Getting GROUPS from Active Directory by inputting an AD username

Discussion in 'ASP .Net Security' started by Patrick.O.Ige, Feb 22, 2007.

  1. I used the WindowsTokenRoleProvider and I was able to input my username and
    I retrieved all the GROUPS I belong to on my PC.
    I'm thinking of doing the same but against Active Directory.
    How can I do the same against AD?
    Will I have to use "AuthorizationStoreRoleProvider" and install AzMan? Or
    are there any other ways?
    I have used ActiveDirectoryMembershipProvider before with my treeview for
    security trimming; can I use that?
    Thanks in advance
     
    Patrick.O.Ige, Feb 22, 2007
    #1

  2. Just use plain WindowsAuthentication - you can get all groups from the WindowsIdentity
    that hangs off Context.User...

    http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Feb 22, 2007
    #2

  3. Craig Wagner (Guest)

    I've been working on this very thing. You might want to read the thread titled
    "WindowsTokenRoleProvider & Domain Groups" in this group.

    In short, if you can't use Windows Authentication for some reason, download
    the free chapter of Joe Kaplan's book available at
    http://directoryprogramming.net/default.aspx and follow the instructions near
    the end of the chapter.
     
    Craig Wagner, Feb 22, 2007
    #3
  4. Thanks for the response.
    But what I want to do is to have a textbox and when I input an AD username
    and click search
    I would like to retrieve the groups they belong to.
    But what you pointed me to uses the "WindowsIdentity"; can I use the
    User.Identity.Name?
    Thanks in advance.
    Also, is it also possible to do the vice versa, i.e. input the AD GROUPS and
    then receive the users?
    Patrick

     
    Patrick.O.Ige, Feb 23, 2007
    #4
  5. Joe Kaplan (Guest)

    There are two options for this that I would consider using:

    If your AD is 2003 native mode and the machine that your app is running on
    is 2003 or higher, you can use protocol transition to generate a
    WindowsIdentity for a user and get their groups. Use the constructor on
    WindowsIdentity that takes the userPrincipalName as the only parameter. It
    just works. :)

    Alternately, you can use LDAP to look up the user's groups. I recommend the
    tokenGroups technique discussed at the end of ch 10 of my book, which you
    can download from the site in my signature.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Feb 23, 2007
    #5
  6. Thanks Joe for the reply.
    What I have done, from what Dominick advised at
    http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx,
    was to use
    WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity
    and then passed it to grtGroups(id).
    But with that I'm not passing the logon user. I want to pass in
    grtGroups(logon_user), so that a user can come in and then input a username
    and then retrieve their AD GROUPS.
    But I don't really get what you wrote about using the "userPrincipalName as
    the only parameter".
    Also I looked at using the tokenGroups method listed below; what would I
    have to do to pass logon_user?
    Thanks in advance

    // Assumed context (not in the original post): using System; using System.Text;
    // using System.DirectoryServices; and 'user' is a DirectoryEntry already bound to
    // the user object after user.RefreshCache(new string[] { "tokenGroups" }), because
    // tokenGroups is a constructed attribute that the DC only returns on request.
    StringBuilder sb = new StringBuilder();

    //we are building an '|' clause
    sb.Append("(|");

    foreach (byte[] sid in user.Properties["tokenGroups"])
    {
        //append each member into the filter
        sb.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
    }

    //end our initial filter
    sb.Append(")");

    DirectoryEntry searchRoot = new DirectoryEntry(
        "LDAP://DC=domain,DC=com",
        null,
        null,
        AuthenticationTypes.Secure
        );

    using (searchRoot)
    {
        //we now have our filter, we can just search for the groups
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            sb.ToString() //our filter
            );

        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
            {
                //Here is each group now...
                Console.WriteLine(sr.Properties["samAccountName"][0]);
            }
        }
    }

    // Helper referenced above but not included in the post (added here): each SID
    // byte becomes \xx so the binary value is a valid LDAP filter value.
    static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder hex = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
        {
            hex.AppendFormat("\\{0:x2}", b);
        }
        return hex.ToString();
    }

     
    Patrick.O.Ige, Feb 23, 2007
    #6
  7. Thanks, and I'm actually looking at it.
    Yes, I can use Windows Auth.
    Have you actually been able to pass on the logon user to retrieve the AD GROUPS
    the user belongs to?
    If you have any info please let me know.
    Patrick

     
    Patrick.O.Ige, Feb 23, 2007
    #7
  8. Joe Kaplan (Guest)

    Patrick, the protocol transition code would look something like this:

    WindowsIdentity wi = new WindowsIdentity("");
    IdentityReferenceCollection groups = wi.Groups;

    The userPrincipalName is the user's logon name. You would prompt them for
    that. If they supply the name in a different format, you would have to
    translate it to the UPN.

    For the tokenGroups sample, the key is to get a DirectoryEntry object that
    is bound to the user. You might do this by prompting for the user name and
    then using a DirectorySearcher to find the user object in AD. Then, use
    that result to build the DirectoryEntry. Reading more in ch 10 may be of
    assistance here.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Feb 23, 2007
    #8
  9. Yeah Joe..
    I tried your idea but I'm getting an SSPI status code error:
    SEC_E_NO_S4U_PROT_SUPPORT
    "The Kerberos subsystem encountered an error. A service for user protocol
    request was made against a domain controller which does not support service
    for a user."
    My only guess for now is that our domain is still on WINDOWS 2000.
    Could that be the reason, and do you have any idea what might be wrong?
    Thanks in advance
    Patrick.


     
    Patrick.O.Ige, Feb 26, 2007
    #9
  10. Joe Kaplan (Guest)

    That sounds like the reason. Ask your admins or use ldp.exe to do a rootDSE
    query to see what the domain and forest functional levels are.

    It sounds like you'll need to do an LDAP query, so better check out that
    tokenGroups code. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Feb 26, 2007
    #10
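Putting Joe's two options together, as an added example that is not code from the thread or from his book: the rootDSE functional-level check from #10 decides whether the single-argument WindowsIdentity constructor (S4U protocol transition) can work at all, and the tokenGroups path from #8 turns the name typed into the textbox into a bound DirectoryEntry before reading its groups. The class name AdGroupLookup, the helper names and the search-root path are assumptions; the name from the textbox is untrusted input and is escaped before it goes into the LDAP filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example; not code from the thread or from Joe Kaplan's book. Assumes a
// domain-joined host whose process account may read the directory (placeholder
// search root: "LDAP://DC=domain,DC=com").
public static class AdGroupLookup
{
    // Post #10: a Windows Server 2003+ DC publishes the functional levels on rootDSE
    // (domainFunctionality 2 = Windows Server 2003). A Windows 2000 DC does not publish
    // the attribute at all, which is the SEC_E_NO_S4U_PROT_SUPPORT case in the thread.
    public static bool DomainSupportsProtocolTransition()
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            object level = rootDse.Properties["domainFunctionality"].Value;
            return level != null && Convert.ToInt32(level) >= 2;
        }
    }

    // Option 1: protocol transition via the single-argument WindowsIdentity constructor.
    // The argument must be a UPN (user@domain.com); translate DOMAIN\user first.
    public static List<string> GroupsViaProtocolTransition(string userPrincipalName)
    {
        List<string> names = new List<string>();
        WindowsIdentity wi = new WindowsIdentity(userPrincipalName);
        foreach (IdentityReference group in wi.Groups)
        {
            try { names.Add(group.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(group.Value); } // keep the raw SID
        }
        return names;
    }

    // Option 2: LDAP. The textbox value is untrusted, so the RFC 4515 special characters
    // are escaped; otherwise a name containing * ( ) or \ can change what the filter matches.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Binary attribute values such as objectSid go into a filter as \xx per byte.
    public static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.AppendFormat("\\{0:x2}", b);
        return sb.ToString();
    }

    public static List<string> GroupsViaTokenGroups(string samAccountName, string searchRootPath)
    {
        List<string> names = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(searchRootPath, null, null, AuthenticationTypes.Secure))
        {
            // Post #8, step 1: find the user object from the typed name, then bind to it.
            string userFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                + EscapeFilterValue(samAccountName) + "))";
            SearchResult found;
            using (DirectorySearcher finder = new DirectorySearcher(root, userFilter, new string[] { "distinguishedName" }))
            {
                found = finder.FindOne();
            }
            if (found == null) return names; // unknown name: empty list, no exception text to show the caller
            using (DirectoryEntry user = found.GetDirectoryEntry())
            {
                // tokenGroups is constructed by the DC and only returned when requested explicitly.
                user.RefreshCache(new string[] { "tokenGroups" });
                PropertyValueCollection sids = user.Properties["tokenGroups"];
                if (sids.Count == 0) return names; // avoids building the invalid filter "(|)"
                StringBuilder filter = new StringBuilder("(|");
                foreach (byte[] sid in sids)
                    filter.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
                filter.Append(")");
                // Step 2: resolve every SID to its group object in one search.
                using (DirectorySearcher groups = new DirectorySearcher(root, filter.ToString(), new string[] { "sAMAccountName" }))
                using (SearchResultCollection results = groups.FindAll())
                {
                    foreach (SearchResult sr in results)
                        names.Add((string)sr.Properties["sAMAccountName"][0]);
                }
            }
        }
        return names;
    }
}
```

With null credentials the DirectoryEntry binds as the process identity, which under ASP.NET is the worker-process account, so that account (not the browsing user) needs read access to the user and group objects.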
  11. Thanks Joe.
    I will see to that. If I remember, I know you like watching sport a lot.
    Was it baseball? Can't remember.
    Patrick

    "Joe Kaplan" <> wrote in message
    news:...
    > That sounds like the reason. Ask your admins or use ldp.exe to do a
    > rootDSE query to see what the domain and forest functional levels are.
    >
    > It sounds like you'll need to do an LDAP query, so better check out that
    > tokenGroups code. :)
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
    > "Patrick.O.Ige" <> wrote in message
    > news:...
    >> Yeah Joe..
    >> I tried you idea but 'm getting error SSPI status code error:
    >> SEC_E_NO_S4U_PROT_SUPPORT
    >> "The Kerberos subsystem encountered an error. A service for user protocol
    >> request was made against a domain controller which does not support
    >> service for a user."
    >> My only guess for now is that our domain is still on WINDOWS 2000.
    >> Could that be the reason and do you have any idea what might be wrong?
    >> Thanks in Advance
    >> Patrick.
    >>
    >>
    >> "Joe Kaplan" <> wrote in message
    >> news:...
    >>> Patrick, the protocol transition code would look something like this:
    >>>
    >>> WindowsIdentity wi = new WindowsIdentity("");
    >>> IdentityReferenceCollection groups = wi.Groups;
    >>>
    >>> The userPrincipalName is the user's logon name. You would prompt them
    >>> for that. If they supply the name in a different format, you would have
    >>> to translate it to the UPN.
    >>>
    >>> For the tokenGroups sample, the key is to get a DirectoryEntry object
    >>> that is bound to the user. You might do this by prompting for the user
    >>> name and then using a DirectorySearcher to find the user object in AD.
    >>> Then, use that result to build the DirectoryEntry. Reading more in ch
    >>> 10 may be of assistance here.
    >>>
    >>> Joe K.
    >>>
    >>> --
    >>> Joe Kaplan-MS MVP Directory Services Programming
    >>> Co-author of "The .NET Developer's Guide to Directory Services
    >>> Programming"
    >>> http://www.directoryprogramming.net
    >>> --
    >>> "Patrick.O.Ige" <> wrote in message
    >>> news:...
    >>>> Thanks Joe for the reply.
    >>>> What I have done, from what Dominick advised at
    >>>> http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
    >>>> was to use
    >>>> WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity
    >>>> and then pass it to grtGroups(id).
    >>>> But with that I'm not passing the logon user. I want to pass in
    >>>> grtGroups(logon_user), so that a user can come in, input a
    >>>> username
    >>>> and then retrieve their AD GROUPS.
    >>>> But I don't really get what you wrote about using the
    >>>> "userPrincipalName as the only parameter".
    >>>> Also I looked at using the tokenGroups method listed below; what would
    >>>> I have to do to pass logon_user?
    >>>> Thanks in Advance
    >>>>
    >>>> // Assumes 'user' is a DirectoryEntry already bound to the user's AD
    >>>> // object (e.g. taken from a DirectorySearcher result), and that
    >>>> // System, System.Text and System.DirectoryServices are imported.
    >>>>
    >>>> // tokenGroups is a constructed attribute: it is not in the property
    >>>> // cache until it is requested explicitly.
    >>>> user.RefreshCache(new string[] { "tokenGroups" });
    >>>>
    >>>> StringBuilder sb = new StringBuilder();
    >>>>
    >>>> //we are building an '|' clause
    >>>> sb.Append("(|");
    >>>>
    >>>> foreach (byte[] sid in user.Properties["tokenGroups"])
    >>>> {
    >>>>     //append each member into the filter
    >>>>     sb.AppendFormat(
    >>>>         "(objectSid={0})", BuildFilterOctetString(sid));
    >>>> }
    >>>>
    >>>> //end our initial filter
    >>>> sb.Append(")");
    >>>>
    >>>> DirectoryEntry searchRoot = new DirectoryEntry(
    >>>>     "LDAP://DC=domain,DC=com",
    >>>>     null,
    >>>>     null,
    >>>>     AuthenticationTypes.Secure
    >>>>     );
    >>>>
    >>>> using (searchRoot)
    >>>> {
    >>>>     //we now have our filter, we can just search for the groups
    >>>>     DirectorySearcher ds = new DirectorySearcher(
    >>>>         searchRoot,
    >>>>         sb.ToString() //our filter
    >>>>         );
    >>>>
    >>>>     using (SearchResultCollection src = ds.FindAll())
    >>>>     {
    >>>>         foreach (SearchResult sr in src)
    >>>>         {
    >>>>             //Here is each group now...
    >>>>             Console.WriteLine(
    >>>>                 sr.Properties["samAccountName"][0]);
    >>>>         }
    >>>>     }
    >>>> }
    >>>>
    >>>> // Helper not shown in the snippet above: formats a binary SID as an
    >>>> // LDAP filter octet string, e.g. "\01\05\00..." (equivalent formatting).
    >>>> static string BuildFilterOctetString(byte[] bytes)
    >>>> {
    >>>>     return "\\" + BitConverter.ToString(bytes).Replace("-", "\\");
    >>>> }
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>> "Joe Kaplan" <> wrote in
    >>>> message news:...
    >>>>> There are two options for this that I would consider using:
    >>>>>
    >>>>> If your AD is 2003 native mode and the machine that your app is
    >>>>> running on is 2003 or higher, you can use protocol transition to
    >>>>> generate a WindowsIdentity for a user and get their groups. Use the
    >>>>> constructor on WindowsIdentity that takes the userPrincipalName as the
    >>>>> only parameter. It just works. :)
    >>>>>
    >>>>> Alternately, you can use LDAP to look up the users groups. I
    >>>>> recommend the tokenGroups technique discussed at the end of ch 10 of
    >>>>> my book, which you can download from the site in my signature.
    >>>>>
    >>>>> Joe K.
    >>>>>
    >>>>> --
    >>>>> Joe Kaplan-MS MVP Directory Services Programming
    >>>>> Co-author of "The .NET Developer's Guide to Directory Services
    >>>>> Programming"
    >>>>> http://www.directoryprogramming.net
    >>>>> --
    >>>>> "Patrick.O.Ige" <> wrote in message
    >>>>> news:...
    >>>>>> Thanks for the response.
    >>>>>> But what I want to do is to have a textbox and when I input an AD
    >>>>>> username and click search
    >>>>>> I would like to retrieve the groups they belong to.
    >>>>>> But what you pointed me to uses the "WindowsIdentity"; can I use the
    >>>>>> User.Identity.Name?
    >>>>>> Thanks in Advance..
    >>>>>> Also is it also possible to do the vice versa, i.e. input the AD
    >>>>>> GROUPS and then receive the users?
    >>>>>> Patrick
    >>>>>>
    >>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote
    >>>>>> in message news:...
    >>>>>>> Just use plain WindowsAuthentication - you can get all groups from
    >>>>>>> the WindowsIdentity that hangs off Context.User...
    >>>>>>>
    >>>>>>> http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
    >>>>>>>
    >>>>>>> -----
    >>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>
    >>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>
    >>>>>>>> I used the WindowsTokenRoleProvider and I was able to input my
    >>>>>>>> username and
    >>>>>>>> I retrieved all the GROUPS I belong to on my PC.
    >>>>>>>> I'm thinking of doing the same but against Active Directory.
    >>>>>>>> How can I do the same against AD?
    >>>>>>>> Will I have to use "AuthorizationStoreRoleProvider" and install
    >>>>>>>> Azman?
    >>>>>>>> Or
    >>>>>>>> are there any other ways?
    >>>>>>>> I have used ActiveDirectoryMembershipProvider before with my
    >>>>>>>> treeview
    >>>>>>>> for
    >>>>>>>> security trimming; can I use that?
    >>>>>>>> Thanks in Advance
     
    Patrick.O.Ige, Feb 28, 2007
    #11
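Joe's suggested procedure (prompt for the logon name, find the user with a DirectorySearcher, bind a DirectoryEntry, read tokenGroups, resolve the SIDs) put together as one function. This is an added example, not code from the thread or from the book: the class `TokenGroupsLookup`, the helper `EscapeFilter` and the `domainRoot` parameter (a path such as the "LDAP://DC=domain,DC=com" in the quoted snippet) are my names, and the typed username is escaped before it is placed in the LDAP filter so it cannot alter the query.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
static class TokenGroupsLookup
{
    // Escape user-typed text per RFC 4515 before it goes into an LDAP filter,
    // so a crafted username cannot change the query. Backslash goes first.
    static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
    // Binary SID -> octet string form "\01\05\00..." for an objectSid filter.
    static string BuildFilterOctetString(byte[] sid)
    {
        return "\\" + BitConverter.ToString(sid).Replace("-", "\\");
    }
    // Returns the sAMAccountName of every group in the user's token. Nested
    // and domain-local groups are included because the DC computes tokenGroups.
    public static List<string> GetGroups(string domainRoot, string logonName)
    {
        List<string> names = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(domainRoot, null, null, AuthenticationTypes.Secure))
        {
            // 1. Find the user object from the name typed into the textbox.
            DirectorySearcher userSearch = new DirectorySearcher(root,
                "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(logonName) + "))");
            SearchResult hit = userSearch.FindOne();
            if (hit == null) return names;   // unknown user: no groups
            // 2. Bind to the user and load the constructed tokenGroups attribute.
            StringBuilder filter = new StringBuilder("(|");
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sid in user.Properties["tokenGroups"])
                    filter.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
            }
            filter.Append(")");
            // 3. Resolve all group SIDs to names in one search; dispose the
            //    collection, otherwise FindAll leaks unmanaged memory.
            DirectorySearcher groupSearch = new DirectorySearcher(root, filter.ToString());
            using (SearchResultCollection groups = groupSearch.FindAll())
                foreach (SearchResult g in groups)
                    names.Add((string)g.Properties["sAMAccountName"][0]);
        }
        return names;
    }
}
```

Because this reads tokenGroups over LDAP rather than using protocol transition, it does not depend on the domain supporting S4U, which is the SEC_E_NO_S4U_PROT_SUPPORT condition Patrick ran into.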
