Velocity Reviews - Computer Hardware Reviews

searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made

 
 
rote
      12-27-2007
I want users to be able to type a user name in a textbox and when they hit
submit, display the groups the user belongs to from the Active Directory.
The getGroupsforUser uses the WindowsIdentity and I have a button event
below.
In the button event below I just want to send the username typed in the
textbox, but when I test the page I get this error:

"System.Security.SecurityException: The Kerberos subsystem encountered an
error. A service for user protocol request was made
against a domain controller which does not support service for user."

Any ideas??


using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Translates every group SID in the identity's token to a DOMAIN\Group name.
List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    IdentityReferenceCollection irc = id.Groups;

    foreach (IdentityReference ir in irc)
    {
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}

-----------------------------------------------------------------------------------

protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;

    // Encode user-supplied text before echoing it back into the page.
    Response.Write("You are logged in as " + HttpUtility.HtmlEncode(username) + " your GROUPS are: ");

    // Identity of the caller as authenticated by IIS (no S4U needed):
    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity ;

    // Builds a token for an arbitrary account. The constructor expects a UPN
    // (user@domain) and obtains the token through Kerberos S4U, which is the call
    // that raises the SecurityException quoted above when the DC lacks S4U support.
    WindowsIdentity id = new WindowsIdentity(username);

    foreach (string role in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + HttpUtility.HtmlEncode(role);
    }
}


 
Joe Kaplan
      12-27-2007
The error is exactly what it says it is. The constructor you are using
on the WindowsIdentity object uses Kerberos protocol transition (S4U or
service for user) in order to generate the user's token. This function
requires that the client is 2003 or higher and that the domain controller
servicing the request is 2003 AD in 2003 forest functional level.
Apparently, it is not. If you don't know for sure that your DCs are
converted over, you can't safely use this feature.

The code you have commented out would probably work fine though if your
application was using Windows security in IIS (basic, digest or IWA). Why
not just use that?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
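One way to test the condition Joe describes before relying on the WindowsIdentity(string) constructor, added here as an example and not code from the thread: it reads domainFunctionality and forestFunctionality from RootDSE (both absent on Windows 2000 DCs, 2 or higher from Windows Server 2003) and only attempts the S4U logon when both levels permit. It assumes a domain-joined host with System.DirectoryServices referenced.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not from the thread: checks the functional levels reported by the
// DC that answers RootDSE before a protocol-transition (S4U) logon is attempted.
// Assumes a domain-joined host; RootDSE needs no credentials to read.
static class S4UCheck
{
    // RootDSE functional-level values: 0 = Windows 2000, 1 = 2003 interim,
    // 2 = Windows Server 2003, higher = later releases. Windows 2000 DCs do not
    // expose these attributes at all, so a missing value is treated as 0.
    public static int ReadRootDseLevel(string attribute)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            object value = rootDse.Properties[attribute].Value;
            return value == null ? 0 : Convert.ToInt32(value);
        }
    }

    // Joe's stated requirement: a 2003 domain inside a 2003 forest.
    public static bool SupportsProtocolTransition(int domainLevel, int forestLevel)
    {
        return domainLevel >= 2 && forestLevel >= 2;
    }

    // Returns the account's token groups via S4U when the directory supports it,
    // or null so the caller can fall back to an LDAP lookup (e.g. tokenGroups)
    // instead of letting the constructor throw the SecurityException from the thread.
    public static IdentityReferenceCollection TryGetGroupsViaS4U(string userPrincipalName)
    {
        int domainLevel = ReadRootDseLevel("domainFunctionality");
        int forestLevel = ReadRootDseLevel("forestFunctionality");
        if (!SupportsProtocolTransition(domainLevel, forestLevel))
        {
            return null;
        }
        // WindowsIdentity(string) takes a UPN such as jdoe@corp.example, not DOMAIN\jdoe.
        WindowsIdentity id = new WindowsIdentity(userPrincipalName);
        return id.Groups;
    }

    static void Main(string[] args)
    {
        int domainLevel = ReadRootDseLevel("domainFunctionality");
        int forestLevel = ReadRootDseLevel("forestFunctionality");
        Console.WriteLine("domainFunctionality={0} forestFunctionality={1} S4U usable: {2}",
            domainLevel, forestLevel, SupportsProtocolTransition(domainLevel, forestLevel));
    }
}
```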
 
rote
      12-27-2007
Thanks very much Joe for the prompt reply.
The DC is still on W2k Windows 2000 server..arg.....
Are you talking about this line below?
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity ;
It does work when I use that, but I want users to type in a username and hit
the button to search other users..

Can I use DirectoryServices for this scenario..
Thanks in advance once again
 
Joe Kaplan
      12-27-2007
Yeah, you would need to do an LDAP lookup for the user's groups using
tokenGroups to simulate what the protocol transition logon is doing. Or,
get the admin to upgrade the DC.

Joe K.

 
rote
      01-02-2008
Joe, the admin won't update it because they are damn too lazy.
I'm trying to use this code here as a guide but it's returning null when
passing a search result:
http://www.wwwcoder.com/main/parenti...8/default.aspx
Any ideas..
Do you have a sample snippet using tokenGroups somewhere on your site? Been
trying to find a guide from there but no success.
Thanks in advance..

 
Joe Kaplan
      01-02-2008
Ch 10 of our book has a few samples on tokenGroups. You can download the
code samples from ch 10 and the whole chapter in pdf form from our website.

Joe K.

 
rote
      01-02-2008
Joe, are you talking about this snippet of code below?
Is it this one?
On the line "foreach (byte[] sid in user.Properties["tokenGroups"])"
what's the user? Is it the DirectoryEntry object?
The code doesn't look complete or something..
Thanks



using System;
using System.DirectoryServices;
using System.Text;

// 'user' is assumed here to be the DirectoryEntry of the account whose groups are
// wanted. tokenGroups is a constructed attribute, so it is only populated after an
// explicit user.RefreshCache(new string[] { "tokenGroups" }) before this call.
public void theGurusCode(DirectoryEntry user)
{
    StringBuilder sb = new StringBuilder();

    //we are building an '|' clause
    sb.Append("(|");

    foreach (byte[] sid in user.Properties["tokenGroups"])
    {
        //append each member into the filter
        sb.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
    }

    //end our initial filter
    sb.Append(")");

    DirectoryEntry searchRoot = new DirectoryEntry(
        "LDAP://DC=domain,DC=com",
        null,
        null,
        AuthenticationTypes.Secure
        );

    using (searchRoot)
    {
        //we now have our filter, we can just search for the groups
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            sb.ToString() //our filter
            );

        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
            {
                //Here is each group now...
                Console.WriteLine(sr.Properties["samAccountName"][0]);
            }
        }
    }
}

//Escapes each byte of the binary SID as \XX so objectSid can be matched in an LDAP filter.
private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        sb.AppendFormat("\\{0}", bytes[i].ToString("X2"));
    }
    return sb.ToString();
}
 
rote
      01-03-2008
Joe, I have modified the code and I can get the TokenGroups based on a user..
But no groups are displayed..
But I can see the filter query like so:-
(|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20
0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
and also see how many tokengroups are returned..
Any ideas?

"rote" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Joe are you talking about this snippet code below ?
> Is it this one?
> On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
> whats the user? Is it the DirectoryEntry object.
> The code doesn;t look complete or something..
> Thanks
>
>
>
> public void theGurusCode()
>
> {
>
>
> StringBuilder sb = new StringBuilder();
>
> //we are building an '|' clause
> sb.Append("(|");
>
> foreach (byte[] sid in user.Properties["tokenGroups"])
> {
> //append each member into the filter
> sb.AppendFormat(
> "(objectSid={0})", BuildFilterOctetString(sid));
> }
>
> //end our initial filter
> sb.Append(")");
>
> DirectoryEntry searchRoot = new DirectoryEntry(
> "LDAP://DC=domain,DC=com",
> null,
> null,
> AuthenticationTypes.Secure
> );
>
>
>
> using (searchRoot)
> {
> //we now have our filter, we can just search for the groups
> DirectorySearcher ds = new DirectorySearcher(
> searchRoot,
> sb.ToString() //our filter
> );
>
> using (SearchResultCollection src = ds.FindAll())
> {
> foreach (SearchResult sr in src)
> {
> //Here is each group now...
> Console.WriteLine(
> sr.Properties["samAccountName"][0]);
> }
> }
> }
> }
>
> private string BuildFilterOctetString(byte[] bytes)
> {
> StringBuilder sb = new StringBuilder();
>
> for(int i=0; i < bytes.Length; i++)
> {
> sb.AppendFormat(
> "\\{0}",
> bytes[i].ToString("X2")
> );
> }
> return sb.ToString();
> }
>
> "Joe Kaplan" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Ch 10 of our book has a few samples on tokenGroups. You can download the
>> code samples from ch 10 and the whole chapter in pdf form from our
>> website.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "rote" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> Joe the admin won't update it because they are damn too lazy.
>>> I'm trying yo use this code here as a guide but its returning null when
>>> passing a search result :
>>> http://www.wwwcoder.com/main/parenti...8/default.aspx
>>> Any ideas..
>>> Do you have a sample snipprt using tokenGroups somehwere on your site
>>> been trying to find a guide from there but to success.
>>> Thanks in advance..
>>>
>>>
>>> "Joe Kaplan" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Yeah, you would need to do an LDAP lookup for the user's groups using
>>>> tokenGroups to simulate what the protocol transition logon is doing.
>>>> Or, get the admin to upgrade the DC.
>>>>
>>>> Joe K.
>>>>
>>>> --
>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>> Programming"
>>>> http://www.directoryprogramming.net
>>>> --
>>>> "rote" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>> Thanks very much Joe for ther prompt reply
>>>>> The DC is still in W2k windows 2000 server..arg.....
>>>>> Are u talkng about this line below
>>>>> WindowsIdentity id =
>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>> It does work when i use that but i want users to type in a username
>>>>> and hit the button to search other users..
>>>>>
>>>>> Can i use DirectoryServices fr this sceanrio..
>>>>> Thanks in advacne once again
>>>>>
>>>>>
>>>>>
>>>>> "Joe Kaplan" <(E-Mail Removed)> wrote in
>>>>> message news:ufR$(E-Mail Removed)...
>>>>>> The error is exactly what you it says it is. The constructor you are
>>>>>> using on the WindowsIdentity object uses Kerberos protocol transition
>>>>>> (S4U or service for user) in order to generate the user's token.
>>>>>> This function requires that the client is 2003 or higher and that the
>>>>>> domain controller servicing the request is 2003 AD in 2003 forest
>>>>>> functional level. Apparently, it is not. If you don't know for sure
>>>>>> that your DCs are converted over, you can't safely use this feature.
>>>>>>
>>>>>> The code you have commented out would probably work fine though if
>>>>>> your application was using Windows security in IIS (basic, digest or
>>>>>> IWA). Why not just use that?
>>>>>>
>>>>>> Joe K.
>>>>>>
>>>>>> --
>>>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>>>> Programming"
>>>>>> http://www.directoryprogramming.net
>>>>>> --
>>>>>> "rote" <(E-Mail Removed)> wrote in message
>>>>>> news:uM%(E-Mail Removed)...
>>>>>>>I want users to be able to type a user name in a textox and when they
>>>>>>>hit submit displays
>>>>>>> groups the user belongs to from the Acive Directory.
>>>>>>> the getGroupforUser uses the WindowsIdentity and i have a button
>>>>>>> even below.
>>>>>>> In the button event below i just want to send the username typed in
>>>>>>> in the textbox but when i test the page i get error :-
>>>>>>>
>>>>>>> "System.Security.SecurityException: The Kerberos subsystem
>>>>>>> encountered an error. A service for user protocol request was made
>>>>>>> against a domain controller which does not support service for
>>>>>>> user."
>>>>>>>
>>>>>>> Any ideas??
>>>>>>>
>>>>>>>
>>>>>>> List<string> getGroupsforUser(WindowsIdentity id)
>>>>>>> {
>>>>>>> List<string> groups = new List<string>();
>>>>>>> IdentityReferenceCollection irc = id.Groups;
>>>>>>>
>>>>>>> foreach (IdentityReference ir in irc)
>>>>>>>
>>>>>>> {
>>>>>>>
>>>>>>> NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
>>>>>>>
>>>>>>> groups.Add(acc.Value);
>>>>>>>
>>>>>>> }
>>>>>>> return groups;
>>>>>>> }
>>>>>>>
>>>>>>> -----------------------------------------------------------------------------------
>>>>>>>
>>>>>>> protected void LookupADBtn_Click(object sender, EventArgs e)
>>>>>>>
>>>>>>> {
>>>>>>>
>>>>>>> string username = aduser.Text;
>>>>>>>
>>>>>>> Response.Write("You are logged in as " + username + " your GROUPS
>>>>>>> are: ");
>>>>>>>
>>>>>>> //WindowsIdentity id =
>>>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>>>>
>>>>>>> WindowsIdentity id = new WindowsIdentity(username);
>>>>>>>
>>>>>>> foreach (string roles in getGroupsforUser(id))
>>>>>>>
>>>>>>> {
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Label1.Text += "<br>" + roles.ToString();
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>

>>
>>

>
>



Joe Kaplan
Guest
Posts: n/a
 
      01-03-2008
That query filter does not look right. The SIDs should look like:

\xx\xx\xx\xx\xx

I can't see how your call to BuildFilterOctetString produced the output that
you got. Are you sure you called it right?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Joe i have modified the code and i can get the TokenGroups based on a
> user..
> But no groups are displayed ..
> But i can see the filter query like so:-
> (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
> 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05
> 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
> and also see how many tokengroups are returned..
> Any ideas?
>
> "rote" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Joe are you talking about this snippet code below ?
>> Is it this one?
>> On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
>> whats the user? Is it the DirectoryEntry object.
>> The code doesn;t look complete or something..
>> Thanks
>>
>>
>>
>> public void theGurusCode()
>>
>> {
>>
>>
>> StringBuilder sb = new StringBuilder();
>>
>> //we are building an '|' clause
>> sb.Append("(|");
>>
>> foreach (byte[] sid in user.Properties["tokenGroups"])
>> {
>> //append each member into the filter
>> sb.AppendFormat(
>> "(objectSid={0})", BuildFilterOctetString(sid));
>> }
>>
>> //end our initial filter
>> sb.Append(")");
>>
>> DirectoryEntry searchRoot = new DirectoryEntry(
>> "LDAP://DC=domain,DC=com",
>> null,
>> null,
>> AuthenticationTypes.Secure
>> );
>>
>>
>>
>> using (searchRoot)
>> {
>> //we now have our filter, we can just search for the groups
>> DirectorySearcher ds = new DirectorySearcher(
>> searchRoot,
>> sb.ToString() //our filter
>> );
>>
>> using (SearchResultCollection src = ds.FindAll())
>> {
>> foreach (SearchResult sr in src)
>> {
>> //Here is each group now...
>> Console.WriteLine(
>> sr.Properties["samAccountName"][0]);
>> }
>> }
>> }
>> }
>>
>> private string BuildFilterOctetString(byte[] bytes)
>> {
>> StringBuilder sb = new StringBuilder();
>>
>> for(int i=0; i < bytes.Length; i++)
>> {
>> sb.AppendFormat(
>> "\\{0}",
>> bytes[i].ToString("X2")
>> );
>> }
>> return sb.ToString();
>> }
>>
>> "Joe Kaplan" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> Ch 10 of our book has a few samples on tokenGroups. You can download
>>> the code samples from ch 10 and the whole chapter in pdf form from our
>>> website.
>>>
>>> Joe K.
>>>
>>> --
>>> Joe Kaplan-MS MVP Directory Services Programming
>>> Co-author of "The .NET Developer's Guide to Directory Services
>>> Programming"
>>> http://www.directoryprogramming.net
>>> --
>>> "rote" <(E-Mail Removed)> wrote in message
>>> news:%(E-Mail Removed)...
>>>> Joe the admin won't update it because they are damn too lazy.
>>>> I'm trying yo use this code here as a guide but its returning null when
>>>> passing a search result :
>>>> http://www.wwwcoder.com/main/parenti...8/default.aspx
>>>> Any ideas..
>>>> Do you have a sample snipprt using tokenGroups somehwere on your site
>>>> been trying to find a guide from there but to success.
>>>> Thanks in advance..
>>>>
>>>>
>>>> "Joe Kaplan" <(E-Mail Removed)> wrote in
>>>> message news:(E-Mail Removed)...
>>>>> Yeah, you would need to do an LDAP lookup for the user's groups using
>>>>> tokenGroups to simulate what the protocol transition logon is doing.
>>>>> Or, get the admin to upgrade the DC.
>>>>>
>>>>> Joe K.
>>>>>
>>>>> --
>>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>>> Programming"
>>>>> http://www.directoryprogramming.net
>>>>> --
>>>>> "rote" <(E-Mail Removed)> wrote in message
>>>>> news:(E-Mail Removed)...
>>>>>> Thanks very much Joe for ther prompt reply
>>>>>> The DC is still in W2k windows 2000 server..arg.....
>>>>>> Are u talkng about this line below
>>>>>> WindowsIdentity id =
>>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>>> It does work when i use that but i want users to type in a username
>>>>>> and hit the button to search other users..
>>>>>>
>>>>>> Can i use DirectoryServices fr this sceanrio..
>>>>>> Thanks in advacne once again
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Joe Kaplan" <(E-Mail Removed)> wrote in
>>>>>> message news:ufR$(E-Mail Removed)...
>>>>>>> The error is exactly what you it says it is. The constructor you
>>>>>>> are using on the WindowsIdentity object uses Kerberos protocol
>>>>>>> transition (S4U or service for user) in order to generate the user's
>>>>>>> token. This function requires that the client is 2003 or higher and
>>>>>>> that the domain controller servicing the request is 2003 AD in 2003
>>>>>>> forest functional level. Apparently, it is not. If you don't know
>>>>>>> for sure that your DCs are converted over, you can't safely use this
>>>>>>> feature.
>>>>>>>
>>>>>>> The code you have commented out would probably work fine though if
>>>>>>> your application was using Windows security in IIS (basic, digest or
>>>>>>> IWA). Why not just use that?
>>>>>>>
>>>>>>> Joe K.
>>>>>>>
>>>>>>> --
>>>>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>>>>> Programming"
>>>>>>> http://www.directoryprogramming.net
>>>>>>> --
>>>>>>> "rote" <(E-Mail Removed)> wrote in message
>>>>>>> news:uM%(E-Mail Removed)...
>>>>>>>>I want users to be able to type a user name in a textox and when
>>>>>>>>they hit submit displays
>>>>>>>> groups the user belongs to from the Acive Directory.
>>>>>>>> the getGroupforUser uses the WindowsIdentity and i have a button
>>>>>>>> even below.
>>>>>>>> In the button event below i just want to send the username typed in
>>>>>>>> in the textbox but when i test the page i get error :-
>>>>>>>>
>>>>>>>> "System.Security.SecurityException: The Kerberos subsystem
>>>>>>>> encountered an error. A service for user protocol request was made
>>>>>>>> against a domain controller which does not support service for
>>>>>>>> user."
>>>>>>>>
>>>>>>>> Any ideas??
>>>>>>>>
>>>>>>>>
>>>>>>>> List<string> getGroupsforUser(WindowsIdentity id)
>>>>>>>> {
>>>>>>>> List<string> groups = new List<string>();
>>>>>>>> IdentityReferenceCollection irc = id.Groups;
>>>>>>>>
>>>>>>>> foreach (IdentityReference ir in irc)
>>>>>>>>
>>>>>>>> {
>>>>>>>>
>>>>>>>> NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
>>>>>>>>
>>>>>>>> groups.Add(acc.Value);
>>>>>>>>
>>>>>>>> }
>>>>>>>> return groups;
>>>>>>>> }
>>>>>>>>
>>>>>>>> -----------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> protected void LookupADBtn_Click(object sender, EventArgs e)
>>>>>>>>
>>>>>>>> {
>>>>>>>>
>>>>>>>> string username = aduser.Text;
>>>>>>>>
>>>>>>>> Response.Write("You are logged in as " + username + " your GROUPS
>>>>>>>> are: ");
>>>>>>>>
>>>>>>>> //WindowsIdentity id =
>>>>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>>>>>
>>>>>>>> WindowsIdentity id = new WindowsIdentity(username);
>>>>>>>>
>>>>>>>> foreach (string roles in getGroupsforUser(id))
>>>>>>>>
>>>>>>>> {
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Label1.Text += "<br>" + roles.ToString();
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>

>>
>>

>
>



rote
Guest
Posts: n/a
 
      01-03-2008
I was just about to write back Joe.
I was using :-

private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        // yields "0x01 0x02 ..." text, which never matches the binary objectSid
        sb.AppendFormat("0x{0} ", bytes[i].ToString("X2"));
    }

    return sb.ToString();
}

Instead of

private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        // yields "\01\02..." , the LDAP octet-string escape for each byte
        sb.AppendFormat("\\{0}", bytes[i].ToString("X2"));
    }
    return sb.ToString();
}

After I changed that it worked like a charm. And by the way, congrats on your
newborn baby.
One more question: can I do group names to return me the users that belong to
those groups?
Thanks a lot


"Joe Kaplan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> That query filter does not look right. The SIDs should look like:
>
> \xx\xx\xx\xx\xx
>
> I can't see how your call to BuildFilterOctetString produced the output
> that you got. Are you sure you called it right?
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "rote" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Joe i have modified the code and i can get the TokenGroups based on a
>> user..
>> But no groups are displayed ..
>> But i can see the filter query like so:-
>> (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
>> 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05
>> 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
>> and also see how many tokengroups are returned..
>> Any ideas?
>>
>> "rote" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Joe are you talking about this snippet code below ?
>>> Is it this one?
>>> On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
>>> whats the user? Is it the DirectoryEntry object.
>>> The code doesn;t look complete or something..
>>> Thanks
>>>
>>>
>>>
>>> public void theGurusCode()
>>>
>>> {
>>>
>>>
>>> StringBuilder sb = new StringBuilder();
>>>
>>> //we are building an '|' clause
>>> sb.Append("(|");
>>>
>>> foreach (byte[] sid in user.Properties["tokenGroups"])
>>> {
>>> //append each member into the filter
>>> sb.AppendFormat(
>>> "(objectSid={0})", BuildFilterOctetString(sid));
>>> }
>>>
>>> //end our initial filter
>>> sb.Append(")");
>>>
>>> DirectoryEntry searchRoot = new DirectoryEntry(
>>> "LDAP://DC=domain,DC=com",
>>> null,
>>> null,
>>> AuthenticationTypes.Secure
>>> );
>>>
>>>
>>>
>>> using (searchRoot)
>>> {
>>> //we now have our filter, we can just search for the groups
>>> DirectorySearcher ds = new DirectorySearcher(
>>> searchRoot,
>>> sb.ToString() //our filter
>>> );
>>>
>>> using (SearchResultCollection src = ds.FindAll())
>>> {
>>> foreach (SearchResult sr in src)
>>> {
>>> //Here is each group now...
>>> Console.WriteLine(
>>> sr.Properties["samAccountName"][0]);
>>> }
>>> }
>>> }
>>> }
>>>
>>> private string BuildFilterOctetString(byte[] bytes)
>>> {
>>> StringBuilder sb = new StringBuilder();
>>>
>>> for(int i=0; i < bytes.Length; i++)
>>> {
>>> sb.AppendFormat(
>>> "\\{0}",
>>> bytes[i].ToString("X2")
>>> );
>>> }
>>> return sb.ToString();
>>> }
>>>
>>> "Joe Kaplan" <(E-Mail Removed)> wrote in message
>>> news:%(E-Mail Removed)...
>>>> Ch 10 of our book has a few samples on tokenGroups. You can download
>>>> the code samples from ch 10 and the whole chapter in pdf form from our
>>>> website.
>>>>
>>>> Joe K.
>>>>
>>>> --
>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>> Programming"
>>>> http://www.directoryprogramming.net
>>>> --
>>>> "rote" <(E-Mail Removed)> wrote in message
>>>> news:%(E-Mail Removed)...
>>>>> Joe the admin won't update it because they are damn too lazy.
>>>>> I'm trying yo use this code here as a guide but its returning null
>>>>> when passing a search result :
>>>>> http://www.wwwcoder.com/main/parenti...8/default.aspx
>>>>> Any ideas..
>>>>> Do you have a sample snipprt using tokenGroups somehwere on your site
>>>>> been trying to find a guide from there but to success.
>>>>> Thanks in advance..
>>>>>
>>>>>
>>>>> "Joe Kaplan" <(E-Mail Removed)> wrote in
>>>>> message news:(E-Mail Removed)...
>>>>>> Yeah, you would need to do an LDAP lookup for the user's groups using
>>>>>> tokenGroups to simulate what the protocol transition logon is doing.
>>>>>> Or, get the admin to upgrade the DC.
>>>>>>
>>>>>> Joe K.
>>>>>>
>>>>>> --
>>>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>>>> Programming"
>>>>>> http://www.directoryprogramming.net
>>>>>> --
>>>>>> "rote" <(E-Mail Removed)> wrote in message
>>>>>> news:(E-Mail Removed)...
>>>>>>> Thanks very much Joe for ther prompt reply
>>>>>>> The DC is still in W2k windows 2000 server..arg.....
>>>>>>> Are u talkng about this line below
>>>>>>> WindowsIdentity id =
>>>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>>>> It does work when i use that but i want users to type in a username
>>>>>>> and hit the button to search other users..
>>>>>>>
>>>>>>> Can i use DirectoryServices fr this sceanrio..
>>>>>>> Thanks in advacne once again
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "Joe Kaplan" <(E-Mail Removed)> wrote in
>>>>>>> message news:ufR$(E-Mail Removed)...
>>>>>>>> The error is exactly what you it says it is. The constructor you
>>>>>>>> are using on the WindowsIdentity object uses Kerberos protocol
>>>>>>>> transition (S4U or service for user) in order to generate the
>>>>>>>> user's token. This function requires that the client is 2003 or
>>>>>>>> higher and that the domain controller servicing the request is 2003
>>>>>>>> AD in 2003 forest functional level. Apparently, it is not. If you
>>>>>>>> don't know for sure that your DCs are converted over, you can't
>>>>>>>> safely use this feature.
>>>>>>>>
>>>>>>>> The code you have commented out would probably work fine though if
>>>>>>>> your application was using Windows security in IIS (basic, digest
>>>>>>>> or IWA). Why not just use that?
>>>>>>>>
>>>>>>>> Joe K.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>>>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>>>>>> Programming"
>>>>>>>> http://www.directoryprogramming.net
>>>>>>>> --
>>>>>>>> "rote" <(E-Mail Removed)> wrote in message
>>>>>>>> news:uM%(E-Mail Removed)...
>>>>>>>>>I want users to be able to type a user name in a textox and when
>>>>>>>>>they hit submit displays
>>>>>>>>> groups the user belongs to from the Acive Directory.
>>>>>>>>> the getGroupforUser uses the WindowsIdentity and i have a button
>>>>>>>>> even below.
>>>>>>>>> In the button event below i just want to send the username typed
>>>>>>>>> in in the textbox but when i test the page i get error :-
>>>>>>>>>
>>>>>>>>> "System.Security.SecurityException: The Kerberos subsystem
>>>>>>>>> encountered an error. A service for user protocol request was
>>>>>>>>> made
>>>>>>>>> against a domain controller which does not support service for
>>>>>>>>> user."
>>>>>>>>>
>>>>>>>>> Any ideas??
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> List<string> getGroupsforUser(WindowsIdentity id)
>>>>>>>>> {
>>>>>>>>> List<string> groups = new List<string>();
>>>>>>>>> IdentityReferenceCollection irc = id.Groups;
>>>>>>>>>
>>>>>>>>> foreach (IdentityReference ir in irc)
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>
>>>>>>>>> NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
>>>>>>>>>
>>>>>>>>> groups.Add(acc.Value);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>> return groups;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> -----------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> protected void LookupADBtn_Click(object sender, EventArgs e)
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>
>>>>>>>>> string username = aduser.Text;
>>>>>>>>>
>>>>>>>>> Response.Write("You are logged in as " + username + " your GROUPS
>>>>>>>>> are: ");
>>>>>>>>>
>>>>>>>>> //WindowsIdentity id =
>>>>>>>>> (WindowsIdentity)HttpContext.Current.User.Identity ;
>>>>>>>>>
>>>>>>>>> WindowsIdentity id = new WindowsIdentity(username);
>>>>>>>>>
>>>>>>>>> foreach (string roles in getGroupsforUser(id))
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Label1.Text += "<br>" + roles.ToString();
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>

>>
>>

>
>



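The octet-string escaping Joe describes and the broken versus working BuildFilterOctetString above, as an added example that is not code from the thread or from Joe Kaplan's book: the same logic in Python, plus a SID decoder so the two tokenGroups values rote printed can be checked offline. The sample bytes are the ones visible in the thread; the function names are my own.

```python
"""LDAP filter escaping for binary SIDs taken from a user's tokenGroups.

Added example (not code from the thread): re-implements the thread's
BuildFilterOctetString logic and decodes each SID so the filter can be
checked without a domain controller.
"""
import struct
from typing import Iterable

# Constructed sample input: the two tokenGroups values rote printed in the thread.
SAMPLE_TOKEN_GROUPS = [
    bytes.fromhex("01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00"),
    bytes.fromhex("01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00"),
]


def build_filter_octet_string(sid: bytes) -> str:
    """Escape every byte as \\XX (RFC 4515), the form Joe asked for; the
    server then compares the raw bytes against the binary objectSid."""
    return "".join(f"\\{b:02X}" for b in sid)


def broken_filter_octet_string(sid: bytes) -> str:
    """rote's first attempt: '0x01 0x02 ...' is compared as literal text
    against a binary attribute, so no group ever matches."""
    return "".join(f"0x{b:02X} " for b in sid)


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID to S-R-A-S1-S2..., rejecting truncated or
    malformed values instead of silently misreading them."""
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", sid[8:])      # 32-bit, little-endian
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def build_token_groups_filter(sids: Iterable[bytes]) -> str:
    """OR together one (objectSid=...) clause per tokenGroups value, as the
    thread's theGurusCode does; an empty list would give the invalid '(|)'."""
    clauses = [f"(objectSid={build_filter_octet_string(s)})" for s in sids]
    if not clauses:
        raise ValueError("no SIDs to search for")
    return "(|" + "".join(clauses) + ")"


if __name__ == "__main__":
    # S-1-5-32-545 and S-1-5-32-544 are the well-known BUILTIN Users / Administrators SIDs.
    for s in SAMPLE_TOKEN_GROUPS:
        print(sid_to_string(s), build_filter_octet_string(s))
    print(build_token_groups_filter(SAMPLE_TOKEN_GROUPS))
```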