Patrick, the protocol transition code would look something like this:
WindowsIdentity wi = new WindowsIdentity("(e-mail address removed)");
IdentityReferenceCollection groups = wi.Groups;
The userPrincipalName is the user's logon name. You would prompt them
for that. If they supply the name in a different format, you would have
to translate it to the UPN.
For the tokenGroups sample, the key is to get a DirectoryEntry object
that is bound to the user. You might do this by prompting for the user
name and then using a DirectorySearcher to find the user object in AD.
Then, use that result to build the DirectoryEntry. Reading more in ch
10 may be of assistance here.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
Thanks Joe for th reply.
What i have done from what Dominick adviced from
http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
was to use
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity
and then passed it to the grtGroups(id)
But with that i'm not passing the Logon user. i want to pass in
grtGroups(logon_user).So that a user can come in and then inputs a
username
and then retrieve their AD GROUPS.
But i don't really get what you wrote about using the
"userPrincipalName as the only parameter"
Also i looked at using the tokenGroups method listed below what would
i have to do to pass logon_user
Thanks in Advance
StringBuilder sb = new StringBuilder();
//we are building an '|' clause
sb.Append("(|");
foreach (byte[] sid in user.Properties["tokenGroups"])
{
//append each member into the filter
sb.AppendFormat(
"(objectSid={0})", BuildFilterOctetString(sid));
}
//end our initial filter
sb.Append(")");
DirectoryEntry searchRoot = new DirectoryEntry(
"LDAP://DC=domain,DC=com",
null,
null,
AuthenticationTypes.Secure
);
using (searchRoot)
{
//we now have our filter, we can just search for the groups
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
sb.ToString() //our filter
);
using (SearchResultCollection src = ds.FindAll())
{
foreach (SearchResult sr in src)
{
//Here is each group now...
Console.WriteLine(
sr.Properties["samAccountName"][0]);
}
}
}
message There are two options for this that I would consider using:
If your AD is 2003 native mode and the machine that your app is
running on is 2003 or higher, you can use protocol transition to
generate a WindowsIdentity for a user and get their groups. Use the
constructor on WindowsIdentity that takes the userPrincipalName as the
only parameter. It just works.
Alternately, you can use LDAP to look up the users groups. I
recommend the tokenGroups technique discussed at the end of ch 10 of
my book, which you can download from the site in my signature.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
Thanks for the response.
But whan i want to do is to have a textbox and when i input a AD
username and click search
i would like to retrieve the groups they belong to.
But what you pointed me to uses the "WindowsIdentity" can iuse the
User.Identity.Name?
Thanks in Advance..
Also is it also possible to do the vice versa..i.e input the AD
GROUPS and then recieve the users?
PAtrick
in message Just use plain WindowsAuthentication - you can get all groups from
the WindowsIdentity that hangs off Context.User...
http://www.leastprivilege.com/GettingAllGroupsForAWindowsAccountInNET20.aspx
-----
Dominick Baier (
http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(
http://www.microsoft.com/mspress/books/9989.asp)
I used the WindowsTokenRoleProvider and i was able to input my
username and
i retrieved all the GROUPS i belong to on my PC.
I'm thinking of doing the same but against Active Directory.
How can i do the same against AD?
Will i have to use "AuthorizationStoreRoleProvider" and install
Azman?
Or
iare they any other ways?
I have used ActiveDirectoryMembershipProvider before with my
treeview
for
securitytimming can i use that?
Thanks in Advance