMan API directly prior to Vista.  As of Vista Beta 2 (currently available) you have API support in the MMC/UI to write a custom object picker.  I believe sample code for an ADAM object picker will be in the Vista SDK –  scheduled this summer.



  54. aashiru says:

    Hi David,

    We have established AzMan/ADAM configuration setup on Windows 2003 and AzMan Admin console (MMC snap-in) on Window XP.

    The console launched successfully when a user with Administrator credentials on ADAM’s machine (Windows 2003) connects to AzMan store using the snap-in whereas any other domain user generates an error.

    My questions is, how can we get domain users without administrator privileges to successful connect to AzMan store using the snap-in from their local Windows XP machine? Is this the role of Delegated User? If so, how is this accomplished?

    Many thanks!


  55. Phillip Marino says:

    Hi David – I was wondering if there are any supported methods to installing the AzMan runtime on Windows XP as part of a client install without installing the W2k3 Admin Pack.



  56. The key to your question is "supported" and AzMan is only supported for policy store administration from XP via the W2k3 Admin Pack (SP 1) and hence only distributed that way.  Support is planned for all Vista versions as it is part of the OS moving forward from Win2k3.

    It is "unsupported" to only copy the  azman.msc,azroles.dll and

    azroleui.dll to %windir%system32 and register the COM DLLs using regsvr32.


  57. My questions is, how can we get domain users without administrator privileges to successful connect to AzMan store using the snap-in from their local Windows XP machine? Is this the role of Delegated User? If so, how is this accomplished?


    When you assign users to either the Administrator or Reader Authorization Manager administrative roles at the application or scope level you must also assign them to the Delegated Users role at the store and application levels. This will allow those principals to read the objects at the store and application levels (such as application groups) that can be used in definitions and membership assignments at the lower application and scope levels. When using ADAM, the user must also be in the administrator or readers role on the container of the policy store.  As a side note, a UPN should be set on all user accounts – offhand I believe this is the default behavior.



  58. Arturas says:


    In Autorization Management Console (azman.msc) I’ve defined a group and trying to assign members (W2003sp1). Assigning AD users from current domain works ok, but once I try to assign a user from other (trusted) domain, then I get the following error: "Cannot save one or more changes. The following problem occured: The system cannot find the file specified."

    Does that means that Azman supports users from one domain only?



  59. Sanjay Patel says:

    Hi David!

     This is an incredible resource.  I am looking for ideas to store string data in AD.

     I have an AzMan enabled outlook plugin to help with regulatory compliance.  We have rules provisioned as "Operations" in AzMan.  Am looking for ideas to store & retrieve rules specific data in AD. The data is in XML format.  I was thinking of using one AzOpObjectContainer attributes, but am looking for better options.

     Any help will be appreciated.



  60. Thanks Sanjay.  Actually, the ApplicationData property was designed to hold misc application data.  See the following link for more details:

    but help me understand what you mean by "ideas to store & retrieve rules specific data in AD" or what you are trying to accomplish.



  61. Arturas,

    Sounds like the following.  Please contact PSS.



  62. Sanjay Patel says:


     Thanks for the quick reply.  I did read about ApplicationData property.  Unfortunately, the xml data I was planning on storing could be more than 4K.

     Each operation is a rule which would have specific set of data associated with it. For example one of the rule would be to warn users if the email message contains an unprotected office document and is addressed to users in specific domains.  The list of those domains would be stored as xml.  Some of the rules have complex logic.  I was looking for options to store this information somewhere in AD.



  63. Sanjay,

    You have a few constructs that will support what you are looking for… you could use BizRules, you could drop the xml and use an LDAP query group and either replicate the valid domain data within an multivar attribute for each person Or set the ldapquerydn to shared object for all users and perform the same query as an ldap query group, Or you could make each domain a scope and check for access in each scope.  Since you said that you have complex logic, it may be that BizRules are your best option.  As for where to store your data, you may look for an existing attribute or extend the schema to support the construct you are looking for

    Stefan Schackow’s book, Chapter 12, "Professional ASP.NET 2.0 Security, Membership, and Role Management" has a brief section on extending AD to support password reset in AD using the role provider.  As with any AD schema change, you may want test with ADAM first or run a VPC environment matching your current and setup an appropriate test matrix. You would also want to take into consideration replication aspects and concurrent administrators for your list e.g. if you have a single attribute with only XML then you will have a single user administrative access model whereas if you load your data in a multi-var attribute then you can support distinct additions and removals.  Just something to keep in mind…



  64. Joe Langley says:

    I just released my import/export code to open source and it is being hosted on Dominick’s site…enjoy!

  65. Very Cool Joe!  Thanks for sharing!


  66. Jon says:


    I have an ASP.NET app connecting to an AD AzMan Store. When i test it from the host it worked fine but from a client machine, I get an error when it tries to initialize the AzManStore:

    "The system cannot open the device or file specified"

    The web site impersonate the user and that user has read access to the Azman store.

    any clues for me?

  67. aashiru says:


    I had similar experience as the one you described. Our policy store was located on ADAM. We resolved the problem by granting the user an Admin access to the AzMan store.

    Perhaps David may shed light on why simply granting a read access doesn’t seem to work.

    Good luck!


  68. Joe Langley says:


    If I understand correctly you can connect from the host box (a win2k3 box)…but from a developer XP box you can not connect to the AzMan Store? If this is the case I know how to solve it…if it is not the case, please elaborate…or send me an email:


  69. Just to let you know… we are in the lab attempting to repro your issue.  It doesn’t occur on Vista. We are trying on multiple operating systems.  Please provide all your system details. OS, AzMan version, and runtime env.  



  70. We (Sudheer) was able to reproduce an impersonation issue on XP. It’s happening while initilializing the AuthzResoucrceManager. Issues is with AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag which is not supported on XP and connecting to ADAM policy store.  (Which explains Admin support only for XP) However the symptom in this case looks to be IAzAuthorizationStore::Initialize fails with "the parameter is incorrect" or error code 87.  I think this one may explain Aby’s observation.

    The original post states the error – "The system cannot open the device or file specified" which could simply mean that the caller can not reach the policy store for any number of reasons.  We are going to need more information to repro this one.



  71. Joe Langley says:

    Did you guys get that email from me on how to repo this error and how to fix it?

  72. Phillip Marino says:

    Hi David – great blog by the way.

    Have you ever come across an implementation of using preferences with AzMan?  The two ways I can think of are using the application-specific storage, or storing them in a database.  If I store them in a database, would the SID be the appropriate foreign key?



  73. Joe Langley says:


    I tried something like that as a proof of concept…it was actually more of using ScopeID to store a database primaryID and then doing data authorization by making calls to the store….it was a killer in performance (and could only be done from sql 2005 bec. of .NET capability). What exactly do you want to do? If you mean user preferences…I suggest using the built in provider for .net 2.0, building your own provider, using one of the old application blocks which had a profile provider, or building your own.

    AzMan is really just an authorization tool…

    Let me know if I can be of help.


  74. Jon says:

    “The original post states the error – “The system cannot open the device or file specified” which could simply mean that the caller can not reach the policy store for any number of reasons. We are going to need more information to repro this one. ” web application host on win2k3.
    .net framework 1.1
    Azman store in active directory

    I get that error only if impersonate = true in web.config and if the web browser isn’t running on the host. The user account used to test is Domain admin.

    Could it be related to the network/server settings? (gpo, com+, trustedForDelegation etc…)

    thank you for your time.

  75. Jon says:

    Ok i found my problem. It was a misconfiguration of Kerberos/delegation. Now everything is working fine except the function getRoles. That function return an empty array if i want to get the roles from a scope.

    Is there any know problems with that function?

  76. Phillip Marino says:

    Hi Joe – sorry I haven’t replied until now…this might not directly apply to AzMan, even. Anyway, what I’m trying to do is have my ‘users’ stored in something other than the database (AD, AzMan) but allow some information to be stored in a database on a per-user basis. I was looking for a good way to tie the two stores together – and the piece of information that I was thinking of using was the SID. The SID is the external ‘unique identifier’ for users, right? And doesn’t AzMan use a SID for both AD and non-AD users?


  77. Chad says:

    I also have a ASP.NET page that needs to connect to AD Azman but getting the error “The system cannot open the device or file specified” . It works when I run the page on the localhost but not from a client.

    What was the solution for this issue? I noticed that Jon indicated that this was an Kerberos/delegation configuration issue? What did you have to do to resolve this?

  78. Are you running the site with impersonation?

  79. Chad says:

    Impersonation = false
    Site (IIS) is using Integrating Windows Authentication. Site is in an application Pool that has a domain account as the identity. The domain account has an SPN added to it and is trusted for Kerberos delegation.

    Site works fine locally but I get the error from client.


  80. Chad says:

    I tried setting Impersonation = true and get the same results.

  81. I would expect that the site run as impersonation=false and that the process owner has access to the policy store.

    There are two scenarios that I have seen as problematic but first:
    Assumption is that you are running IIS 6 and Win2k3 SP 1, utilizing the latest PIA.

    1) What is your domain structure?

    2) Are these machines load balanced?

    3)Are you authenticating using Windows Integrated Security sucessfully in another directory and fail on initializing the client context?
    4) How are you initializing the client context(fromtoken, fromName, from stringsid)?

    5) What policy store are you using AD, ADAM or XML?


  82. Sanjay Patel says:

    We have been using AzMan for some time now and all of a sudden ctx.AccessCheck started throwing exceptions “Value does not fall within expected range”. Not sure why.. It only happens for Operation-ID 913. I dropped the operation and recreated it. It then worked for a little bit but then AccessCheck started throwing the “Value does not fall within expected range” error.

    Please Help,

  83. if u get this error:

    Unable to cast COM object of type ‘Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass’ to interface type ‘Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2’. This operation failed because the QueryInterface call on the COM component for the interface with IID ‘{B11E5584-D577-4273-B6C5-0973E0F8E80D}’ failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).

    Then u must reregister azroles.dll in system32

    Somehow the compoenet wasnt registered properly.

  84. Jonas Rosqvist says:

    Chris wrote:The problem I am having now, after importing the policy store into AzMan, is that the role, task, and operation definitions and the role assignments are showing up in AzMan but when I call the AccessCheck() method on the API for a series of defined operations, the operations are not seen as assigned to the user/role.  The AccessCheck() call is returning 5 when it should be returning 0.  If I create a new application in AzMan and hand-key in all the definitions and role assignments and then call the AccessCheck() on the new application then the correct values are returned.  There is some small detail that I am missing during the import.

