searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A

Discussion in 'ASP .Net Security' started by rote, Dec 27, 2007.

  1. rote

    rote Guest

    I want users to be able to type a user name in a textbox and, when they hit
    submit, display the groups the user belongs to from Active Directory.
    The getGroupsforUser method uses WindowsIdentity, and I have a button event
    below.
    In the button event I just want to pass the username typed into the
    textbox, but when I test the page I get this error:

    "System.Security.SecurityException: The Kerberos subsystem encountered an
    error. A service for user protocol request was made
    against a domain controller which does not support service for user."

    Any ideas??


    using System;
    using System.Collections.Generic;
    using System.Security.Principal;
    using System.Web;

    // Translates each group SID in the identity's token into DOMAIN\Group form.
    List<string> getGroupsforUser(WindowsIdentity id)
    {
        List<string> groups = new List<string>();
        IdentityReferenceCollection irc = id.Groups;

        foreach (IdentityReference ir in irc)
        {
            NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
            groups.Add(acc.Value);
        }
        return groups;
    }

    -----------------------------------------------------------------------------------

    protected void LookupADBtn_Click(object sender, EventArgs e)
    {
        string username = aduser.Text;

        Response.Write("You are logged in as " + username + " your GROUPS are: ");

        // Identity of the caller as authenticated by IIS (no S4U involved):
        //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

        // Builds a token for an arbitrary user name via Kerberos S4U (protocol
        // transition); this is the call that raises the SecurityException quoted above.
        WindowsIdentity id = new WindowsIdentity(username);

        foreach (string role in getGroupsforUser(id))
        {
            Label1.Text += "<br>" + role;
        }
    }
     
    rote, Dec 27, 2007
    #1

  2. rote

    Joe Kaplan Guest

    The error is exactly what it says it is. The constructor you are using
    on the WindowsIdentity object uses Kerberos protocol transition (S4U or
    service for user) in order to generate the user's token. This function
    requires that the client is 2003 or higher and that the domain controller
    servicing the request is 2003 AD in 2003 forest functional level.
    Apparently, it is not. If you don't know for sure that your DCs are
    converted over, you can't safely use this feature.

    The code you have commented out would probably work fine, though, if your
    application was using Windows security in IIS (basic, digest or IWA). Why
    not just use that?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Dec 27, 2007
    #2

  3. rote

    rote Guest

    Thanks very much Joe for the prompt reply.
    The DC is still on W2k (Windows 2000 Server)... argh.
    Are you talking about this line below?
    WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
    It does work when I use that, but I want users to type in a username and hit
    the button to search other users.

    Can I use DirectoryServices for this scenario?
    Thanks in advance once again.


     
    rote, Dec 27, 2007
    #3
  4. rote

    Joe Kaplan Guest

    Yeah, you would need to do an LDAP lookup for the user's groups using
    tokenGroups to simulate what the protocol transition logon is doing. Or,
    get the admin to upgrade the DC. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Dec 27, 2007
    #4
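Joe's suggestion above, as an added example (this is not code from the thread or from his book): locate the account by sAMAccountName, read its constructed tokenGroups attribute over LDAP, and turn each SID into a DOMAIN\Group name with SecurityIdentifier.Translate, which goes through the LSA rather than S4U and so does not need a 2003 DC. The search-root path LDAP://DC=example,DC=com, the class and method names, and the assumption that the application identity is allowed to read tokenGroups are mine. The name typed into the textbox is escaped before it enters the filter, since a user-controlled value containing LDAP filter metacharacters would otherwise change the structure of the query.

```csharp
// Added example, not from the thread. Assumes the application identity can read
// tokenGroups and that "LDAP://DC=example,DC=com" is replaced by the real domain path.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class TokenGroupLookup
{
    // Escape a value that goes into an LDAP filter (RFC 4515), so text typed
    // into the textbox cannot alter the structure of the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns DOMAIN\Group for every SID in the user's tokenGroups.
    // tokenGroups is a constructed attribute: it is only populated when it is
    // requested explicitly through RefreshCache.
    public static List<string> GetGroupsForUser(string searchRootPath, string samAccountName)
    {
        List<string> groups = new List<string>();
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";

        using (DirectoryEntry root = new DirectoryEntry(searchRootPath, null, null, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(
                   root, filter, new string[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null)
                return groups;          // unknown user: empty list rather than an exception

            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try
                    {
                        // SID -> account name is an LSA lookup (LookupSids), which a
                        // Windows 2000 DC answers; no protocol transition is involved.
                        groups.Add(sid.Translate(typeof(NTAccount)).Value);
                    }
                    catch (IdentityNotMappedException)
                    {
                        groups.Add(sid.Value);   // keep the raw S-1-5-... text if it cannot be resolved
                    }
                }
            }
        }
        return groups;
    }
}
```

In the page's button handler this replaces the `new WindowsIdentity(username)` call with `TokenGroupLookup.GetGroupsForUser("LDAP://DC=example,DC=com", aduser.Text)`; the web application then never builds a token for the looked-up user, it only reads directory data, which is also the lower-privilege design.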
  5. rote

    rote Guest

    Joe, the admin won't update it because they are too damn lazy.
    I'm trying to use this code here as a guide, but it's returning null when
    passing a search result:
    http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx
    Any ideas?
    Do you have a sample snippet using tokenGroups somewhere on your site? I've been
    trying to find a guide there but with no success.
    Thanks in advance.

     
    rote, Jan 2, 2008
    #5
  6. rote

    Joe Kaplan Guest

    Ch 10 of our book has a few samples on tokenGroups. You can download the
    code samples from ch 10 and the whole chapter in pdf form from our website.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Jan 2, 2008
    #6
  7. rote

    rote Guest

    Joe, are you talking about this snippet of code below?
    Is it this one?
    On the line "foreach (byte[] sid in user.Properties["tokenGroups"])",
    what's the user? Is it the DirectoryEntry object?
    The code doesn't look complete or something.
    Thanks



    using System;
    using System.DirectoryServices;
    using System.Text;

    // "user" is assumed to be the DirectoryEntry of the account being looked up;
    // tokenGroups is a constructed attribute, so it has to be loaded first with
    // user.RefreshCache(new string[] { "tokenGroups" }).
    public void theGurusCode(DirectoryEntry user)
    {
        StringBuilder sb = new StringBuilder();

        //we are building an '|' clause
        sb.Append("(|");

        foreach (byte[] sid in user.Properties["tokenGroups"])
        {
            //append each member into the filter
            sb.AppendFormat(
                "(objectSid={0})", BuildFilterOctetString(sid));
        }

        //end our initial filter
        sb.Append(")");

        DirectoryEntry searchRoot = new DirectoryEntry(
            "LDAP://DC=domain,DC=com",
            null,
            null,
            AuthenticationTypes.Secure
            );

        using (searchRoot)
        {
            //we now have our filter, we can just search for the groups
            DirectorySearcher ds = new DirectorySearcher(
                searchRoot,
                sb.ToString() //our filter
                );

            using (SearchResultCollection src = ds.FindAll())
            {
                foreach (SearchResult sr in src)
                {
                    //Here is each group now...
                    Console.WriteLine(
                        sr.Properties["samAccountName"][0]);
                }
            }
        }
    }

    //escape each byte as \XX so the binary SID can be used inside an LDAP filter
    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();

        for(int i=0; i < bytes.Length; i++)
        {
            sb.AppendFormat(
                "\\{0}",
                bytes[i].ToString("X2")   //was bytes.ToString("X2"), which does not compile
                );
        }
        return sb.ToString();
    }
     
    rote, Jan 2, 2008
    #7
  8. rote

    rote Guest

    Joe, I have modified the code and I can get the tokenGroups based on a user.
    But no groups are displayed.
    I can see the filter query, like so:
    (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
    0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20
    0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
    and I can also see how many tokenGroups are returned.
    Any ideas?

    "rote" <> wrote in message
    news:...
    > Joe are you talking about this snippet code below ?
    > Is it this one?
    > On the line "foreach (byte[] sid in user.Properties["tokenGroups"])
    > whats the user? Is it the DirectoryEntry object.
    > The code doesn;t look complete or something..
    > Thanks
    >
    >
    >
    > public void theGurusCode()
    >
    > {
    >
    >
    > StringBuilder sb = new StringBuilder();
    >
    > //we are building an '|' clause
    > sb.Append("(|");
    >
    > foreach (byte[] sid in user.Properties["tokenGroups"])
    > {
    > //append each member into the filter
    > sb.AppendFormat(
    > "(objectSid={0})", BuildFilterOctetString(sid));
    > }
    >
    > //end our initial filter
    > sb.Append(")");
    >
    > DirectoryEntry searchRoot = new DirectoryEntry(
    > "LDAP://DC=domain,DC=com",
    > null,
    > null,
    > AuthenticationTypes.Secure
    > );
    >
    >
    >
    > using (searchRoot)
    > {
    > //we now have our filter, we can just search for the groups
    > DirectorySearcher ds = new DirectorySearcher(
    > searchRoot,
    > sb.ToString() //our filter
    > );
    >
    > using (SearchResultCollection src = ds.FindAll())
    > {
    > foreach (SearchResult sr in src)
    > {
    > //Here is each group now...
    > Console.WriteLine(
    > sr.Properties["samAccountName"][0]);
    > }
    > }
    > }
    > }
    >
    > private string BuildFilterOctetString(byte[] bytes)
    > {
    > StringBuilder sb = new StringBuilder();
    >
    > for(int i=0; i < bytes.Length; i++)
    > {
    > sb.AppendFormat(
    > "\\{0}",
    > bytes.ToString("X2")
    > );
    > }
    > return sb.ToString();
    > }
    >
    > "Joe Kaplan" <> wrote in message
    > news:%...
    >> Ch 10 of our book has a few samples on tokenGroups. You can download the
    >> code samples from ch 10 and the whole chapter in pdf form from our
    >> website.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
     
    rote, Jan 3, 2008
    #8
  9. rote

    Joe Kaplan Guest

    That query filter does not look right. The SIDs should look like:

    \xx\xx\xx\xx\xx

    I can't see how your call to BuildFilterOctetString produced the output that
    you got. Are you sure you called it right?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "rote" <> wrote in message
    news:...
    > Joe, I have modified the code and I can get the tokenGroups based on a
    > user.
    > But no groups are displayed.
    > But I can see the filter query like so:
    > (|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
    > 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05
    > 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
    > and also see how many tokengroups are returned.
    > Any ideas?
    >
     
    Joe Kaplan, Jan 3, 2008
    #9
  10. rote

    rote Guest

    I was just about to write back, Joe.
    I was using:

    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < bytes.Length; i++)
        {
            // produces "0x01 0x02 ...", which is not a valid LDAP filter
            // encoding for a binary value such as objectSid
            sb.AppendFormat("0x{0} ", bytes[i].ToString("X2"));
        }

        return sb.ToString();
    }

    Instead of

    private string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < bytes.Length; i++)
        {
            // each byte becomes \xx, the escaped-octet form an LDAP filter expects
            sb.AppendFormat("\\{0}", bytes[i].ToString("X2"));
        }
        return sb.ToString();
    }

    After I changed that it worked like a charm. And by the way, congrats on your
    newborn baby.
    One more question: can I do group names to return me users that belong to
    those groups?
    Thanks a lot


    "Joe Kaplan" <> wrote in message
    news:...
    > That query filter does not look right. The SIDs should look like:
    >
    > \xx\xx\xx\xx\xx
    >
    > I can't see how your call to BuildFilterOctetString produced the output
    > that you got. Are you sure you called it right?
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
     
    rote, Jan 3, 2008
    #10
  11. rote

    Joe Kaplan Guest

    Thanks a bunch. :)

    Can you explain what you mean by this? I don't quite follow:

    > One more question: can I do group names to return me users that belong
    > to those groups?


    It is possible to get the members of a group as well if you want, but I
    don't see how that is relevant to what you were originally trying to do.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Jan 3, 2008
    #11
  12. rote

    rote Guest

    Sorry Joe.
    What I meant is I want users to type an Active Directory group and then, when
    they click submit, they get the users who belong to that group.
    Currently I can type in a user using the CN or userid and then it returns
    their AD groups. Changing my filter to:

    searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" + groupnames + "))";

    I can type in a group name and I get groups that are under the group name I
    typed in. Does that make sense?

    "Joe Kaplan" <> wrote in message
    news:...
    > Thanks a bunch. :)
    >
    > Can you explain what you mean by this? I don't quite follow:
    >
    >> One more question: can I do group names to return me users that belong
    >> to those groups?
    >
    >
    > It is possible to get the members of a group as well if you want, but I
    > don't see how that is relevant to what you were originally trying to do.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
    >
    >
     
    rote, Jan 3, 2008
    #12
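Added example, not code from the thread or from Joe Kaplan's book: how the values in the two filters discussed above have to be encoded before they go into an LDAP search filter. It builds the (|(objectSid=\xx...)...) filter from raw tokenGroups bytes, decodes the two SIDs pasted in the filter dump into S-1-5-... form for display, and escapes a user-typed group name before it is placed in the (&(objectCategory=group)(sAMAccountName=...)) filter, because concatenating the textbox value raw lets filter metacharacters in the input change the query. It is written in Python so it runs without a directory; the SID bytes are constructed by re-typing the values from the filter dump.

```python
import struct

FILTER_METACHARS = "\\*()\x00"   # RFC 4515: must be escaped inside a filter value


def build_filter_octet_string(raw: bytes) -> str:
    """Encode a binary attribute value as \\xx\\xx... for an LDAP filter.

    Same output as the corrected C# BuildFilterOctetString in the thread;
    the "0x01 0x02 " form is not a valid filter encoding of objectSid.
    """
    return "".join("\\%02X" % b for b in raw)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use inside an LDAP filter (RFC 4515).

    Metacharacters and non-ASCII characters become \\xx escapes of their
    UTF-8 bytes; everything else passes through unchanged.
    """
    out = []
    for ch in value:
        if ch in FILTER_METACHARS or ord(ch) > 0x7F:
            out.append(build_filter_octet_string(ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def is_well_formed_sid(raw: bytes) -> bool:
    """Binary SID layout: revision(1) count(1) authority(6, big-endian),
    then `count` little-endian 32-bit sub-authorities."""
    return len(raw) >= 8 and raw[0] == 1 and len(raw) == 8 + 4 * raw[1]


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (as returned in tokenGroups/objectSid) into the
    familiar S-1-5-... form for display or logging."""
    if not is_well_formed_sid(raw):
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def token_groups_filter(token_groups) -> str:
    """Build the (|(objectSid=...)(objectSid=...)) filter that resolves the
    SIDs in a user's tokenGroups attribute to group objects."""
    clauses = "".join(
        "(objectSid=%s)" % build_filter_octet_string(sid) for sid in token_groups
    )
    return "(|%s)" % clauses


def group_by_name_filter(group_name: str) -> str:
    """Safe form of the (&(objectCategory=group)(sAMAccountName=...)) filter:
    the name typed into the textbox is escaped instead of concatenated raw."""
    return "(&(objectCategory=group)(sAMAccountName=%s))" % escape_filter_value(
        group_name
    )


# Constructed sample input: the two SIDs from the filter dump in the thread,
# re-typed as bytes (BUILTIN\Users and BUILTIN\Administrators).
USERS_SID = bytes.fromhex("01020000000000052000000021020000")
ADMINS_SID = bytes.fromhex("01020000000000052000000020020000")

if __name__ == "__main__":
    for sid in (USERS_SID, ADMINS_SID):
        print(sid_to_string(sid), "->", build_filter_octet_string(sid))
    print(token_groups_filter([USERS_SID, ADMINS_SID]))
    print(group_by_name_filter("Domain Admins"))
    print(group_by_name_filter("x)(cn=*"))   # metacharacters neutralised
```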
  13. rote

    Joe Kaplan Guest

    You need to use a different approach for doing this. Our book covers group
    membership expansion in ch 11, so I'd start with those samples. I think
    Ryan has written a few improved versions of the code as well which are
    available in the full samples from the website.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "rote" <> wrote in message
    news:%...
    > Sorry Joe.
    > What I meant is I want users to type an Active Directory group and then,
    > when they click submit, they get the users who belong to that group.
    > Currently I can type in a user using the CN or userid and then it returns
    > their AD groups. Changing my filter to:
    >
    > searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" + groupnames + "))";
    >
    > I can type in a group name and I get groups that are under the group name
    > I typed in. Does that make sense?
    >
     
    Joe Kaplan, Jan 3, 2008
    #13
  14. rote

    rote Guest

    Thanks Joe. I will have a look at this.
    Let me know if you have more hints.
    Thanks


    "Joe Kaplan" <> wrote in message
    news:%...
    > You need to use a different approach for doing this. Our book covers
    > group membership expansion in ch 11, so I'd start with those samples. I
    > think Ryan has written a few improved versions of the code as well which
    > are available in the full samples from the website.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
     
    rote, Jan 4, 2008
    #14