Getting GROUPS from Active Directory by inputting an AD username

Patrick.O.Ige

I used the WindowsTokenRoleProvider and I was able to input my username and
I retrieved all the GROUPS I belong to on my PC.
I'm thinking of doing the same but against Active Directory.
How can I do the same against AD?
Will I have to use "AuthorizationStoreRoleProvider" and install AzMan? Or
are there any other ways?
I have used ActiveDirectoryMembershipProvider before with my treeview for
security trimming; can I use that?
Thanks in advance
 
Craig Wagner

I've been working on this very thing. You might want to read the thread titled
"WindowsTokenRoleProvider & Domain Groups" in this group.

In short, if you can't use Windows Authentication for some reason, download
the free chapter of Joe Kaplan's book available at
http://directoryprogramming.net/default.aspx and follow the instructions near
the end of the chapter.
 
Patrick.O.Ige

Thanks for the response.
But what I want to do is to have a textbox, and when I input an AD username
and click search
I would like to retrieve the groups they belong to.
But what you pointed me to uses the "WindowsIdentity"; can I use the
User.Identity.Name?
Thanks in advance..
Also, is it possible to do the vice versa, i.e. input the AD GROUPS and
then receive the users?
Patrick
 
Joe Kaplan

There are two options for this that I would consider using:

If your AD is 2003 native mode and the machine that your app is running on
is 2003 or higher, you can use protocol transition to generate a
WindowsIdentity for a user and get their groups. Use the constructor on
WindowsIdentity that takes the userPrincipalName as the only parameter. It
just works. :)

Alternately, you can use LDAP to look up the user's groups. I recommend the
tokenGroups technique discussed at the end of ch 10 of my book, which you
can download from the site in my signature.

Joe K.
 
Patrick.O.Ige

Thanks Joe for the reply.
What I have done, from what Dominick advised at
http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
was to use
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity
and then passed it to grtGroups(id).
But with that I'm not passing the logon user. I want to pass in
grtGroups(logon_user), so that a user can come in, input a username
and then retrieve their AD GROUPS.
But I don't really get what you wrote about using the "userPrincipalName as
the only parameter".
Also I looked at using the tokenGroups method listed below; what would I
have to do to pass logon_user?
Thanks in advance

using System;
using System.DirectoryServices;
using System.Text;

class TokenGroupsSample
{
    // Converts a binary SID into the "\xx\xx..." escaped form an LDAP filter expects.
    static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();
        foreach (byte b in bytes)
            sb.AppendFormat("\\{0:x2}", b);
        return sb.ToString();
    }

    // 'user' must already be a DirectoryEntry bound to the user's object in AD.
    static void PrintGroups(DirectoryEntry user)
    {
        // tokenGroups is a constructed attribute; load it explicitly before reading it.
        user.RefreshCache(new string[] { "tokenGroups" });

        StringBuilder sb = new StringBuilder();

        //we are building an '|' clause
        sb.Append("(|");

        foreach (byte[] sid in user.Properties["tokenGroups"])
        {
            //append each member into the filter
            sb.AppendFormat(
                "(objectSid={0})", BuildFilterOctetString(sid));
        }

        //end our initial filter
        sb.Append(")");

        DirectoryEntry searchRoot = new DirectoryEntry(
            "LDAP://DC=domain,DC=com",
            null,
            null,
            AuthenticationTypes.Secure
            );

        using (searchRoot)
        {
            //we now have our filter, we can just search for the groups
            using (DirectorySearcher ds = new DirectorySearcher(
                searchRoot,
                sb.ToString() //our filter
                ))
            using (SearchResultCollection src = ds.FindAll())
            {
                foreach (SearchResult sr in src)
                {
                    //Here is each group now...
                    Console.WriteLine(
                        sr.Properties["samAccountName"][0]);
                }
            }
        }
    }
}
 
Patrick.O.Ige

Thanks, and I'm actually looking at it.
Yes, I can use Windows Auth.
Have you actually been able to pass on the logon user to retrieve the AD GROUPS
a user belongs to?
If you have any info please let me know.
Patrick
 
Joe Kaplan

Patrick, the protocol transition code would look something like this:

WindowsIdentity wi = new WindowsIdentity("(e-mail address removed)");
IdentityReferenceCollection groups = wi.Groups;

The userPrincipalName is the user's logon name. You would prompt them for
that. If they supply the name in a different format, you would have to
translate it to the UPN.

For the tokenGroups sample, the key is to get a DirectoryEntry object that
is bound to the user. You might do this by prompting for the user name and
then using a DirectorySearcher to find the user object in AD. Then, use
that result to build the DirectoryEntry. Reading more in ch 10 may be of
assistance here.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
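The tokenGroups route Joe outlines, carried through end to end as an added example (my code, not from the thread and not from Joe Kaplan's book): take the name typed into the textbox, find the user object with a DirectorySearcher, load tokenGroups on the bound DirectoryEntry, and resolve the SIDs to group names. The search root "LDAP://DC=domain,DC=com" is the placeholder from the posted sample; the class and method names are mine, and "jdoe" is a made-up logon name. It assumes the app runs as a domain account that is permitted to read the user's tokenGroups. The one point the posted sample does not have to deal with, but a web page does, is that the name comes from user input: it is escaped before it is placed in the LDAP filter, otherwise a value such as *)(objectClass=* rewrites the query.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class AdGroupLookup
{
    // Escape user-supplied text for use inside an LDAP filter (RFC 4515), so the
    // value typed into the textbox cannot change the structure of the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Render a binary SID as the "\xx\xx..." octet string an LDAP filter expects.
    public static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
            sb.AppendFormat("\\{0:x2}", b);
        return sb.ToString();
    }

    // Locate the user by sAMAccountName or userPrincipalName (hypothetical helper).
    // Returns null when no user matches.
    public static DirectoryEntry FindUser(DirectoryEntry searchRoot, string logonName)
    {
        string safe = EscapeFilterValue(logonName);
        string filter = "(&(objectCategory=person)(objectClass=user)" +
                        "(|(sAMAccountName=" + safe + ")(userPrincipalName=" + safe + ")))";
        using (DirectorySearcher ds = new DirectorySearcher(
            searchRoot, filter, new string[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult sr = ds.FindOne();
            return sr == null ? null : sr.GetDirectoryEntry();
        }
    }

    // Resolve every group in the user's token (nested groups and the primary
    // group included) to its sAMAccountName via the tokenGroups attribute.
    public static List<string> GetGroups(DirectoryEntry searchRoot, DirectoryEntry user)
    {
        // tokenGroups is constructed on the DC and never returned by a search;
        // it must be loaded explicitly on the bound object.
        user.RefreshCache(new string[] { "tokenGroups" });

        StringBuilder filter = new StringBuilder("(|");
        foreach (byte[] sid in user.Properties["tokenGroups"])
            filter.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
        filter.Append(")");

        List<string> groups = new List<string>();
        using (DirectorySearcher ds = new DirectorySearcher(
            searchRoot, filter.ToString(), new string[] { "sAMAccountName" }, SearchScope.Subtree))
        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
                groups.Add((string)sr.Properties["sAMAccountName"][0]);
        }
        return groups;
    }

    public static void Main(string[] args)
    {
        // The logon name the textbox would supply; "jdoe" is a made-up value.
        string logonName = args.Length > 0 ? args[0] : "jdoe";

        // Null credentials: the bind runs as the process (or impersonated) identity.
        using (DirectoryEntry root = new DirectoryEntry(
            "LDAP://DC=domain,DC=com", null, null, AuthenticationTypes.Secure))
        using (DirectoryEntry user = FindUser(root, logonName))
        {
            if (user == null)
            {
                Console.WriteLine("No user named '{0}' was found.", logonName);
                return;
            }
            foreach (string group in GetGroups(root, user))
                Console.WriteLine(group);
        }
    }
}
```

Two caveats worth knowing before relying on the output. SIDs in tokenGroups that do not belong to an object under the search root (groups from another domain, for instance) simply produce no match and are dropped silently, so the list can be shorter than the token. And for the reverse direction Patrick asks about, reading a group's member attribute gives direct members only: nested members and users whose primaryGroupID points at the group are not listed, and groups with more than about 1500 members need range retrieval to read the whole attribute.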
 
Patrick.O.Ige

Yeah Joe..
I tried your idea but I'm getting an SSPI status code error:
SEC_E_NO_S4U_PROT_SUPPORT
"The Kerberos subsystem encountered an error. A service for user protocol
request was made against a domain controller which does not support service
for a user."
My only guess for now is that our domain is still on Windows 2000.
Could that be the reason, and do you have any idea what might be wrong?
Thanks in advance
Patrick.


Joe Kaplan said:
Patrick, the protocol transition code would look something like this:

WindowsIdentity wi = new WindowsIdentity("(e-mail address removed)");
IdentityReferenceCollection groups = wi.Groups;

The userPrincipalName is the user's logon name. You would prompt them for
that. If they supply the name in a different format, you would have to
translate it to the UPN.

For the tokenGroups sample, the key is to get a DirectoryEntry object that
is bound to the user. You might do this by prompting for the user name
and then using a DirectorySearcher to find the user object in AD. Then,
use that result to build the DirectoryEntry. Reading more in ch 10 may be
of assistance here.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
Patrick.O.Ige said:
Thanks Joe for th reply.
What i have done from what Dominick adviced from
http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
was to use
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity
and then passed it to the grtGroups(id)
But with that i'm not passing the Logon user. i want to pass in
grtGroups(logon_user).So that a user can come in and then inputs a
username
and then retrieve their AD GROUPS.
But i don't really get what you wrote about using the "userPrincipalName
as the only parameter"
Also i looked at using the tokenGroups method listed below what would i
have to do to pass logon_user
Thanks in Advance

StringBuilder sb = new StringBuilder();

//we are building an '|' clause
sb.Append("(|");

foreach (byte[] sid in user.Properties["tokenGroups"])
{
//append each member into the filter
sb.AppendFormat(
"(objectSid={0})", BuildFilterOctetString(sid));
}

//end our initial filter
sb.Append(")");

DirectoryEntry searchRoot = new DirectoryEntry(
"LDAP://DC=domain,DC=com",
null,
null,
AuthenticationTypes.Secure
);

using (searchRoot)
{
//we now have our filter, we can just search for the groups
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
sb.ToString() //our filter
);

using (SearchResultCollection src = ds.FindAll())
{
foreach (SearchResult sr in src)
{
//Here is each group now...
Console.WriteLine(
sr.Properties["samAccountName"][0]);
}
}
}






Joe Kaplan said:
There are two options for this that I would consider using:

If your AD is 2003 native mode and the machine that your app is running
on is 2003 or higher, you can use protocol transition to generate a
WindowsIdentity for a user and get their groups. Use the constructor on
WindowsIdentity that takes the userPrincipalName as the only parameter.
It just works. :)

Alternately, you can use LDAP to look up the users groups. I recommend
the tokenGroups technique discussed at the end of ch 10 of my book,
which you can download from the site in my signature.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
Thanks for the response.
But whan i want to do is to have a textbox and when i input a AD
username and click search
i would like to retrieve the groups they belong to.
But what you pointed me to uses the "WindowsIdentity" can iuse the
User.Identity.Name?
Thanks in Advance..
Also is it also possible to do the vice versa..i.e input the AD GROUPS
and then recieve the users?
PAtrick

Dominick Baier said:
Just use plain Windows Authentication - you can get all groups from the
WindowsIdentity that hangs off Context.User...

http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

 
Joe Kaplan

That sounds like the reason. Ask your admins or use ldp.exe to do a rootDSE
query to see what the domain and forest functional levels are.

It sounds like you'll need to do an LDAP query, so better check out that
tokenGroups code. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
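The check Joe suggests, done in code rather than by hand in ldp.exe, as an added example (mine, not from the thread): read the RootDSE functional-level attributes and decide which of the two approaches is available. It assumes the machine is domain-joined so the serverless LDAP://RootDSE bind finds a domain controller. The values are the documented RootDSE encodings (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, higher for later releases); a Windows 2000 domain controller does not publish these attributes at all, which the code treats as "unsupported". Joe's other condition, that the app server itself runs Windows Server 2003 or later, is not something RootDSE can tell you.

```csharp
using System;
using System.DirectoryServices;

public static class FunctionalLevelCheck
{
    // Reads one of the RootDSE "*Functionality" attributes. Returns -1 when the
    // attribute is absent, which is what a Windows 2000 domain controller reports
    // (the attributes were introduced with Windows Server 2003).
    public static int ReadLevel(DirectoryEntry rootDse, string attribute)
    {
        if (!rootDse.Properties.Contains(attribute) || rootDse.Properties[attribute].Count == 0)
            return -1;
        return Convert.ToInt32(rootDse.Properties[attribute][0]);
    }

    // Protocol transition (S4U2Self, what new WindowsIdentity(upn) relies on)
    // needs the Windows Server 2003 domain functional level, encoded as 2.
    public static bool SupportsProtocolTransition(int domainLevel)
    {
        return domainLevel >= 2;
    }

    public static string Describe(int level)
    {
        switch (level)
        {
            case -1: return "not published (Windows 2000 domain controller)";
            case 0:  return "Windows 2000";
            case 1:  return "Windows Server 2003 interim";
            case 2:  return "Windows Server 2003";
            default: return "Windows Server 2008 or later (" + level + ")";
        }
    }

    public static void Main()
    {
        // Serverless bind to RootDSE: the locator picks a DC in the machine's domain.
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            int domain = ReadLevel(rootDse, "domainFunctionality");
            int forest = ReadLevel(rootDse, "forestFunctionality");
            int dc     = ReadLevel(rootDse, "domainControllerFunctionality");

            Console.WriteLine("Domain functional level: " + Describe(domain));
            Console.WriteLine("Forest functional level: " + Describe(forest));
            Console.WriteLine("This DC's level:         " + Describe(dc));

            Console.WriteLine(SupportsProtocolTransition(domain)
                ? "Protocol transition should work; new WindowsIdentity(upn) is an option."
                : "Protocol transition unsupported (SEC_E_NO_S4U_PROT_SUPPORT); use the tokenGroups LDAP lookup instead.");
        }
    }
}
```

The domain level is the one that matters for the WindowsIdentity(upn) constructor; the forest level is printed only because ldp.exe shows both and admins usually quote both.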
 
Patrick.O.Ige

Thanks Joe.
I will see to that. If I remember, I know you like watching sport a lot.
Was it baseball? .. can't remember
Patrick

 