    If u are having this problem use OpenApplication2 and get IAzApplication2 instead of the ordinary interface. U might get the interface not registered problem, and after u fix that it will work just fine

  85. Paul L says:


    Was there an answer to Barry’s question about the InvalidCastException being generated when opening the application? I am also using the 1.2 pia and am running into the exact same problem.



  86. Sreenivas Mandava says:

    I want to add a user (or member) to a role. I am using the following code:

    iAzRole.AddMemberName(strMemberName, null);

    It is working fine. But before this, I want to check that the user is valid member in active directory. How to do this?

    thank you,


  87. Ivan says:

    Hi David,

    We are using the AzMan API (W2003 SP1) to import / export an ADAM store and we are getting some problems…

    Apparently it works fine and we replicate the original store in the destination machine. If we look at the console, all the operation, roles and groups are created, but if we ask for a certain operation, the Accesscheck return access denied. If we do by hand, all works correctly (this problem is also reported in this blog on 5/2/2006). it seems the problem is on the link between groups and roles.

    My code…

    azRole = azApp.OpenRole("RoleName", null);

    azRole.AddAppMember("GroupName", null);

    azRole.Sobmit(o, null);

    Any idea?

    Thanks in advance.

  88. Prashant Kurapati says:


    I want to add non-windows user to Azman role. But it is giving following error

    Code –


    IAzRole newRole = azApp.OpenRole("MerchantAdmin", null);

    newRole.AddMember(user.ProviderUserKey.ToString(), null);

    Error –

    "The security ID structure is invalid"

    Code –


           IAzRole newRole = azApp.OpenRole("MerchantAdmin", null);

    newRole.AddMemberName("vinay100", null);

    Error –

    The trust relationship between the primary domain and the trusted domain failed

    I am using windows 2k3 with SP1.



  89. A.Hadi says:

    Hi Dave

    I installed AzMan on windows XP machine.I try to create new xml authorization store. but it display the following error :

    "Cannot create a authorization store.The following problem occured: The request is not supported"

    Can I create xml store on windows xp machine ?

    Thanks in advance


  90. Yes, you can create a store on XP and that is fully supported.  Ensure that you are creating your store in a directory that you have permissions in.  You are doing this through the UI, correct?



  91. Sean says:

    Instead of getting the task names, when I call IAzRole.Tasks all I get is the name of the role.  Thus for the following code, I get the the output Role(Clerk) Task(Clerk)

         AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();

         store.Initialize(0, @"msxml://E:adminpakstoretest.xml", null);

         app = store.OpenApplication("Corporate Library Application", null);

         identity = WindowsIdentity.GetCurrent();

         ctx = app.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);

         object[] roles = (object[])ctx.GetRoles("");

         foreach (string str in roles)


           Console.WriteLine("Role({0})", str);

           IAzRole role = app.OpenRole(str, null);

           foreach (string tsk in (object[])role.Tasks)


             Console.WriteLine("Task({0})", tsk);



  92. Hossein says:

    I found why sometimes AzMan gets the "Reauest is not supported" error because the XML store file should be in an NTFS drive.!!!!

  93. Andy Visser says:

    Hi Dave,

    First, my problem.  I have a requirement to support groups based on LDAP queries that will be resolved at a Lotus Domino server.  I don’t believe that AzMan will support this configuration (please correct me if this is an incorrect assumption).  My solution is to resolve the LDAP groups manually, interpret the results, and dynamically add ApplicationGroups to the ClientContext.

    However, I can’t get context.AddApplicationGroups to succeed.  I always get an InvalidArgumentException.  Here is a code snip.



    public IAzAuthorizationStore2 _store;

    public IAzApplication2        _app;

    public IAzClientContext2      _ctx;

    public void run()


    _store = new AzAuthorizationStoreClass();

    String store = "msldap://localhost:50000/CN=AzManADAMStore,OU=tester2,O=JanusSearch";

    _store.Initialize(0, store, null);

    String app = "notesGroup";

    _app = (IAzApplication2)_store.OpenApplication(app, null);

    //end setup

    //get context

    string user = "avisser";

    string domain = "otg";

    _ctx = (IAzClientContext2)_app.InitializeClientContextFromName(user, domain, null);

    //end get context

    //add groups to context

    IAzApplicationGroup group = _app.OpenApplicationGroup("just me", null);

    object[] oArr = new object[1];

    oArr[0] = group;

    //setting up the array this way also fails

    // IAzApplicationGroup[] oArr = new IAzApplicationGroup[1];

    // oArr[0] = group;

    _ctx.AddApplicationGroups(oArr); //throws InvalidArgumentException


  94. Andy Visser says:

    I figured it out.  You need to pass in an IAzApplicationGroups object, not an array of objects.

    If my assumption that AzMan and Lotus Domino won’t play together is still false, please let me know.



  95. We support ldap query groups on AD prior to Win2k3 SP1 and ADAM after e.g.  (those queries are set on application groups)

    You have three ways to interact with other ldap stores:

    1) Claims based or variation on that theme

    2) BizRules – calling ldap store with custom code

    3) Use MIIS to sync ldap store data between Domino and AD/AM



  96. janantha says:


    I’m currently developing a RBAC enabled application using Visual I have the Windows Server 2003 installed on a seperate machine(which has the azman) which is connected to a client via a HUB.

    If i execute the app i have created on the client it should grab the current user’s logon token and pass it to server for authentication. Currently i have included reference to Azroles DLL in my C# app.

    Do i need a network related library as well to make the token exchange over the network to work or is it taken care of automatically?


  97. You cannot pass the token over the network per se however you can use kerberos delegation.  

    If you are calling an authorization web service then you could pass the dom/userid and initialize your client context from a string.  If your policy store resides on another machine then you can configure your azman store connection accordingly and utilize initializeclientcontextfromtoken and the azman api will hydrate your context based on that information.

    Check out the azman white paper and also



  98. janantha says:

    Hi David,

    Yes my policy store resides on the Windows Server 2003 machine which is connected to the actual client’s machine via a hub (LAN). I have implemented a DC on the Server and have added the user’s for the experiment on to the Active Directory. I’m hoping to run the Visual C#.NET application on the client’s machine and it should pass on the client’s credentials to the WinServer2003. So if i adjust the initializeclientcontextfromtoken i should be able to run the app from client . Am i correct?



  99. dc995 says:

    Using integrated authN to web svc wouldn’t require passing anything… run  init context and access check from a/the server.


  100. janantha says:

    Hi david,

    I’ll give it a go..thanks for the info..



  101. Scott Williams says:

    I’ve seen it referenced that in Vista there will be the option for a SQL Policy Store location.  I have been unable to find anything about this other than that it will be an option in Vista.  Can you provide a link talking about this more?

  102. If you are like me (running Vista 🙂 ) then fire up azman.msc and action->help search for sql in that help file.

    Connect to an SQL-based Authorization Store

    You can use a Microsoft SQL Server database as the repository for your authorization store. In order to connect to a SQL server store, use the following procedure.

    You must be a member of the Authorization Manager Administrator role to complete this procedure. By default, Administrators is the Windows group membership required to do so. Review the details in "Additional considerations" in this topic.

    Connecting to an SQL-based authorization store

    When creating or opening an authorization store, type a URL beginning with the protocol prefix MSSQL://.

    The syntax for the URL is:

    mssql://<connection string>/<database name>/<policy store name>


    <connection string> is any valid SQL Server connection string,

    <database name> is the name of the database where the store will be saved, and

    <policy store name> is the name of the particular store.



    mssql://Driver={SQL Server};Server={server1-test};/TestDelete/BugRepros

    Additional considerations

    If the SQL server instance doesn’t have the named Authorization Manager database, Authorization Manager will create a new database of this name.

  103. janantha says:

    Hi David,

    As previously mentioned I have a client (WinXP Prof) and a server (windows server 2003 SE) connected via  a hub. I have written a simple application using Visual C#.NET to demonstrate RBAC. As i’m running the application on the client’s machine what is the path im required to put for store.Initialize ()? that is the path to the auth store.. please help!

  104. janantha says:

    When I launch the app i built using Visual on my client’s machine but i get this error code, I installed the azroles assembly onto the GAC of the client using the .NET SDK 2.0 ‘s admin tools.. the client currently has .NET version and is a windows XP professional with SP2.. I tried every thing possible within my knowledge but couldn’t solve it. For store location i have used

    msxml://\servershare constructionapp.xml

    Running a file server on Windows Server 2003 over the LAN

    EventType : clr20r3     P1 : constructionapp.exe     P2 :    

    P3 : 45f6bb1b     P4 : constructionapp     P5 :     P6 : 45f6bb1b    

    P7 : 3     P8 : c     P9 :  

  105. Runtime use of AzMan is not supported in XP having to due with underlying OS API differences.  It is supported for Administration however.  To use with a client application you must call the API from the server side.  To extend that to the client you would need to use a web service and return the results (as one of many possible architectures).

    Vista however has full support for all versions.



  106. janantha says:


    Thanks for the reply. But can’t i simply install the win23k admin pack on win XP ? as it consists of the runtime.



  107. As said before, you may use AzMan for "Administration" by installing the Win2k3 "Admin" tools for XP however the runtime side – initializing your client content and performing accesschecks is not supported due to differences with the OS APIs that support runtime AzMan calls. Those OS level API’s that AzMan uses are in sync when you get to Vista.



  108. janantha says:

    Hi david,

    I manage to run my application successfully on Win XP machine after installing the Azman Runtime! After installation it was able to load the XML file over the network using a shared server path!..So if anyone is out there stuck like me ..simply install the run time!

  109. Zia says:

    Hi david,

    I have an application that spawns 10 STA threads (as it uses a STA COM component) and each thread loads its own copy of Azman (PIA-1.2) which then initializes the store kept in AD. The environment is a multi domain environment with 100K+ users in AD. I have noticed that after a system restart when the app is loaded 1 thread gets hung up initializing the store while other 9 threads are able to load the store successfully in a few seconds. On application restart, all the threads seem to initialize the store properly.

    Any idea what the initialize store might be doing that could cause this?

  110. Hello David,

    Could you provide some pointers on connecting to the AzManAdamStore that i built per

    I am attempting to use Softerra’s LDAPBrowser and can not get the User DN and Password correct.  I am trying this because when I built and ran the default web app, i am getting an error when attempting to do the Roles.IsUserInRole("TestRole") request.  I added a button to the default.aspx form to do only that function.  I get an error "Insufficient access rights to perform the operation".

    I have added "Everyone" to the WAA and PreWin 2k Compatible Access groups also.

