Searching what groups a user belongs to from AD but error


rote

I want users to be able to type a user name in a textbox and when they hit
submit it displays the groups the user belongs to from the Active Directory.
The getGroupforUser uses the WindowsIdentity and I have a button event
below.
In the button event below I just want to send the username typed in the
textbox, but when I test the page I get this error:

"System.Security.SecurityException: The Kerberos subsystem encountered an
error. A service for user protocol request was made
against a domain controller which does not support service for user."

Any ideas??


List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    // Groups comes from the token behind the identity, so nested groups are already included.
    IdentityReferenceCollection irc = id.Groups;

    foreach (IdentityReference ir in irc)
    {
        // Translate each group SID into a DOMAIN\Name account string.
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}

-----------------------------------------------------------------------------------

protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;

    // username is typed by the visitor, so encode it before echoing it into the page.
    Response.Write("You are logged in as " + Server.HtmlEncode(username) + " your GROUPS are: ");

    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

    // This constructor logs the named user on through Kerberos S4U (protocol transition);
    // it is the call that raises the SecurityException quoted above.
    WindowsIdentity id = new WindowsIdentity(username);

    foreach (string role in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + role;
    }
}
 

Joe Kaplan

The error is exactly what it says it is. The constructor you are using
on the WindowsIdentity object uses Kerberos protocol transition (S4U or
service for user) in order to generate the user's token. This function
requires that the client is 2003 or higher and that the domain controller
servicing the request is 2003 AD in 2003 forest functional level.
Apparently, it is not. If you don't know for sure that your DCs are
converted over, you can't safely use this feature.

The code you have commented out would probably work fine though if your
application was using Windows security in IIS (basic, digest or IWA). Why
not just use that?

Joe K.
 

rote

Thanks very much Joe for the prompt reply.
The DC is still on W2k (Windows 2000 Server)..arg.....
Are you talking about this line below?
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
It does work when I use that, but I want users to type in a username and hit
the button to search other users..

Can I use DirectoryServices for this scenario..
Thanks in advance once again
 

Joe Kaplan

Yeah, you would need to do an LDAP lookup for the user's groups using
tokenGroups to simulate what the protocol transition logon is doing. Or,
get the admin to upgrade the DC. :)

Joe K.
 

Joe Kaplan

Ch 10 of our book has a few samples on tokenGroups. You can download the
code samples from ch 10 and the whole chapter in pdf form from our website.

Joe K.
 

rote

Joe, are you talking about this code snippet below?
Is it this one?
On the line "foreach (byte[] sid in user.Properties["tokenGroups"])",
what's the user? Is it the DirectoryEntry object?
The code doesn't look complete or something..
Thanks



using System;
using System.DirectoryServices;
using System.Text;

// 'user' is the DirectoryEntry bound to the user object. tokenGroups is a
// constructed attribute, so it has to be read explicitly into the property cache.
public void theGurusCode(DirectoryEntry user)
{
    user.RefreshCache(new string[] { "tokenGroups" });

    StringBuilder sb = new StringBuilder();

    //we are building an '|' clause
    sb.Append("(|");

    foreach (byte[] sid in user.Properties["tokenGroups"])
    {
        //append each member into the filter
        sb.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
    }

    //end our initial filter
    sb.Append(")");

    DirectoryEntry searchRoot = new DirectoryEntry(
        "LDAP://DC=domain,DC=com",
        null,
        null,
        AuthenticationTypes.Secure
        );

    using (searchRoot)
    {
        //we now have our filter, we can just search for the groups
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            sb.ToString() //our filter
            );

        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
            {
                //Here is each group now...
                Console.WriteLine(sr.Properties["samAccountName"][0]);
            }
        }
    }
}

private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        //each byte becomes \XX, the LDAP filter escape for one octet
        sb.AppendFormat("\\{0}", bytes[i].ToString("X2"));
    }
    return sb.ToString();
}
 

rote

Joe, I have modified the code and I can get the tokenGroups based on a user..
But no groups are displayed..
But I can see the filter query like so:
(|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00
0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20
0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
and I can also see how many tokenGroups are returned..
Any ideas?


Joe Kaplan

That query filter does not look right. The SIDs should look like:

\xx\xx\xx\xx\xx

I can't see how your call to BuildFilterOctetString produced the output that
you got. Are you sure you called it right?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
rote said:
Joe the admin won't update it because they are too damn lazy.
I'm trying to use this code here as a guide but it's returning null when
passing a search result:
http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx
Any ideas..
Do you have a sample snippet using tokenGroups somewhere on your site? I've
been trying to find a guide there but with no success.
Thanks in advance..



rote

I was just about to write back Joe.
I was using:

private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        // produces "0x01 0x02 ..." which is not LDAP octet-string filter syntax
        sb.AppendFormat("0x{0} ", bytes[i].ToString("X2"));
    }

    return sb.ToString();
}

Instead of

private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < bytes.Length; i++)
    {
        // each byte as \XX, the LDAP filter escape for one octet
        sb.AppendFormat("\\{0}", bytes[i].ToString("X2"));
    }
    return sb.ToString();
}

After I changed that it worked like a charm. And by the way, congrats on your
newborn baby.
One more question: can I do group names to return the users that belong to
those groups?
Thanks a lot
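The tokenGroups route Joe recommends and the \XX octet escaping rote ended up with, put together in one routine that takes the typed logon name and returns the group names. This is an added example, not code from the thread or from Joe's book; the class and method names are mine, the LDAP path is a placeholder, and it binds with the calling process identity (the application pool account under IIS).

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example: resolve a typed logon name to its groups with an LDAP tokenGroups
// read instead of the S4U WindowsIdentity(string) constructor. It binds with the
// calling process identity (the application pool account under IIS).
static class TokenGroupLookup
{
    // RFC 4515 escaping so a typed value cannot alter the filter structure.
    // Backslash is escaped first so the escapes themselves are not re-escaped.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // objectSid is an octet string: each byte is written as \XX (the form Joe
    // describes). "0x01 0x02 ..." is not filter syntax and matches nothing.
    static string BuildFilterOctetString(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.Append('\\').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // domainRoot is e.g. "LDAP://DC=domain,DC=com" (placeholder for your own domain).
    public static List<string> GetGroupsForUser(string samAccountName, string domainRoot)
    {
        List<string> groups = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(domainRoot, null, null, AuthenticationTypes.Secure))
        {
            // 1. Locate the user object by its escaped logon name.
            DirectorySearcher userSearch = new DirectorySearcher(root,
                "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))",
                new string[] { "distinguishedName" });
            SearchResult userResult = userSearch.FindOne();
            if (userResult == null) return groups;   // unknown user: empty list, no exception
            using (DirectoryEntry user = userResult.GetDirectoryEntry())
            {
                // 2. tokenGroups is constructed server-side and only lands in the property
                //    cache after an explicit base-level read of the user object.
                user.RefreshCache(new string[] { "tokenGroups" });
                PropertyValueCollection sids = user.Properties["tokenGroups"];
                if (sids.Count == 0) return groups;
                StringBuilder filter = new StringBuilder("(|");
                foreach (byte[] sid in sids)
                    filter.AppendFormat("(objectSid={0})", BuildFilterOctetString(sid));
                filter.Append(")");

                // 3. Map the SIDs (nested and primary groups included) to names. Well-known
                //    SIDs such as Authenticated Users are not objects in the domain, so fewer
                //    rows than sids.Count is expected rather than a bug.
                DirectorySearcher groupSearch = new DirectorySearcher(root, filter.ToString(),
                    new string[] { "sAMAccountName" });
                groupSearch.PageSize = 500;
                using (SearchResultCollection results = groupSearch.FindAll())
                    foreach (SearchResult sr in results)
                        groups.Add((string)sr.Properties["sAMAccountName"][0]);
            }
        }
        return groups;
    }
}
```

Call it from the button handler in place of the WindowsIdentity constructor; because the lookup runs as the process account, that account needs only read access to the user and group objects, not the S4U privilege.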


 

Joe Kaplan

Thanks a bunch. :)

Can you explain what you mean by this? I don't quite follow:
One more question is can i do group names to return me users that belongs
to those groups?

It is possible to get the members of a group as well if you want, but I
don't see how that is relevant to what you were originally trying to do.

Joe K.
 

rote

Sorry Joe.
What I meant is I want users to type an Active Directory group and then, when
they click submit, they get the users who belong to that group.
Currently I can type in a user using the CN or userid and then it returns
their AD groups.
Changing my filter to:
searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" + groupnames + "))";

I can type in a group name and I get groups that are under the group name I
typed in. Does that make sense?
 

Joe Kaplan

You need to use a different approach for doing this. Our book covers group
membership expansion in ch 11, so I'd start with those samples. I think
Ryan has written a few improved versions of the code as well which are
available in the full samples from the website.

Joe K.
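For the group-to-members direction rote asks about, an added example (not from the thread or from the book's chapter 11 samples): it looks up the typed group by sAMAccountName with the value escaped, instead of concatenating it raw as in rote's filter, and reads the member attribute with LDAP range retrieval. The class and method names are mine and the LDAP path is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example: list the members of a group typed by name. The typed value is
// escaped per RFC 4515 rather than concatenated raw into the filter, and the
// member attribute is read in ranges because a DC caps the values it returns per
// request (1000 on Windows 2000, 1500 on 2003). Binds as the calling process.
static class GroupMemberLookup
{
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Returns the distinguished names held in the group's member attribute.
    // Nested groups appear as members; recurse with a visited set for the
    // transitive list. Accounts whose primaryGroupID points at this group are
    // not in member at all and need a separate (primaryGroupID=RID) search.
    public static List<string> GetGroupMembers(string groupSamAccountName, string domainRoot)
    {
        List<string> members = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(domainRoot, null, null, AuthenticationTypes.Secure))
        {
            DirectorySearcher groupSearch = new DirectorySearcher(root,
                "(&(objectCategory=group)(sAMAccountName=" + EscapeFilterValue(groupSamAccountName) + "))",
                new string[] { "distinguishedName" });
            SearchResult groupResult = groupSearch.FindOne();
            if (groupResult == null) return members;   // no such group: empty list

            using (DirectoryEntry groupEntry = groupResult.GetDirectoryEntry())
            {
                // Range retrieval: ask for member;range=low-* and read the attribute name the
                // server hands back. "member;range=0-999" means more follow; an upper bound of
                // "*" marks the final chunk.
                int low = 0;
                while (true)
                {
                    DirectorySearcher rangeSearch = new DirectorySearcher(groupEntry, "(objectClass=*)",
                        new string[] { "member;range=" + low + "-*" });
                    rangeSearch.SearchScope = SearchScope.Base;
                    SearchResult chunk = rangeSearch.FindOne();
                    if (chunk == null) break;
                    string returned = null;
                    foreach (string name in chunk.Properties.PropertyNames)
                        if (name.StartsWith("member;range=", StringComparison.OrdinalIgnoreCase))
                            returned = name;
                    if (returned == null) break;   // empty group, or no more values
                    foreach (object dn in chunk.Properties[returned])
                        members.Add((string)dn);
                    string upper = returned.Substring(returned.IndexOf('-') + 1);
                    if (upper == "*") break;
                    low = int.Parse(upper) + 1;
                }
            }
        }
        return members;
    }
}
```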


rote

Thanks Joe. I'll have a look at this.
Let me know if you have more hints.
Thanks

