searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

I want users to be able to type a user name in a textbox, and when they hit submit it displays the groups the user belongs to from Active Directory. getGroupsforUser uses the WindowsIdentity, and I have a button event below. In the button event below I just want to send the username typed into the textbox, but when I test the page I get this error:

"System.Security.SecurityException: The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user."

Any ideas??

    using System;
    using System.Collections.Generic;
    using System.Security.Principal;

    // Translate every group SID in the identity's token to an NTAccount name.
    List<string> getGroupsforUser(WindowsIdentity id)
    {
        List<string> groups = new List<string>();
        IdentityReferenceCollection irc = id.Groups;
        foreach (IdentityReference ir in irc)
        {
            NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
            groups.Add(acc.Value);
        }
        return groups;
    }

    protected void LookupADBtn_Click(object sender, EventArgs e)
    {
        string username = aduser.Text;
        // HTML-encode the typed-in name before echoing it back to the page.
        Response.Write("You are logged in as " + Server.HtmlEncode(username) + " your GROUPS are: ");
        //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity ;
        WindowsIdentity id = new WindowsIdentity(username);
        foreach (string roles in getGroupsforUser(id))
        {
            Label1.Text += "<br>" + Server.HtmlEncode(roles);
        }
    }

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

The error is exactly what it says it is. The constructor you are using on the WindowsIdentity object uses Kerberos protocol transition (S4U or service for user) in order to generate the user's token. This function requires that the client is 2003 or higher and that the domain controller servicing the request is 2003 AD in 2003 forest functional level. Apparently, it is not. If you don't know for sure that your DCs are converted over, you can't safely use this feature.

The code you have commented out would probably work fine though if your application was using Windows security in IIS (basic, digest or IWA). Why not just use that?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Thanks very much Joe for the prompt reply. The DC is still on W2k Windows 2000 Server..arg..... Are you talking about this line below?

    WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

It does work when I use that, but I want users to type in a username and hit the button to search other users.. Can I use DirectoryServices for this scenario? Thanks in advance once again.

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Yeah, you would need to do an LDAP lookup for the user's groups using tokenGroups to simulate what the protocol transition logon is doing. Or, get the admin to upgrade the DC. :)

Joe K.

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Joe, the admin won't update it because they are damn too lazy. I'm trying to use this code here as a guide, but it's returning null when passing a search result: http://www.wwwcoder.com/main/parenti...8/default.aspx

Any ideas? Do you have a sample snippet using tokenGroups somewhere on your site? Been trying to find a guide from there but to no success. Thanks in advance..

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Ch 10 of our book has a few samples on tokenGroups. You can download the code samples from ch 10 and the whole chapter in pdf form from our website.

Joe K.

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Joe, are you talking about this code snippet below? Is it this one? On the line "foreach (byte[] sid in user.Properties["tokenGroups"])", what's the user? Is it the DirectoryEntry object? The code doesn't look complete or something.. Thanks

    public void theGurusCode()
    {
        StringBuilder sb = new StringBuilder();

        //we are building an '|' clause
        sb.Append("(|");

        foreach (byte[] sid in user.Properties["tokenGroups"])
        {
            //append each member into the filter
            sb.AppendFormat(
                "(objectSid={0})", BuildFilterOctetString(sid));
        }

        //end our initial filter
        sb.Append(")");

        DirectoryEntry searchRoot = new DirectoryEntry(
            "LDAP://DC=domain,DC=com",
            null,
            null,
            AuthenticationTypes.Secure
            );

        using (searchRoot)
        {
            //we now have our filter, we can just search for the groups
            DirectorySearcher ds = new DirectorySearcher(
                searchRoot,
                sb.ToString() //our filter
                );

            using (SearchResultCollection src = ds.FindAll())
            {
                foreach (SearchResult sr in src)
                {
                    //Here is each group now...
                    Console.WriteLine(
                        sr.Properties["samAccountName"][0]);
                }
            }
        }
    }

    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < bytes.Length; i++)
        {
            sb.AppendFormat(
                "\\{0}",
                bytes[i].ToString("X2")
                );
        }
        return sb.ToString();
    }

Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

Joe, I have modified the code and I can get the tokenGroups based on a user.. But no groups are displayed.. But I can see the filter query like so:

    (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )

and also see how many tokenGroups are returned.. Any ideas?

Re: searching what groups a user belong from AD but error The Kerberos subsystem encountered an error. A service for user protocol request was made
That query filter does not look right. The SIDs should look like:

\xx\xx\xx\xx\xx

I can't see how your call to BuildFilterOctetString produced the output that you got. Are you sure you called it right?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@hotmail.com> wrote in message news:OA3aYRbTIHA.3400@TK2MSFTNGP03.phx.gbl...
> Joe i have modified the code and i can get the TokenGroups based on a user..
> But no groups are displayed ..
> But i can see the filter query like so:-
> (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
> and also see how many tokengroups are returned..
> Any ideas?
>
> "rote" <naijacoder@hotmail.com> wrote in message news:e2FzUcZTIHA.5404@TK2MSFTNGP03.phx.gbl...
>> Joe are you talking about this snippet code below ?
>> Is it this one?
>> On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
>> what's the user? Is it the DirectoryEntry object.
>> The code doesn't look complete or something..
Re: searching what groups a user belong from AD but error The Kerberos subsystem encountered an error. A service for user protocol request was made
I was just about to write back Joe.
I was using :-

    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bytes.Length; i++)
        {
            // emits "0x01 0x02 ..." for each byte
            sb.AppendFormat("0x{0} ", bytes[i].ToString("X2"));
        }
        return sb.ToString();
    }

Instead of

    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();
        for(int i=0; i < bytes.Length; i++)
        {
            // emits "\01\02..." for each byte
            sb.AppendFormat(
                "\\{0}",
                bytes[i].ToString("X2")
            );
        }
        return sb.ToString();
    }

After i changed that it worked like a charm. And by the way congrats on your new born baby.
One more question is can i do group names to return me users that belongs to those groups?
Thanks a lot

"Joe Kaplan" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:uJJBT2bTIHA.2000@TK2MSFTNGP05.phx.gbl...
> That query filter does not look right. The SIDs should look like:
>
> \xx\xx\xx\xx\xx
>
> I can't see how your call to BuildFilterOctetString produced the output that you got. Are you sure you called it right?
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "rote" <naijacoder@hotmail.com> wrote in message news:OA3aYRbTIHA.3400@TK2MSFTNGP03.phx.gbl...
>> Joe i have modified the code and i can get the TokenGroups based on a user..
>> But no groups are displayed ..
>> But i can see the filter query like so:-
>> (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
>> and also see how many tokengroups are returned..
>> Any ideas?
>>
>> "rote" <naijacoder@hotmail.com> wrote in message news:e2FzUcZTIHA.5404@TK2MSFTNGP03.phx.gbl...
>>> Joe are you talking about this snippet code below ?
>>> Is it this one?
>>> On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
>>> what's the user? Is it the DirectoryEntry object.
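The lookup this thread converges on (find the typed user over LDAP, read tokenGroups, resolve the SIDs with one OR filter), as an added C# example that is not code from the posters or from the book. It goes one step beyond the thread by also escaping the typed user name per RFC 4515, because that value is placed in a search filter; GroupLookup, EscapeFilterValue and GetGroupNames are hypothetical names, and LDAP://DC=domain,DC=com is the placeholder path used in the thread.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;   // add a reference to System.DirectoryServices.dll
using System.Text;

public static class GroupLookup   // hypothetical helper class, not from the thread
{
    // A binary value such as objectSid is written in a filter as \xx per byte (RFC 4515).
    public static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
            sb.Append('\\').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // RFC 4515 escaping for the text typed into the form, so that * ( ) \ and NUL
    // are matched literally instead of changing the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns the sAMAccountName of every group whose SID is in the user's tokenGroups.
    public static List<string> GetGroupNames(string samAccountName)
    {
        List<string> names = new List<string>();
        if (string.IsNullOrEmpty(samAccountName)) return names;

        string userFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
        using (DirectoryEntry root = new DirectoryEntry(
            "LDAP://DC=domain,DC=com", null, null, AuthenticationTypes.Secure)) // placeholder path
        using (DirectorySearcher findUser = new DirectorySearcher(root, userFilter))
        {
            SearchResult hit = findUser.FindOne();
            if (hit == null) return names;                 // no such user
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute and has to be requested by name.
                user.RefreshCache(new string[] { "tokenGroups" });
                if (user.Properties["tokenGroups"].Count == 0) return names;

                StringBuilder filter = new StringBuilder("(|");
                foreach (byte[] sid in user.Properties["tokenGroups"])
                    filter.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
                filter.Append(")");

                using (DirectorySearcher findGroups = new DirectorySearcher(root, filter.ToString()))
                using (SearchResultCollection groups = findGroups.FindAll())
                    foreach (SearchResult g in groups)
                        names.Add((string)g.Properties["samAccountName"][0]);
            }
        }
        return names;
    }
}
```

When the result is rendered in the page, pass the typed name and each group name through HttpUtility.HtmlEncode before writing them to Response or Label1.Text.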