    My connection string is: msldap://w2k3std-adtest:50000/CN=AzManADAMStore,OU=SecNetPartition,O=SecNet,C=US for the RoleManagerAzManAdamProvider from the test described in the article.

    My MembershipAuth portion for the login, using the AD, is working fine…

    And then, after I get Roles working, I will need to put the std Profile info into the AD too…



  111. chripk says:

    Hi David,

      I created a authorization manager web UI i got a problem adding a new role definition. I use application.createrole but it goes to role assignment. how can i add new role definition. Please help.



  112. altunbay says:

    Hi everybody,

    I have a problem with Azman+Adam role management. I am using membership provider as Active Directory and role manager as azman which uses store as adam. Adam is installed windows server 2003. I’m making some changes in azman.(Assigning users to roles etc.) But application doesn’t get the changes until web application republihed or web server restarted. Also I tried storing roles data in xml file. There is no delay in getting changes in that method.

  113. haina says:

    hi David,

    I build a website using AZMAN on XP successfully. However, when I try to move stuff to liveserver which is 2003. I always get error as below:

    Configuration Error

    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

    Parser Error Message: The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)

    Source Error:

    Line 27:    <providers>

    Line 28:     <add connectionStringName="LDMMSRPolicyStore" applicationName="LDMMailSummaryReport"

    Line 29:      name="RoleManagerAzManProvider" type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=; Culture=neutral, publicKeyToken=b03f5f7f11d50a3a" />

    Line 30:    </providers>

    Line 31:   </roleManager>

    Do you have any ideas.


  114. prab says:

    Hi David,

    I have got one requirement in which i have to add ad group,roles,task and operation to the azman file at run time. I mean I don’t have to go and type azman.msc to create all these, directly I want to add all these from code behind.I want to provide one interface where user can select all these.

    Is that possible?? if possible then please reply its very urgent.

    Thanks in advance


  115. Prabhat,

    The store may be modified and fully administered via the api.


  116. prab says:

    Hi David,

    Thanks a lot for your speedy reply,can u please tell me more about this api. it would be great help if you can provide me some sample code for this i mean adding ad group to azman.xml using c# code.



  117. Brian says:

    I’m trying to use scopes to authorize access to different application domains (different views into application data).  The Domain/Scope is provided by the client when he attempts to access the data.

    When I pass an application domain in as a scope which doesn’t exist, I get a "NO SUCH SCOPE error, as you would expect.  However, once I create the scope, even with no definitions nor role assignments, AccessCheck ALWAYS passes!  

    What am I doing wrong here?  I’d like to have each scope have use the same role, defined in the application, but with different assignments.  Even with no assignments for that role anywhere, even at the application level, the AccessCheck still passes.

    Any help is most appreciated!  If there is another suggestion on how to model application domains (other than AzMan Scopes), I’d love to hear them.


  118. Brian Atkins says:

    I’ve had no problems accessing the AzRole.AzAuthorizationStore object from service (SYSTEM) and user account.  I created a domain account (no admin rights),  and now I get CreateObject 80070005 on AzRole.AzAuthorizationStore when I run as that user.  What as a domain admin, and SYSTEM have that this user doesn’t?


  119. Martin says:


    How can I copy the AzMan store one AD domain to another AD domain? The another AD domain users same as original domain, but the user’s sid different.


  120. Rajesh says:

    Hi David,

    I know that AZMan is not available on Windows XP. Does it mean I can’t even program on XP. How do people develop AZMan apps? Do they install Visual Studio on Windows 2003 or they first build it on XP and then test on 2003.

    Thank U

  121. You need to download the Win2k3 SP1 Admin Pack for XP to get the bits installed on XP.

    You may code against the store operations or said another way administrative operations.  In many cases development will work just fine with XP but there are certain scenarios that do not work due to underlying OS APIs.  That is why the runtime (accesscheck and related) isnt supported on XP.

    Not supported doesnt mean that you couldnt get something working. It just means that there is are a few discrete scenarios that will not work properly.

    Vista and Windows 2008 are fully supported (and are also more feature rich – introducing new/convenient APIs and adding a SQL AuthZ store)


  122. Q:

    How can I copy the AzMan store one AD domain to another AD domain? The another AD domain users same as original domain, but the user’s sid different.

    A: Check out the SDK sample – azman  migration tool.

  123. Matt Waples says:

    Declarative security using AzMan:

    Am I missing something?  There seems to be no support declarative security with AzMan API.  The AzMan store provides that missing extra layer of abstraction that maps roles to operations – so technically I shouldn’t need to worry about roles at all from my application code…

    Is there a way to mark methods (that map to your operations) with an attribute such as  [AuthorizedAccessOnly()] that uses the name of the method it’s decorating (or perhaps you’d need to supply the corresponding operation id) to perform an access check with AzMan?

    I’ve been scouring the web all afternoon for info on this…  There’s concepts like code interception or injection but these seem a touch… Extreme?  Is there anything in the application blocks that does this?  Or has anyone rolled their own?


  124. Richard Ruben says:

    I am trying to use ADAM principals with dynamic query groups, but I do not seem to get it working. As soon as I specify the LDAPqueryDN attribute and call the AccesCheck method I get this exception:

    HRESULT 0x800704EA “The security identifier provided does not have a domain component.”

    The SIDs and the LDAPqueryDN I am passing are valid. Tried installing it various times with different operating systems but all with the same result.

    Currently I am using Windows 2003 SP2 and ADAM SP1.

    What am I doing wrong?

    Richard Ruben.

  125. We are working on a PSS case of the same issue currently. I will let you know asap.  The subdomains are not checked or validated against anything.  


  126. Andries den Haan says:

    We are reviewing solutions for implementing rolebased access to SharePoint 2007 sites using Azman and Windows authentication. Based upon the ASP.NET descriptions this should work. The following was added in the web.config on the appropriate places.


    <add connectionString="msxml://C:/SharePoint2007/IIS/Azman/bin/sampleazmanstore.xml" name="AzMan" />















     <add name="RoleManagerAzManProvider"

      type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a"






    However, after configuring this, I am not able to retrieve the roles from Azman and the SharePoint logging shows the following:

    Error in searching user ‘azmanrole1’ : System.Configuration.ConfigurationErrorsException: Provider must implement the class ‘System.Web.Security.MembershipProvider’. (C:WINDOWSMicrosoft.NETFrameworkv2.0.50727Configweb.config line 36)

    Any ideas?

    Best regards,


  127. Timo says:


    I posted the following question ( about windows groups and Azman to MSDN forums.

    Do you have some information why do I need to boot my development machine each time I make changes to the windows group if I want those changes to take effect in Azman. What kind of cache is it having on my develoment machine?

    Second question is that is it possible to get windows groups based authorization to work with sids? We have a layered application and we’re not able to pass windows identies between layers. The scenario here is that our web application passes user’s sid as string to the service layer and we should be able to authorize this user against Azman where our roles are assigned to windows groups.


  128. Timo says:


    I found this posting ( that pretty much answers my first question in my previous posting.

    To the second question I found answer from the excellent article "Developing Applications Using Windows Authorization Manager"

    ( where it says:

    "The AzInitializeClientContextFromStringSID method creates an Authorization Manager context from a given SID in textual form. This behaves in a similar manner as the InitializeClientContextFromName method. When the AZ_CLIENT_CONTEXT_SKIP_GROUP flag is used, the AzInitializeClientContextFromStringSID method does not attempt to determine the group memberships of the given SID. The resulting client context only contains the specified SID. If the IAzAccessCheck method is called from this client context instance, role membership is only granted if the specified SID is used as a member of a role or group assigned to a role."


  129. You should be able to use the empty client context as of Win2k SP1 and IAzClientContext2::AddStringSids and


    Adds an array of string representations of security identifiers (SIDs) to the client context.



  130. ArchanaGhag says:

    I am having Administartive Previlage on my machine.

    I want to generate AzMan Authorization store based on XML file.

    I used Azman.msc and running in it developer mode to create Authorization Store based on Xml file


    I am giving proper inputs but it is giving error

    "Cannot create authorization store.The request is not supported. "

    Please help me.

  131. One possibility is that you are not creating the store on an NTFS volume – that is required.

    There is a sample script in one of these posts that I put up that you can attempt to run that programatically creates a store (using vbs) that you can use as a self check also.

    What OS are you running?  If running Vista or testing Win2k8 check out the following regarding UAC



  132. ArchanaGhag says:

    Hi David

    I tried to save it in C drive and it worked. It was NTFS issues only as I was trying in D drive earlier.

    Thanks for suggestion.

    I have one more Query

    I want show use list of all XML file based Authorization Stores on my machine. Can I get it? I tried exploring "Microsoft.Interop.Security.AzRoles" but no clue to get list of Authorization Stores.

    I can get List of Roles, Application Groups and all but I Need to show list of Authorizations stores before this. Is it possible?

    Will appreciate your help.


  133. There is no way to determine where your stores are programtically e.g. list all stores I am interested in.  You could have multiple stores across servers, adam, ad, xml, or sql (vista/win2k8 only) and there would be no way of knowing ahead of time which one would contain either a store or your stores in particular.  You will need to store that list somewhere and populate it accordingly.



  134. Smitha M says:

    Hi David

    Your blog has been very helpful in understanding the working of azman. However, I have a query which has not been addressed in any documentation.

    Is it possible to intercept the accesscheck call to azman from a .NET application? I need to implement custom authorization in AzMan. If I implement a custom HTTP module, I can extract only the URI of the resource being requested, which can not be mapped to operations defined in AzMan. So, how can I implement custom authorization?

    Thanks in advance


  135. Tom Jenkins says:

    I am trying to manually add Azman PIA v1.2 to the GAC (instead of installing Win 2003 administrative tools pack).

    I have GACutil for .NET 2.0 which I run as follows:

    gacutil.exe -i

    It says it successfully added the assembly, however, this doesnt work for me as when I run our application it throws an error.

    Is there something I am missing as far as configuration?  When I install windows 2003 admin pack, it works fine.

    Appreciate any suggestions.

  136. The assembly is a PIA or Primary Interop Assembly that supports the COM object installed with Win2k3 SP1 Admin Pack.

    The supported way is listed here



  137. Tom Jenkins says:

    Thanks David. That offers some good information and helped me resolve my issue.

    Thank you for the hint 😉

  138. NS says:

    Hi David,

    I am trying to port an AZMAN store from one server to another and the servers cannot talk to each other.  The only way I can think of doing this is to export one store out to xml format and then import it into the other.

    Do you know of a better way and do you know where I can find the published xml schema so I know how to create it?  I tried creating one in xml format from scratch and looking at it, but the hierarchy is not clear to me and also it is using id’s that i do not see exposed in the object.



