Re: searching what groups a user belong from AD but error The Kerberos subsystem encountered an error. A service for user protocol request was made
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Dec 2007 23:08:45 -0600
The error is exactly what it says it is. The constructor you are using
on the WindowsIdentity object uses Kerberos protocol transition (S4U or
service for user) in order to generate the user's token. This function
requires that the client is 2003 or higher and that the domain controller
servicing the request is 2003 AD in 2003 forest functional level.
Apparently, it is not. If you don't know for sure that your DCs are
converted over, you can't safely use this feature.
The code you have commented out would probably work fine though if your
application was using Windows security in IIS (basic, digest or IWA). Why
not just use that?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:uM%23ecWESIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
I want users to be able to type a user name in a textbox and when they hit
submit it displays
the groups the user belongs to from the Active Directory.
The getGroupsforUser uses the WindowsIdentity and I have a button event
below.
In the button event below I just want to send the username typed in the
textbox but when I test the page I get the error :-
"System.Security.SecurityException: The Kerberos subsystem encountered an
error. A service for user protocol request was made
against a domain controller which does not support service for user."
Any ideas??
// Requires: using System.Collections.Generic; using System.Security.Principal;
// Returns the account names of the groups in the given identity's token.
List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    IdentityReferenceCollection irc = id.Groups;
    foreach (IdentityReference ir in irc)
    {
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}
-----------------------------------------------------------------------------------
protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;
    // HTML-encode user-supplied and directory-supplied text before writing it into the page.
    Response.Write("You are logged in as " + Server.HtmlEncode(username) + " your GROUPS are: ");
    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
    // This constructor uses Kerberos S4U and is the call that raises the SecurityException.
    WindowsIdentity id = new WindowsIdentity(username);
    foreach (string roles in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + Server.HtmlEncode(roles);
    }
}