Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made



Joe, are you talking about this snippet of code below?
Is it this one?
On the line "foreach (byte[] sid in user.Properties["tokenGroups"])",
what's the user? Is it the DirectoryEntry object?
The code doesn't look complete or something..
Thanks



using System;
using System.DirectoryServices;
using System.Text;

// 'user' is assumed here to be the DirectoryEntry of the account being looked up
public void theGurusCode(DirectoryEntry user)
{
    StringBuilder sb = new StringBuilder();

    //we are building an '|' clause
    sb.Append("(|");

    // tokenGroups is a constructed attribute, so it has to be requested explicitly
    user.RefreshCache(new string[] { "tokenGroups" });

    foreach (byte[] sid in user.Properties["tokenGroups"])
    {
        //append each member into the filter
        sb.AppendFormat(
            "(objectSid={0})", BuildFilterOctetString(sid));
    }

    //end our initial filter
    sb.Append(")");

    DirectoryEntry searchRoot = new DirectoryEntry(
        "LDAP://DC=domain,DC=com",
        null,
        null,
        AuthenticationTypes.Secure
        );

    using (searchRoot)
    {
        //we now have our filter, we can just search for the groups
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            sb.ToString() //our filter
            );

        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
            {
                //Here is each group now...
                Console.WriteLine(
                    sr.Properties["samAccountName"][0]);
            }
        }
    }
}

//encode the binary SID as an escaped octet string for use in an LDAP filter
private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();

    for(int i=0; i < bytes.Length; i++)
    {
        sb.AppendFormat(
            "\\{0}",
            bytes[i].ToString("X2")
            );
    }
    return sb.ToString();
}

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23QtMQ6UTIHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
Ch 10 of our book has a few samples on tokenGroups. You can download the
code samples from ch 10 and the whole chapter in pdf form from our
website.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:%23csFyvQTIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
Joe the admin won't update it because they are damn too lazy.
I'm trying to use this code here as a guide but it's returning null when
passing a search result:
http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx
Any ideas..
Do you have a sample snippet using tokenGroups somewhere on your site? I've
been trying to find a guide from there but with no success.
Thanks in advance..


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uWkU63NSIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, you would need to do an LDAP lookup for the user's groups using
tokenGroups to simulate what the protocol transition logon is doing.
Or, get the admin to upgrade the DC. :)

Joe K.

"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:u335DBFSIHA.5264@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much Joe for the prompt reply.
The DC is still in W2k windows 2000 server..arg.....
Are you talking about this line below?
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
It does work when I use that but I want users to type in a username and
hit the button to search other users..

Can I use DirectoryServices for this scenario..
Thanks in advance once again



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:ufR$TaESIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
The error is exactly what it says it is. The constructor you are
using on the WindowsIdentity object uses Kerberos protocol transition
(S4U or service for user) in order to generate the user's token. This
function requires that the client is 2003 or higher and that the
domain controller servicing the request is 2003 AD in 2003 forest
functional level. Apparently, it is not. If you don't know for sure
that your DCs are converted over, you can't safely use this feature.

The code you have commented out would probably work fine though if
your application was using Windows security in IIS (basic, digest or
IWA). Why not just use that?

Joe K.

"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:uM%23ecWESIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
I want users to be able to type a user name in a textbox and when they
hit submit it displays the groups the user belongs to from the Active
Directory.
The getGroupsforUser uses the WindowsIdentity and I have a button
event below.
In the button event below I just want to send the username typed in
the textbox, but when I test the page I get this error:-

"System.Security.SecurityException: The Kerberos subsystem
encountered an error. A service for user protocol request was made
against a domain controller which does not support service for user."

Any ideas??


using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    IdentityReferenceCollection irc = id.Groups;

    foreach (IdentityReference ir in irc)
    {
        // resolve each group SID to its DOMAIN\name form
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}

-----------------------------------------------------------------------------------

protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;

    Response.Write("You are logged in as " + username + " your GROUPS are: ");

    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

    // this constructor performs an S4U (protocol transition) logon for the
    // typed name, which is what raises the Kerberos error against a DC that
    // does not support service for user
    WindowsIdentity id = new WindowsIdentity(username);

    foreach (string roles in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + roles;
    }
}
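As an added example (not code from this thread or from Joe Kaplan's book), here is one way to do the LDAP lookup via tokenGroups that Joe suggests in place of the S4U logon: find the typed sAMAccountName, load the constructed tokenGroups attribute, and translate each SID with SecurityIdentifier instead of building an objectSid filter. The LDAP root path, the class name and the method names are assumptions, and the search runs under the web application's own identity.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the thread or the book: resolve a typed
// sAMAccountName to its group names via tokenGroups, so no S4U logon is needed.
// Assumes the app's own identity can read the domain over LDAP (a Secure bind).
public static class TokenGroupsLookup
{
    // The LDAP path is an assumed placeholder; use your domain's naming context.
    public static List<string> GetGroupsForUser(string sAMAccountName,
        string rootPath = "LDAP://DC=domain,DC=com")
    {
        var groups = new List<string>();
        using (var root = new DirectoryEntry(rootPath, null, null, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape RFC 4515 metacharacters so typed input cannot alter the filter.
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeFilter(sAMAccountName) + "))";
            SearchResult result = searcher.FindOne();
            if (result == null)
                return groups; // unknown user: empty list rather than an exception

            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute: it is empty until
                // explicitly requested with RefreshCache.
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    var sid = new SecurityIdentifier(sidBytes, 0);
                    try   { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
                    catch (IdentityNotMappedException) { groups.Add(sid.Value); }
                }
            }
        }
        return groups;
    }

    // Escapes the characters RFC 4515 reserves inside an LDAP filter value.
    private static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Unlike the WindowsIdentity(string) constructor, this needs only LDAP read access to the domain, so it works against a Windows 2000 DC; group SIDs that cannot be mapped to a name are returned in SID string form.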