  139. That is exactly what I would do using the Win SDK sample code for store migration.  There should be a switch to dump w/o assignments.

    Dump to XML and load to your target.  You should avoid working with the XML schema directly as it is subject to change.  Using API is the best approach.  


  140. Arnulf Perez says:

    I am trying to follow the HelloAzMan example from a vide on channel 9.

    I get an exception on business rules disabled

    because i am using a Vista box

    I tried the script on the documentation to enable scripts

    The script reports succes on changing the status

    but i still get the exception.

    What is the procedure to enable rules?

    is it necesaary to run as adminstrator the script or the cliente code?

  141. This is from the Windows SDK…

    C:Program FilesMicrosoft SDKsWindowsv6.1SamplesSecurityAuthorizationAzManWebExpense

    What is the exception?

    ‘  Enabling or disabling BizRules for an application

    ‘  This script uses Authorization Manager Administrative interfaces to enable or disable

    ‘  BizRules for a specified AzMan application in a specified AzMan policy store

    On Error Resume Next

    Set objArgs = WScript.Arguments

    If objArgs.count <> 3 then

     wscript.echo "Usage: SetBizRule ""AzManStoreURL"" ""AzApplicaitonName"" True/False"

     wscript.echo "Example: SetBizRule ""msxml://d:inetpubwwwrootAzStore.xml"" ""MyApp"" True"

     wscript.echo "Run with ‘cscript’ command in cmd.exe to avoid msg boxes"



     ‘ VBScript source code

     Dim AzStoreObj

     Dim AzManStoreURL : AzManStoreURL = objArgs(0)

     Dim AzManAppName : AzManAppName = objArgs(1)

     Dim BizRulesEnabled : BizRulesEnabled = objArgs(2)

     ‘ create azman object

     Set AzStoreObj = CreateObject("AzRoles.AzAuthorizationStore")

     If Err.Number > 0 Then

       WScript.Echo "Can not create AzRoles.AzAuthorizationStore. Check AzMan installation"


     End If

     ‘ initialize store for Administration

     ‘ assumes store exists – if store is being created (e.g. an installing applicaion)

     ‘ use the value 3 instead of 2 in the call to IAzAuthorizationStore::initialize


     AzStoreObj.Initialize 2, AzManStoreURL

     If Err.Number <> 0 Then

       WScript.Echo "AzRoles.AzAuthorizationStore failed to initialize. Check store URL"


     End If

     ‘ open applicaion

     set AzApp = AzStoreObj.OpenApplication(AzManAppName)

     If Err.Number <> 0 Then

       WScript.Echo "AzRoles.AzAuthorizationStore failed to open application: " + AzManAppName + ". Check application Name."


     End If

     ‘ set BizRulesEnabled property

     WSCript.Echo "App BizRule Before:" & AzApp.BizRulesEnabled

     AzApp.BizRulesEnabled = BizRulesEnabled

     WSCript.Echo "App BizRule After:" & AzApp.BizRulesEnabled

     If Err.Number = 0 Then

       WScript.Echo "BizRulesEnabled is updated successfully ."


       WScript.Echo "BizRulesEnabled is NOT updated successfully."

     End If

    End if

  142. Peter Beams says:

    Hi David,

    I’m having the same problem as Richard Ruben posted about in November, when I’m doing an access check on a scope that has a dynamic group in it I’m gettin the following error:

    The security identifier provided does not have a domain component. (Exception from HRESULT: 0x800704EA)

    I’ve followed the example at posted by  Sudheer Mamidipaka ( for connecting and using ADAM principles with dynamic groups.

    I would expect that the SIDs I’m passing in wouldn’t have a DC part to them because they’re coming from ADAM rather than a domain AD.  Do you have a pointers on where I should look for the cause of the problem?



  143. Alireza says:

    hello David

    I’m tired to working on AzMan BizRule in .Net2.0, becauese I encountered an unexpected error;

    Exception from HRESULT: 0x800A0005 (CTL_E_ILLEGALFUNCTIONCALL)


    public class DotNetBizRuleClass


    private string _amount;

    public DotNetBizRuleClass(string amount)




    public void SetAmount(string amount)


    _amount = amount;


    public string GetParameter(string paramName)


    return _amount;




    DotNetBizRuleClass m_DotNetBizRuleClass = new DotNetBizRuleClass("200");


               object[] oScopes = new Object[1];

               oScopes[0] = null;

               object[] oOperations = new Object[1];

               oOperations[0] = 1;

               object[] oInterfaceName     = new Object[1];

               object[] oInterfaceFlags    = new Object[1];

               object[] oInterfaces        = new Object[1];

               oInterfaceName[0]   = "DotNetBizRuleClass";

               oInterfaceFlags[0]  = 0;

               oInterfaces[0] = m_DotNetBizRuleClass;

               object[] results =

                                           (object[])clientContext.AccessCheck (









    please help me.

  144. I do not have enough info to help you e.g. OS, store type, application type, assembly version, etc.  

    Please use the contact form on this site and I will respond to you.  If you are running Vista or Win2k8 then you will need to enable bizrules.  Check out the script at for that purpose or in the Win SDK.



  145. Su says:

    Hi David,

    We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample web application on Machine B, Domain B.  The web application has a simple Login page that uses login control, and a default page that authenticated users can see.

    In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine.

    We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles.



  146. Su says:

    Hi David,

    We are trying to setup a test application for AzMan using Active Directory.  We have our Active Directory and policy store on Domain A and Machine A. We have a sample web application on Machine B, Domain B.  The web application has a simple Login page that uses login control, and a default page that authenticated users can see.

    In the web.config we are trying to access the policy store on Domain A from Domain B.  When we try to login we keep getting “The parameter is incorrect” (Exception from HRESULT: 0x80070057 (E_INVALIDARG)) error.  The point of error is Roles.IsUserInRole(“RoleNameInActiveDirectory”).  We cannot seem to find any help on this.  Do you have any suggestions as to what we could be doing wrong?  The web application works fine when we are on the same domain but using a different machine.

    We are using WS 2003 SP2, Forms Authentication, and separate Service Account with Admin privileges (same user name and password on both domains), separate Application pool with service account user, No impersonation, Service account is added to the Active directory (Administrators, Readers, Delegated user) roles.



  147. adcomjbrown says:

    Great information on this page!  Very good.

    my goal: I want to create a console application that can run in any domain (Domain A) and use AzMan auth data in a network reachable Active Directory in a different domain (Domain B).

    The API for AzMan allows me to point to any AzMan repository via the MSLDAP:// URL, but does not have formal params for Username and Password.  

    How would you suggest I go about this?


  148. AzMan relies on the security provided by the OS.  Offhand, I think it uses sspi – signed sealed bind to AD or ADAM.  When using XML we require NTFS.  There must be a two way trust between domains to be able to query each.  This includes the concept of forests as well.

    Some have used constrained delegation and selective authentication to utilize the existing infrastructure but with greater granularity.  The sum of it is that with AzMan we utilize the existing infrastructure as much as possible to conform with the existing security model.  An evolution of that is the Federation story possible with Active Directory Federation Services (ADFS) and utilizing AzMan for custom claims generation or transformation (depending on which direction and functional requirements)

    This may also explain what is happening in the previous post to yours but I’d want to get some more details and do a little more research before jumping to conclusions. 🙂



  149. helloyou says:

    Hi David,

    Thank you so much for providing this! I’m currently working on bulk import xml file into sql store, do you also have any class or tool that support this operation as well?

    Thanks & Regards,


  150. Zheng,

    There should be sample code to do that in the Windows 2008 SDK.  

    Check out the SDK sample code for the azman  migration tool. I believe the latest location for download is here:

  151. Anthony Davis says:

    Hi David/Everyone,

    I was wondering if you could provide any new information on the issue regarding initializing the AzMan store from an XP machine as described in your "Wednesday, July 19, 2006 12:00 PM" post? I’m currently encountering "The parameter is incorrect" on XP SP2 when attempting to initialize the [Active Directory] store under an impersonated "service" account.

    Is this in fact due to the AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag being unsupported in XP (at least in connecting to an AD/ADAM store)? Is there a workaround?

    I’m looking to use AzMan in our existing client/server scenario until we scale out to a 3-tier architecture. Our workstations are XP SP2 and servers are Windows Server 2003 SP1.



    If you reply via email, please remember to delete the "-removetoreply-" string from the address below:

  152. Mark says:


    I have a couple of questions regarding SQL Server and AzMan.

    1. AzMan on Vista supports MS SQL as a policy store, will/is it possible to access the store from an application running on XP ?.

    2. Is there an API for using AzMan in MS SQL TSQL stored proc, or would we have to wrap use C#/VB stored procedures (assuming we can still use the AzMan COM object from SQL Server) ?.

    Thanks and Regards


  153. Mark says:


    Sorry to follow on from my MS SQL, how can I create a store on MS SQL.

    I am running Vista with SQL Express but don’t know how to go about setting the url and any steps required to prepare SQL for AzMan ?..

    Is there a paper on this ?

    Many thanks


  154. Mark,

    Q: Will AzMan with SQL Store be supported on XP?

    A: Nope

    Q: Is the API for SQL the same as other stores only?

    A: There is only one API to use for AzMan regardless of AuthZ policy store chosen.

    Q: Sample of SQL connection?

    Format: mssql://Driver={SQL Server};server=yourservername(machine name where SQL is installed);/databasepartitionname/storename

    Example: mssql://Driver={SQL Server};server=lab-test-machine1;/azuidb/store1

    This will create SQL store with store name “store1” in “azuidb” database partition.

    You may find this also in the help file from Vista – run azman.msc and Action menu – then Help (lookup SQL)



  155. Mark says:


    Many thanks for your response, I managed to stumble upon this in the help link when I tried to connect to a SQL Store, but since I had to rush out to pick up the son and heir from nursery I didn’t manage to post my findings.

    I am disappointed by the lack of SQL supprt for XP since this would make or deployment of an offline capable application much simpler.

    We would only need to push the information in SQL to SQLExpress on the client laptop and change their DSN for Offline mode.

    It looks like we will have to use ADAM and this means further information stores to manage and synchronise.

    Thanks and Regards


  156. Don Schenck says:

    You say AzMan doesn’t work properly on an XP client. I wrote a test application and it worked fine.

    What am I doing … uh … wrong?

  157. Not exactly, what we say is that we only support AzMan for administration on XP.  The reason is that there are some scenarios at runtime that do not work properly or maybe better said,  incompatible,  with XP. See previous posts for an example.

    Vista and Win2k8 code base converged so it represents a better choice IMHO to use Vista for client side moving forward.



  158. Don Schenck says:

    Not to belabor a point, but is there a list of specific instances where XP AS A CLIENT does not work?

    Are there calls to avoid?? Objects to be left empty?


  159. There is no such list. Anything you can do with azman.msc can be replicated as far as direct api calls with the exception of impersonation scenarios related to AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION flag which is not supported on XP.

    The heart of the runtime is the clientcontext accesscheck.



  160. GDF says:


    I’m hopping you can give me some help on this problem I’m having with azman/adam:

    – The azman stops responding. When accessing the azman console, and trying to reconnect with the Active Directory it gives me an error "More data is available".

    This is the second time the problem occurs.

    The 1st solution was to reeinstall the azman and works fine.

    The problem is now back.

    Can you give me an help on this.

    Thank you very much


  161. jmpena says:

    Mr. David

    I need HELP!

    i have an aplication in ASP 3.0 (not .NET) the issue is that i must use AzMan to manage the security of the website, (my dev machine is a XP and the production server is a 2000 Server) in my Dev enviroment (http://localhost/myapp) when i ran the page it goes Ok, but when i try to access from another pc (http://pcname/myapp) it throws and error like this: "The system cannot open the device or file specified".

    to manage azman from ASP 3, i built a DLL in C#.NET for Interop and i call a Server.CreateObject in my website.

    As You know ASP 3 doesnt have System.Security.Principal.WindowsIdentity, that way in my DLL i instanciate that class with a GetCurrent() and use it to call the AzMan CheckAccess and just have to pass by params the OperationID.

    The problem is that it throw me the error i gave you.

    I thought the problem was by permission accesing the DLL then i put the DLL that i built in inside a DLL built in VB6 that goes in COM PLUS and that way both have the same Identity.

    in this case the GetCurrent Method of the WindowsIdentity always return the User that i have in Com Plus.

    PLEASE send me an email if you can to AND


    i can Lose my job :'(

  162. Jose Pena says:

    hello again.

    well firts time i wrote you, about a problem using azman with asp 3.0, you sent me a link with a script and it worked great, but now im getting this error with no reason and with no changes in the program.

    "Value does not fall within expected range"

    when i run this line:

    AZROLESLib.AzAuthorizationStore AzManStore = new AZROLESLib.AzAuthorizationStore();

    AzManStore.Initialize(0, this.storeLocation, null);

    can you help me please ?

    Thanks so much.

    *sorry about my english.

  163. Azeem says:

    Is it possible to use relative path or dynamically created file for xml store in Initialize method? Can we use store as embedded resource? We have a situation where we need to load xml store dynamically, not from physical path. Please help.


  164. Azeem,

    Sorry to say, it doesnt work that way. There is NO InitializeStoreFromStream method. With XML, it requires a file on an NTFS volume.



  165. Azeem says:

    Thanks David for your reply. Another question, can we load provider at runtime?


  166. Bogdan says:

    Hi David,

    Is it possible to access a MS SQL Authorization Store via AuthorizationStoreRoleProvider (shipped with .NET 3.5) from a Windows 2003 SP2 machine?

    I have already installed Microsoft.Interop.Security.AzRoles.dll in GAC, but I still get the following error when trying from a Windows 2003 SP2 machine:

    COMException (0x800704b4): The specified network provider name is invalid. (Exception from HRESULT: 0x800704B4)]

    I guess this has something to do with the mssql provider?

    Thank you!

  167. Mark says:

    How do we pass AD groups in IAzClientContext? It seems only user token, sid, and name are the only parameter option that can be use with the accesscheck to query operations.

    My purpose is to use AD groups to directly associate with Role Assignment without using Azman group.

  168. Mark,

    I dont really understand what you are trying to accomplish but if you want to check AD group membership in string form just use the Windows Principal IsInRole().

    With AzMan you can assign AD group membership or user membership to roles and the client context will be auto populated (the token has the user sid and groups sids) which we use to populate the client context (no need to pass groups)  The name or sid approach – we generate a token for you and perform the same.

     We also have an empty client context and you can add sids, groups or roles to that – see the ADFS samples for the empty client context.

    We intro getting the sids from the client context as of Vista/Win2k8



  169. Bogdan,

    The role provider for azman doesnt have the capability to use a SQL store on Win2k3.  It isnt until Vista/Win2k8 that the feature for SQL AuthZ store is introduced.

    The version of .net framework doesnt affect this capability.  AzMan is a COM API which is accessed via COM Interop.  The source code for the ASP.NET role provider is available in the Win2k8 SDK.  


  170. Azeem,

    AzMan is a COM DLL.  You control the whole life cycle.  An example of an enterprise application utilizing AzMan is establish NLB infront of a two or more ADAM/AD LDS instance, setup replication between those instance, and call from your applications.  They will lazy load the policy store until the working set size reaches the size of the store.  The largest real policy store size that I have personally seen is about 15MB.



  171. Derek says:

    Hi David –

    Was wondering if you knew of a way to deploy the AZMan runtimes to many clients, in an automated fashion.  I am looking at deploying the runtimes to 22,000 XP workstations in support of an in-house developed application.  

    I was hoping there were some command line switches on the installer that would allow me to silently install the runtimes.

    Any insite you can provide would be greatly appreciated.


  172. Bruce P. says:


    Yes, it is possible to automate AzMan deployment to 22,000 machines but I believe this is an unsupported usage and so you cannot expect assistance from Microsoft in this regard.

    If you can’t figure out how to do it, your next option would be to just roll out the Win2003 admin pack via group policy msi deployment.

  173. Derek says:

    Hi David –

    Thanks for the response.  Thankfully, I think we’ve convinced our dev folks to move away from this approach.  

    Thanks again for your response, and for providing this great spot on the ‘net.

  174. Magnus says:

    I’ve been trying to find out if it’s possible to use AzMan for policy management in a heterogeneous network.  AzMan definately fits what we’d like to have, but several of our services run on non-MS platforms and there is zero likelihood of getting them ported to Windows (for very good reasons).  What are the options for a mixed shop (where AD already is used for user and group management)?  Would the combination AzMan+AD storage be accessible through LDAP?

  175. Mike says:


    I’m attempting to use Authorization Manager to control authorization for a number of web sites. I think I’ve got a good handle on the AccessCheck() method as that all seems to be working, but I’m now interested in the authenticaion of users to the site as a whole.

    I understand (and can get it to work) that I can change the roleManager in the applications web.config to point at "RoleManagerAzManADAMProvider" and as a result I can use AzMan roles in the <authorization> section.

    However, I was hoping to create an application group into which I could add all users who have the basic permission to the application and use this group instead of roles in the <authorization>. So far i’ve drawn a blank on this aim.

    Do you know if it is possible to achieve this aim and if so how I would go about it?


  176. Vello says:

    Starting out from an article found at LeastPrivilege we have created a custom principal that merges roles from AD and Azman

    Using IAzClientContext.GetRoles we can read roles for a user. But in Azman it’s possible to create roles "Employee", "Manager" and then include Employee in Manager. If an AD account is assigned a Manager role a call to GetRoles will only return "Manager" not "Manager" and "Employee" as I had hoped! Is there a way to read "subroles" for a role?

  177. If you would like to return both as role assignments then you could create a global scoped application group and assign to that.  Then you may return each role as assigned.  The role definition of a manager including employee would provide potentially a more efficient representation.  You could design your implementation accordingly that instead of just getting roles – you could follow that by returning role definitions.  You would probably want to cache those since the definitions would likely not change often.


  178. Vello says:

    It’s a bit confusing …

    If I use

    AzAuthorizationStoreClass store=new AzAuthorizationStoreClass();


    IAzApplication app=store.OpenApplication(…);

    And the read Tasks (Note a task i a Role Definition in the mmc console) with

    foreach(IAzTask myTask in app.Tasks)

    It is possible to read sub tasks to myTask!

    BUT  the roles read for my user are not Role objects but String. I read them like this;

    Collection<string> roles = new Collection<string>();

    IAzClientContext ctx = app.InitializeClientContextFromToken((ulong)clientIdentity.Token.ToInt64(), null);

    Object[] rls =(Object[]) ctx.GetRoles("");

      for (int index = 0; index <= rls.GetUpperBound(0); index++)




    To cast to AzRole will render "Unable to cast object of type ‘System.String’ to type ‘AZROLESLib.IAzRole"

    And since the name property, "Role Assignment" read with getRoles above is a string without correlation to the underlying "Role Definition" in Azman I am lost…

  179. Jerald says:

    I’m having a problem…I get an exception on the line that calls InitializeClientContextFromToken.  Only one user gets the error…and there are 12 users in that group.  Now, if that user is added to another active directory group that is linked to another group within Azman, for another application, then the user works for both applications.  And if the user is then taken out of the original group and left in the second group the correct page is displayed saying "you are not authorized to view this application."  

    We have not been able to recreate this error and it is only happening with one user to one application. We have tried taking him out of the group and adding him back in and it still didn’t work.  Could there be something wrong with the users Token?  Or something wrong with AzMan or the Application that calls it?

    Thanks in Advance,


  180. Jerald says:

    Oh I’m sorry the Exception message is "The program issued a command but the command length is incorrect.(Exception from HRESULT: 0x80070018)"

  181. Richard says:

    Hello David

    Is there a way of looking at operations and tasks for a role, but without specifying a user?



  182. nwatt says:

    Hi David

    I’ve managed to create my intranet application using AzMan and tested on W2k3 and everything works great. However, I have just bought the live server which will host the intranet app and it is W2k8. When I run the app on this server it contiuously crashes out when doing AccessCheck with the result

    Value does not fall within the expected range.

    Do you know why this might be happening. Any help would be greatly appreciated as I have spent 6 months working on this project and am pulling out what is left of my hair!



  183. Craig Fisher says:

    I’m trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied."

    If I tell it to create a new store I get the same message although the DB does actually get created in SQL.

    What could be wrong?

  184. What version of SQL are you running?  What protocols do you have enabled e.g. TCP/IP and is it configured to accept remote connections?  What account are you using to create the database and what role(s) is it in?  What does your connection string look like?  What is your DB coalation?



  185. Dan says:

    Hi Jerald,

    Not sure if you’re still looking, but I have a resolution for the issue you have and thought I should post it here so others could benefit as well 🙂

    We had the same problem as you, some users fine, some users "program issued …" and then adding to groups made the error go away.

    It is a problem with the win64 subsystem and you will need to open up a PSS incident with MS to get hold of the hotfix identified in KB948931.




  186. Craig Fisher says:

    I’m using SQL Server 2005.

    Protocols enabled are: Shared Memory, Named Pipes and TCP/IP. Remote connections are enabled.

    The account I’m running the AZMan snapin as is a domain account and an administrator on the local machine. This account is a member of the sysadmin SQL role.

    Server collation is Latin1_General_CS_AS

    My connection string is:

    "mssql://Driver={SQL Server};Server={KHSVELOCITY09};/AZManDB/KHSWorkflow"

    I noticed that although it creates the DB OK. It does not add the application to the AzMan_AzApplication table.

  187. Craig Fisher says:

    I should’ve said:

    although it creates the DB OK, it does not add the policy store to the AzMan_AzAuthorizationStore table.

  188. Craig Fisher says:

    Another data point:

    I previously had SQL Express edition installed. I can still open a store in a DB that I had created when SQL Express was installed.

  189. Craig Fisher says:

    But if I try to make any edits to that old store that I can open, I again am faced with "Access Denied".

    (wish comment editing was available here!)

  190. Contact PSS for the SQL issue –


    258310  Code Defect – WS 08



  191. Paul Noeldner says:

    We’re testing ADFS with Forms Auth on the front end, triggering Basic Auth via ADFS Agent on the back end, to implement system security (runs as the logged on user).  We understand it is also possible to use Azman in this context.  However, ADFS examples seem to be overloaded with options we don’t need.  We have a Federation Service in place, and the app will run in the same domain.  Can you point us to a simple configuration script for setting up a W2003 R2 IIS6 web server with ADFS Agent to enable use of Azman on the back end?  

  192. Did you look at the AzMan whitepaper located

    There is a section on ADFS that I think is pretty simple.  The concept is to crack open the claims in ADFS and match them to either roles or azman application groups, seed the application with your permissions and perform accesschecks accordingly.

    Do I understand you correctly?



  193. AzMan only performs authorization.  You can use it in claims generation modules in ADFS or as a claims transformation module within your ADFS enabled web app but it doesnt have anything directly to do with ADFS configuration.



  194. SSG says:

    A while back I adopted AzMan for a management utility, wrapping it in a helper class – it’s been working well since then.  The helper class is implemented as a Singleton.  The application itself is quite slow to start so, as part of an update, I decided to implement a BackgroundWorker during the initial form Load.  The singleton AzMan helper is used both before Load and during it.  At the point that it’s called in the BackgroundWorker thread, I get this:

    System.InvalidCastException was unhandled by user code

    Message="Unable to cast COM object of type ‘System.__ComObject’ to interface type ‘Microsoft.Interop.Security.AzRoles.IAzClientContext’.

    This operation failed because the QueryInterface call on the COM component for the interface with IID ‘{EFF1F00B-488A-466D-AFD9-A401C5F9EEF5}’

    failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."



      at Microsoft.Interop.Security.AzRoles.IAzClientContext.AccessCheck(String bstrObjectName, Object varScopeNames, Object varOperations, Object varParameterNames, Object varParameterValues, Object varInterfaceNames, Object varInterfaceFlags, Object varInterfaces)

      at AAA.WiSPA.AzManHelper.CanAccess(String objectName, Int32 operation) in C:WorkVisual Studio 2008ProjectsWiSPAWiSPA-ConsoleWiSPA-ConsoleAzManHelper.cs:line 172

      at AAA.WiSPA.Console.Console.CreateTabs() in C:WorkVisual Studio 2008ProjectsWiSPAWiSPA-ConsoleWiSPA-ConsoleConsole.cs:line 70

      at AAA.WiSPA.Console.uxConsoleForm.SetupTabs(BackgroundWorker worker, DoWorkEventArgs e) in C:WorkVisual Studio 2008ProjectsWiSPAWiSPA-ConsoleWiSPA-ConsoleuxConsoleForm.cs:line 79

      at AAA.WiSPA.Console.uxConsoleForm.backgroundWorker_DoWork(Object sender, DoWorkEventArgs e) in C:WorkVisual Studio 2008ProjectsWiSPAWiSPA-ConsoleWiSPA-ConsoleuxConsoleForm.cs:line 74

      at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)

      at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)


    That was the only change I made.  I’ve removed the BackgroundWorker code and it works okay.  Is this some problem with COM and the threads?  My knowledge of COM is limited – I came to Windows programming straight into .NET.

  195. SSG says:

    I forgot to put in my previous post that I can see in the Output window that the AzManHelper is working before the exception: it’s called from the Program class before the Application.Run statement for the form with the BackgroundWorker.

  196. Jim Bettone says:

    Do the dynamic groups (ldap query groups) support querying the extensionAttributeX properties like this:




  197. SSG says:

    I think I’ve solved the HRESULT: 0x80004002 (E_NOINTERFACE) problem.  More searches revealed thd KB article which I didn’t think was quite the right symptom as my app main was running as STAThread and I’d recreated the problem rolling my own background thread using the Thread class with it set to STA.  But it reminded me that I was running the 2003 SP1 AdminPak on my XP machine. I uninstalled it and installed the SP2 AdminPak from and it’s now passing the point where the exception occurred.  I’ve still got problems but they don’t seem to be AzMan related.

  198. Jason Mueller says:

    David, reading through the comments and responses has been hugely beneficial in better grasping some of the advanced use of AzMan.  I have a question, however, on the custom object picker sample identified multiple times that was targeted at the Vista SDK (and since then I’ve found a reference to it being in the Windows 2008 SDK).  I am unable to find any such sample in either SDK or anywhere else on the web (except for a Channel9 PluralSight video).  Is this available anywhere?

    Thank you,


  199. Mark says:

    Insufficient access rights to perform the operation. (Exception from HRESULT: 0x80072098)

    Hi David,

    I got the error above when trying to login/access AzMan store using network service account. I already added the account as reader under AzMan store security properties. I am using Windows 2003 R2 on both Active Directory and Application server. In the IIS I am using Network Service account in the application pool identity. I did a lot of experiments but I did have any luck so far. Please help.

  200. The network service account translates to COMPUTERNAME$  – network service uses the computer/machine account and requires permission accordingly.



  201. Mark says:

    Hi David,

    Thank you for you prompt response. Can you add a little details on what you mean about

    "The network service account translates to COMPUTERNAME$  – network service uses the computer/machine account and requires permission accordingly."

    Does this mean AzMan only uses user accounts and not machine?

  202. jas says:

    Is there a solution to the Monday, November 05, 2007 post regarding

    HRESULT 0x800704EA “The security identifier provided does not have a domain component.”


  203. rileytaylor says:

    I am calling IAzAuthorizationStore2.Initialize from an ASPNET web app on win2k3.  My profile is stored in an XML file local to the web app.  When the AppPool identity is an administrator, all is fine.  But if not, I get access denied COM error.  Giving the user full rights to all files didn’t help, so it’s not a file access thing.  

    What rights does the app pool user need to access AzMan?



  204. Joe Krueger says:

    I am also getting the "parameter is incorrect" error when trying to perform a role check. I am using Forms authentication, AD Membership, and AzMan for roles. I can get the manual call to work by appending the "" to the end of User.Identity.Name in the call to Roles.IsUserInRole and that is all well and good but this is not possible to do when trying to use security trimming with the SiteMap Provider – which appears to always use User.Identity.Name and not have the ability to append the "" to the end so that the call works. How can I get SecurityTrimming to work with a SiteMapProvider when using Forms Authentication with ActiveDirectory membership and AzMan roles?

    Thank you so much for this great post!

  205. David Eggins says:

    In response to Craig Fisher’s question, I had this problem as well.

    In our case, we were running AZMAN on a Windows Server 2008 32 bit server. It was trying to connect to our Windows Server 2003 64 bit, SQL Server 2005 server to create the AZMAN store. We got the exact message "Cannot open the authorization store. The following problem occurred: Access is denied.". The database had been created, the Extended Stored Procedures had been created in the Master database, but no records had been created in the AZMAN database.

    I Used SQL Profiler to see what calls were being executed against SQL Server. I grabbed the last one that was executed, and tried running it in SQL Server Management Studio with a Begin Transaction. It failed with an error stating that it could not find "AzSqlExt.dll". I looked in the Master database Extended Stored Procedures created by Azman, and indeed, they used this DLL.

    It turns out that Windoes Server 2003 does not have this dll. After some research, and talking to someone from Microsoft, I was told to grab this AzSqlExt from a Windows Server 2008 server, and place it in the System32 folder. Make SURE you get the 32 bit or 64 bit version as needed… It comes with the Operating System, not SQL server…


    [Original Msg from Craig Fisher:

    I’m trying to connect to a SQL Store through the AZMan MMC UI on Windows Server 2008 and justam  getting "Cannot open the authorization store. The following problem occurred: Access is denied."

    If I tell it to create a new store I get the same message although the DB does actually get created in SQL.

    What could be wrong? ]

  206. David Eggins says:

    Does anyone know of a good tool to migrate an AZMAN XML store to an AZMAN SQL store?

    I am told there is one in the "Windows SDK for Windows Server 2008 and .NET Framework 3.5" at

    which I am about to look at, but was hoping there was one that did not require such a huge install.



  207. Craig says:

    I need to be able to show a list of users who have are authorized to perform a particular AzMan operation.

    I don’t think there’s any simple way to do this.

    Options I’m considering:

    1) create an AD group for these users and write code to enumerate the members of that group

    2) store a list of the users in SQL.

    In each of these cases it means managing these users in two places (in AzMan and in AD or SQL), although with the AD group I can just use that group to grant the operation permission to. The problem with using AD though is that I’d need to grant my ASP.Net app additional permissions to interact with the directory.

    Do you have any guidance around the best way to achieve this?

    (The reason I want to do this is that one user of the app needs to be able to assign a unit of work to another user. That second user needs to be someone who is authorized to perform the next operation on the unit of work.)

  208. Get Ops method if running Vista/Win2k8

    IAzClientContext3::GetOperations Method

    The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform.



    HRESULT GetOperations(

     [in]   BSTR bstrScopeName,

     [out]  IAzOperations **ppOperationCollection



    bstrScopeName [in]

    The name of the scope to check.

    ppOperationCollection [out]

    The address of a pointer to the collection of operations that the principal represented by the current client context has permission to perform.

    Return Value

    If the method succeeds, it returns S_OK.

    If the method fails, it returns an error code. For a list of common error codes, see Common HRESULT Values.

    Prior to that you need to determine whether sending a bunch of ops in and performing an accesscheck on them in a single call will do or whether you need to go to the store.



  209. Craig says:

    GetOperations isn’t what I want. I want to find the list of users who have permission to perform a particular operation.

  210. Sorry – sounds like you may need to perform a store operation or a version of what I said previously.  Since a role to role assignment is where the membership is set then you would need to spin through the role defs/(tasks).  The problem comes in when you have something like ldap query groups, bizrules or adfs claims that you have no direct user assignement set (which the accesscheck method would address a subset).  In the grand scheme of things, instead of writing the code to spin through the store, I would load up my users (either from the membership assignment or AD/ADAM if using LDAP Query groups), init client context by name and perform an accesscheck for each sending in an array of ops to check per user then spin through the accesscheck result array.  


  211. Ben says:

    I’d like to get a clearer defintion of:

    The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform

    Also, GetTasks() is defined the same.

    What does ‘has permission to perform’ mean with respect to BizRule processing. Are BizRules taken into account for the permission check? And if so, how are the BizRule Parameters defined before GetOperations or GetTasks is invoked?

  212. In this context operations are essentially permissions identified as integers in your code and also in your policy store coorespondingly.

    The overall concepts are explained in detail here however the new API addresses questions from the runtime (as oposed to the store operations)

    An accesscheck with an operation or array of operations passed in would result in a result list returned determining permission.Having to do with COM roots the convention was OK=0 and anything else false(.NET implementors process the result accordingly)

    The question of what operations or tasks do I have access to is the inverse question of an accesscheck at runtime.  Instead of seeding the code with an operation or set of ops and checking each as a set in one call you are returning the list up front.  Then you can make your AuthZ decisions from there. There are a number of reasons why you may choose this approach and that is why the OM was enhanced to include.  

    On to BizRules, as written in the paper, an accesscheck will resolve a result of a bizrule into success or failure (which is the permission check).  Operations are the lowest level and are esentially permissions.  Another type of permission is an ldap query group and another is a bizrule.  

    Offhand, I do not believe that GetTasks resolves bizrules and couldn’t see how it would do it for operations.  BizRule parameters are defined on the accesscheck base. The IAzClientContext3 permits viewing their state.  I’ll have to test to be 100% sure. I would also have to include the test case of a previous accesscheck resolving permission to a task and then caching the result.  From memory, direct assignment would take priority over a more expensive function call if I remember the internals correctly.



  213. Kreshiv says:


    I am trying to create a WCF that interacts ADAM and AzMan. Can you tell me

    what is the configuration needed, for a WCF to work successfully.

    I am using Windows Authentication for my application. I want to use

    anonymous access for WCF. I have already created the WCF, but i am

    continuously getting 1 or these errors.

    Handle is invalid.

    Access Denied.

    Insufficient Access Rights.

    I am not able to bind to AzMan from

    WCF, using credentials. What are the requirements, an AzMan Store looks for..

    AzAuthorizationStore store = new AzAuthorizationStoreClass();




    IAzApplication app =

    store.OpenApplication(Roles.ApplicationName, null);

    // Get the current user context

    IAzClientContext ctx =

    app.InitializeClientContextFromToken((ulong)userToken, null);

    Here is the error which i am getting stuck with. I can get only access

    rights error.

  214. perninha says:


       First i wanna thank you for your time and this wonderful product. I developed A Service to exposes AzMan in a easy way. This is in Codeplex as open source. Here in my company we are using AzMan with this service for all our new System and products and migrating the old ones. (More then 100 webapps). But i had a doubt,  we have 2 types of users here, one using AD. This is OK for us now. But the second type of user are external users, and we are using SQL Server (MemberShipProvider) to stores them. But we want to uses AzMan too. What we can do? I’m searching for the the Custom Object Picker examples in the Windows SDK and not found. This is very important, and we need to put this working in 1 week for the new projects and portal.

  215. Trevor Ward says:


     I’m still looking for a solution to the problem posted about November 05, 2007.  When using a dynamic LDAP group (queried from an ADAM instance which is also hosting my AzMan store) I get the following exception:

    HRESULT 0x800704EA “The security identifier provided does not have a domain component.”

    Does anyone have a solution to this?


    Trevor Ward

  216. Did you run your ADAM instance from a DC?  I remember that there was an incident/bug a while ago but havent followed the status.  

    Incredibly busy at the moment… on project.  (I’ll see if I can ping some others for status – in the mean time, try running from ADAM from a DC machine in your test (or test VHD if possible to rule out)  Check support for patches too. It should have been gone by Vista/Win2k8 and forward if it is what I think it is)


  217. Aldo Bressan says:

    Hi all! I’ve this situation: I’m required to use Azman, with SQL Server store, but my AzMan needs to be executed in a Windows 2003 server. Is this possible? Can I "upgrade" the AzMan version in the 2003 server to the new one that comes with 2008 server?

    Thanks a lot!



  218. Sridhar Yernagula says:

    We have AzMan configured with SQL Server Store, which contains Operations, Tasks, Roles, BizRules.

    I have opened the store in AzMan.Msc SnapIn, I am able to see Operations, Tasks, Bizrules, Roles, Groups.

    I have added more Operations, Tasks, Bizrules, Roles. After adding these, i have closed the AzMan.Msc and try to re-open the same store again, i got the following error.

    "Cannot enumerate child objects. The following problem occured: Access id denied."

    I am not able to open the store now, could someone help me out in understanding the problem.

    I have an application, which is running pretty fine, but after adding more Operations, Tasks, Bizrules, Roles. Now my application is throwing below error,

    System.Unauthorized.AccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED).

    at AZROLESLib.AzAuthorizationStoreClass.OpenApplication(String bstrApplicationName, Object varReserved).

    If this is not the right place to post this, could you please redirect me to the right place.

  219. Aldo,

    Sorry not directly, Windows 2008 or Vista can access SQL as a policy store only.

    You may however access a web service residing on a Win2k8 or Vista machine from your Win2k3 machine.



  220. post2ankit says:

    I am trying to use xml as an authorization store on my Windows XP SP3 computer (I have installed AzMan through the Admin server pack).

    When I try to initialise the AzMan client (using call – AzAuthorizationStore.Initialize(0, storePath, null), I get an argument exception – Value does not fall in range.

    the sample store path is as following – "msxml://C:\RedcloudLive\TestData\SecurityStore\AuthorizationStore.xml"

  221. post2ankit – Are you able to use the UI to open the policy store?


  222. Sridhar Yernagula  – what environment are you calling from… is everything  Win2k8?  What is your SQL policy store coalation?



  223. post2ankit says:

    I am able to use UI for opening policy store. I am using xml stored on the local computer as policy store.

    I just found that my local account is able to initialise the Authorization Store but the domain service account is unable to do so.

  224. Parul says:

    I am using C++ for implementing authorization manager. But I am stuck at InitializeClientContextFromToken function as the hToken I am passing to it is of type HANDLE and this funtion required the Type to be ULONGLONG.How to convert this token?

  225. Manjari Madhan says:


    I am using ADAM as DB for my AzMan Environment. We are using NTBackup/Restore for transferring ADAM data between DEV TEST and PROD Environments.

    We have seperate set of users in each Environments. I can see the Role Assignments getting over written when I do a restore.

    Is there a better way to Backup/Restore AzMan Data in ADAM without affecting Role Assignments?

  226. Bob says:

    Hi, I have an Win server 2008 AD environment that has some unix machines integrated.

    If I use Azman to manage groups and roles for the domain users I just want to confirm whether Java or C++ apps running in the unix environment could also access azman data via LDAP.  

    From earlier comments that appears to be the case, I just wanted to double-check this.

    I assume that we might have to manually perform more queries to enumerate the groups and roles, but I’m hoping this can still be done?


  227. @Bob – this api is utilized in custom applications.  It is not used for managing domain roles/groups.  This api however will utilize domain groups/etc for membership assignment in AzMan applications of which the policy store may also reside in AD.  The concept is that these are essentially SID buckets and in your applications you use the API to call these and resolve.  Check out the white paper for greater detail…

  228. @Manjari – check out the Vista sdk for sample code to migrate policy store data.  Usually I migrate to xml then import to X target in the next environment.  (xml because I can copy the file/email the file/etc to the next environment w/o needed connectivity to both environments at the same time.)



  229. Bob says:


    Thanks for your reply. I didn’t mean that I was looking for a particular way to manage groups/roles. I just meant that we have a custom application that we need to develop and I was looking into Azman as a possible tool to create custom roles for that application (as opposed to coding up knowledge of roles in a database or something).

    However my real question is: if we use Azman to specify roles for this application in AD, can the parts of this application that will run on unix also be able to access this Azman-specified user/role data via LDAP? It seems like that is the case, but I just wanted to understand if there were any pitfalls there to know about.

    I realize that if my app were windows-only then there is some additional role-checking and other behaviors that we could leverage, eg bizrules, etc. that I don’t quite understand yet, but I think if we can query a user’s groups/roles via LDAP will be good enough.

  230. @Bob – it is possible to access our AzMan policy store via LDAP if it resides in AD or AD-LDS previously known as ADAM.  It is not possible to access the AzMan API via the LDAP protocol.  It would be possible to write a web service interface that encapsulates the functionality of AzMan and call from a Unix client.  There are vendors which may have written software to copy the AzMan api and run on Unix.  I am fairly sure that Centrify has such a component and NetIQ may have one also – not so sure here.  I don’t have much more detail than that.  I believe there could be a couple approaches and that one could be only LDAP access from a unix machine from our partner’s api. I don’t have the details on it.

    Check out the WP for bizrule details –

    A lot of the API relies on the Windows architecture.  The bizrules or any COM DLL will run in process of your application and as such do things that architecture allows you to do.  For instance, you can call COM or COM interop to .NET using vbscript within the API.  You have to turn that capability on specifically in Vista and up (see )for more.  Submit your contact info via the private posting form and we can setup a short discussion (otherwise I’ll end up writing another whitepaper in response here 🙂 )

  231. Bob says:

    David, many thanks. It’s very helpful to be able to ask questions about this. After looking over the white papers your mentioned and viewing some Azman introductory videos by Keith Brown that I found, I think I’ve gotten an OK handle on this.

    As far as accessing Azman from unix Java/C++ clients, I think that either LDAP queries of the store data or a webservice that wraps some of the Azman API should do the trick.

    One final question: I noticed when playing with Azman on Win server 2008 that I have a choice between schema 1.0 and 2.0. Is there any particular reason to choose one over the other? This will be a Win server 2008 with Windows 7 clients.

  232. Bob says:

    Hopefully I can get you to help with this too. I’m running some example code in a command-line .net example application on a domain client:

    AzAuthorizationStore store = new AzAuthorizationStore();

    store.Initialize(0, @"msldap://dcserver:389/cn=MyStore,cn=Program Data,dc=xyz,dc=com", null);

    IAzApplication app = store.OpenApplication("MyApp", null);

    I’m getting an exception on the Initialize line: 0x80072098 (insufficient access).

    I see an earlier post about granting the network service access to the computer account (MYCLIENT$). However, it’s unclear to me what I grant this access on?

  233. @Bob – granting network service (the service account) is granting mymachine$ to whatever access it requires on the policy store.  If only accesschecks then you can give it read access to the containing node of the authz policy store.  I think you can give the computer object administrative rights in the azman.msc as well… if not your admin has to grant rights to the computer account for that container.



  234. @Bob – as far as the two schemas, offhand, I think the new is needed if you plan to use new functionality such as bizrule groups… etc

  235. Bob says:

    Thanks. I’ll give those links a read…

    Here’s is hopefully a quick question. I just want a sanity check: Say I have three groups of users and I want to assign three different sets of Operations that those  users can perform in my application. However, in AD there are also various different network resources that I want to grant to those same groups.

    What seems to make sense to me is that I want to create three role definitions representing the operations those groups will have in Azman. However also I would create three AD security groups representing those same three groups of users in AD.

    Then, in Azman role mapping, I would simply map those security groups to their respective roles.

    This all seems pretty straight-forward. The only thing that bothered me was the redundancy of creating this set of groups both as AD security groups as well as Azman roles. Does this make sense?

    thanks, Bob

  236. @Bob – although it may seem redundant there are performance benefits by utilizing role assignment from AD groups to AzMan groups.  I thought that we put that in the white paper.  I like to think of AzMan as having three buckets – a client context bucket that would come with my sid and lets say a group sid, the policy store bucket with role assignment and lastly your code implementation/operation/permission seeding in your line of business app.  By using a group sid, your client context and role assignment become much smaller which reduces initialization and comparison time (even if looking at hash matches).  You could have for instance 5000 users represented by a single sid but the application only sees it as two sids to compare. You should generally keep your azman role assignment under 1000 members for best performance/fastest initialization time.



  237. John R. says:

    I don’t understand the point of having both Role Definitions and Role Assignments.  

    Why isn’t there just the concept of ‘Role’ which contains both the definition of what tasks/ops it gives access to AND the assignments of who belongs to that role?

  238. Here is the short of it from posting…

    How come when I create a Role Definition in the UI it doesn’t show up when I enum Roles?

    We continue to enhance the OM for better productivity (see "2" and "3" interfaces) but this is a bit of legacy described.

  239. huseyint says:

    For those having "Cannot open the authorization store. The following problem occurred: Access is denied." or "Cannot create a new authorization store. The following problem occurred: Access is denied." with SQL Server store type, try creating a database with collation Latin1_General_CI_AS and set store name something like:

    mssql://Driver={SQL Server};Server={.SQLEXPRESS};/AzManDB/AzManStore

  240. huseyint says:


    This worked for me on my Windows 7 RTM x64 machine.

    Hope this helps.

    P.S. I've also installed…/975332 hotfix just before trying this, maybe this also helps.

  241. Ash says:

    Hi David,

    Under what circumstances will Azman AccessCheck (running under an xml store) return 5 instead of 0 or 1?

    I have setup an azman store on the local machine (win2003 std sp2) which is accessed via a webservice. Using either ClientContext orClientContext2 when I make an AccessCheck call, the results come back as 5 where I would expect 1.

    Azman is behaving as I would expect in all other scenarios, for example if I pass operations that do not exist in the store it throws a COM Exception, getting lists of Roles and Operations from the Application object works as expected.

    I have tried running the code (currently hosted in VS2010) as the local administrator on the machine and as a domain user. Same result each time. The context is being created around a defined AD user that has been added to the Role within Azman.

    Rather typically this is the only thing standing between us and a completely working Azman implementation.

    Any help appreciated!

  242. Scott says:

    I am new to AzMan but I have one basic question before I take a deep dive into this:

    We are building a rather large GRC application and the client strores the AD users in multiple OUs

    It seems that the store of roles can be set up in many other locations as well. This I find attactive…

    Can an AzMan store access multiple OUs to get the users for it's store in AD?

  243. Bill Harmon says:

    What is status of Azman?

  244. Internally, we call it sustained engineering.  It's a supported component with the OS described at our "lifecycle" section of our public site

    Essentially, it means no new development is currently being performed.  State of API is complete.

    Regards, David

  245. Het says:

    Hi Dave, I am trying to get list of operations based on user id and not current context. Is there a way I can get that?

  246. Could you help me understand what you are doing?  I think you looked at this…/aa377877(v=vs.85).aspx    

    "The GetOperations method returns a collection of the operations, within the specified scope, that the principal represented by the current client context has permission to perform."  and iterate through your account store producing these.  You could also query your policy store and roll your way back.

  247. Het says:

    Thank you David for prompt response.

    What I am trying to do is, on my web application, I am trying to show list of roles, tasks and operations based on the user id. So administrator of the application can select a user id from the dropdown and I pass that to some function which will return me roles, tasks and operation for the selected user. That user id may not be the current user logged in, but can be any user.

    I hope I am clear and not confused.

  248. Het says:

    Hi David, I found the way the get all roles, tasks and operation from user. Below is my code for anyone else who may use or suggest any other better way.:

    _clientContext2 = _azApplication3.InitializeClientContextFromName(userId, "domain", null);

                   roles = (object[])_clientContext2.GetRoles();

                   bool found = false;

                   foreach (object currRoleDef in roles)


                       found = false;

                       foreach (IAzRoleDefinition currentRoleDefinition in _azApplication3.RoleDefinitions)


                           if (currRoleDef.ToString().Equals(currentRoleDefinition.Name))


                               found = true;

                               Array roleTasks = (Array)currentRoleDefinition.Tasks;

                               foreach (string taskId in roleTasks)


                                   IAzTask currentTask = _azApplication3.OpenTask(taskId, null);

                                   Array taskOperations = (Array)currentTask.Operations;

                                   foreach (string operationId in taskOperations)


                                       IAzOperation currentOperation = _azApplication3.OpenOperation(operationId, null);

                                       perm = new Permission(); // my own created object with 3 properties

                                       perm.Role = currentRoleDefinition.Name;

                                       perm.Task = currentTask.Name;

                                       perm.Operation = currentOperation.Name;

                                       lst.Add(perm); // List<Permission> object




                           if (found) break;



                   return lst;

    Thank you again David for your help.

  249. Just want to make sure that you are aware that authorization manager API will be obsoleted in the next OS after WS2012R2 and Win8.x.  It will continue to be supported for the length of the OS in which it resides (which still gives you a good long time) but still it's something to keep in mind.  

  250. Het says:

    When you say WS2012R2, do you mean that we cannot upgrade our server WS2012 after R2? As we are not planning to upgrade to WS2013 in near future for sure, but if 2012 come out with R3, will AzMan api be supported?

  251. If there was such a thing then you wouldn't be able to upgrade to the new OS beyond WSVR2012R2  "and" have a supported instance of AzMan.  For official word on this, you can contact Premier Support and open an advisory case.  (I'm not in the support org or product group to make official statements) Just interpreting our policy and noting that AzMan carries the support lifecycle of the OS that releases with it as a component.

    As you will note from the support link above that you have a good long time with WSVR2012R2 still.

  252. Het says:

    Thank you very much Davind for an insight. I will keep this under my radar.

    Also, this page is one of the most useful page I have found on web regarding AzMan. I really appreciate your prompt response everytime.


    Features Removed or Deprecated in Windows Server 2012 R2

  254. Pat says:

    I am using AzMan (Sql Server 2014 store) to manage role assignment of users from SqlMembership store in the same database as the Azman store. I am trying to create membership user and assign the user to role (in Azman) in the same transaction. How can I enlist the AzMan connection in the same transaction scope as the SqlMembership provider? The goal is to ensure that both operations succeed or fail. I don't even know how to get the AzMan connection handle.

    Any suggestion will be appreciated.

  255. Het says:

    Hi David,

    Is there a way to get all users from Rolename and/or Groupname?

  256. Curious – For those still utilizing AzMan, what context or types of applications are you leveraging it in?  What is the general user base size?  Anonymous posting, nothing too specific would be great.  I'm just curious 🙂


  257. There is no acid transaction capability with AzMan.


  258. Peter Lindgren says:

    At a customer's site, they're using AzMan for fine-grained permissions in their BizTalk. Role assignments from AD groups, to control operations permissions (for example, allow GetCustomer but not UpdateCustomer). The customer is a bank and BizTalk is their middleware between their CRM, Internet Bank, etc.

  259. Thanks for the update Peter!

  260. Peter Lindgren says:

    I got here when I was troubleshooting a problem. It turned out their problem was that there was a duplicate in OperationID's. It's easy to reproduce, just start two consoles and add a new operation with identical (and previously unused) OperationID's in each console. Close both consoles and start a new one. Both new operations have the same OperationID. This is tested with the Authorization store in AD. It's sad that the console doesn't show the OperationID in any column, if that had been available the troubleshooting would have been easier. I made a script that looks for OperationID duplicates and then lists the operations in numerical order.

  261. john says:

    Hi David,

    When i call updatecache method to refresh policies the accessCheck method does not respond till updatecache is finished. is there any way to keep accesscheck responsive with the previous state of store till the updatecache is finished.

  262. Sorry to say, I am unaware of any way to make that more responsive.  A next step would be to contact our support organization. Once a trace is performed, they can identify if there are any further options for your code.

  263. Venkatesh says:

    Hi David,

    Sorry, in the previous post I entered the subject instead of my name. You can delete that post.

    In my product we use AzMan with ADAM as the back-end (store). On ***some*** machines AzMan access is v.slow. Not just through our code, but even AzMan.msc is itself slow. It takes a few seconds to create a role. Not been able to narrow it down yet. No anti-virus is running. Any tip on what could be causing this?


  264. It's hard to tell without doing some tracing.  I would look at the CPU on ADLDS side in combination with your connection from a good performing machine and a bad one.  I'd look at the ldap connection and test a couple queries as well, just to rule out anything there.  I'd try also running similar operations from multiple machines (if that is what you are doing to determine if concurrency is presenting a challenge.

    Fast path would be contacting our support org.


  265. Mohan says:

    Hi David,

      Need support from you, I want to know on which port a particular azman instance is installed?

    how do I get this info ?

    Thanks in advance

Skip to main content