Re: searching what groups a user belong from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made
- From: "rote" <naijacoder@xxxxxxxxxxx>
- Date: Thu, 3 Jan 2008 15:44:42 +1100
I was just about to write back, Joe.
I was using:
private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < bytes.Length; i++)
    {
        // emits "0x01 0x02 ..." which is not an LDAP octet-string escape
        sb.AppendFormat("0x{0} ", bytes[i].ToString("X2"));
    }
    return sb.ToString();
}
Instead of
private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < bytes.Length; i++)
    {
        // emits "\01\02..." (each byte as a backslash plus two hex digits)
        sb.AppendFormat(
            "\\{0}",
            bytes[i].ToString("X2")
            );
    }
    return sb.ToString();
}
After I changed that it worked like a charm. And by the way, congrats on your
newborn baby.
One more question: can I use group names to return the users that belong to
those groups?
Thanks a lot
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uJJBT2bTIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
That query filter does not look right. The SIDs should look like:
\xx\xx\xx\xx\xx
I can't see how your call to BuildFilterOctetString produced the output
that you got. Are you sure you called it right?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:OA3aYRbTIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
Joe, I have modified the code and I can get the tokenGroups based on a
user,
but no groups are displayed.
But I can see the filter query like so:
(|(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x21 0x02 0x00 0x00 )(objectSid=0x01 0x02 0x00 0x00 0x00 0x00 0x00 0x05 0x20 0x00 0x00 0x00 0x20 0x02 0x00 0x00 )
and I also see how many tokenGroups are returned.
Any ideas?
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:e2FzUcZTIHA.5404@xxxxxxxxxxxxxxxxxxxxxxx
Joe, are you talking about this snippet of code below?
Is it this one?
On the line "foreach (byte[] sid in user.Properties["tokenGroups"])",
what's the user? Is it the DirectoryEntry object?
The code doesn't look complete or something.
Thanks
using System;
using System.DirectoryServices;
using System.Text;

// "user" is the DirectoryEntry of the account whose groups are wanted; the
// snippet as quoted left it undeclared, so it is taken as a parameter here.
public void theGurusCode(DirectoryEntry user)
{
    // tokenGroups is a constructed attribute and is not populated unless it
    // is explicitly requested, so refresh the property cache for it first.
    user.RefreshCache(new string[] { "tokenGroups" });

    StringBuilder sb = new StringBuilder();
    //we are building an '|' clause
    sb.Append("(|");
    foreach (byte[] sid in user.Properties["tokenGroups"])
    {
        //append each member into the filter
        sb.AppendFormat(
            "(objectSid={0})", BuildFilterOctetString(sid));
    }
    //end our initial filter
    sb.Append(")");
    DirectoryEntry searchRoot = new DirectoryEntry(
        "LDAP://DC=domain,DC=com",
        null,
        null,
        AuthenticationTypes.Secure
        );
    using (searchRoot)
    {
        //we now have our filter, we can just search for the groups
        DirectorySearcher ds = new DirectorySearcher(
            searchRoot,
            sb.ToString() //our filter
            );
        using (SearchResultCollection src = ds.FindAll())
        {
            foreach (SearchResult sr in src)
            {
                //Here is each group now...
                Console.WriteLine(
                    sr.Properties["samAccountName"][0]);
            }
        }
    }
}

// each SID byte becomes "\xx" so the binary value can be matched in the filter
private string BuildFilterOctetString(byte[] bytes)
{
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < bytes.Length; i++)
    {
        sb.AppendFormat(
            "\\{0}",
            bytes[i].ToString("X2")
            );
    }
    return sb.ToString();
}
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23QtMQ6UTIHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
Ch 10 of our book has a few samples on tokenGroups. You can download
the code samples from ch 10 and the whole chapter in pdf form from our
website.
Joe K.
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:%23csFyvQTIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
Joe, the admin won't update it because they are too damn lazy.
I'm trying to use this code here as a guide but it's returning null
when passing a search result:
http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx
Any ideas?
Do you have a sample snippet using tokenGroups somewhere on your site? I've
been trying to find a guide there but without success.
Thanks in advance.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uWkU63NSIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, you would need to do an LDAP lookup for the user's groups using
tokenGroups to simulate what the protocol transition logon is doing.
Or, get the admin to upgrade the DC. :)
Joe K.
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:u335DBFSIHA.5264@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much Joe for the prompt reply.
The DC is still on Windows 2000 Server..argh.....
Are you talking about this line below?
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
It does work when I use that but I want users to type in a username
and hit the button to search other users.
Can I use DirectoryServices for this scenario?
Thanks in advance once again
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:ufR$TaESIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
The error is exactly what it says it is. The constructor you
are using on the WindowsIdentity object uses Kerberos protocol
transition (S4U or service for user) in order to generate the
user's token. This function requires that the client is 2003 or
higher and that the domain controller servicing the request is 2003
AD in 2003 forest functional level. Apparently, it is not. If you
don't know for sure that your DCs are converted over, you can't
safely use this feature.
The code you have commented out would probably work fine though if
your application was using Windows security in IIS (basic, digest
or IWA). Why not just use that?
Joe K.
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:uM%23ecWESIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
I want users to be able to type a user name in a textbox and, when
they hit submit, display the groups the user belongs to from Active
Directory.
The getGroupsforUser method uses the WindowsIdentity, and I have a button
event below.
In the button event below I just want to send the username typed
in the textbox, but when I test the page I get this error:
"System.Security.SecurityException: The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user."
Any ideas??
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    IdentityReferenceCollection irc = id.Groups;
    foreach (IdentityReference ir in irc)
    {
        // translate each group SID into DOMAIN\Name form
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}
-----------------------------------------------------------------------------------
protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;
    Response.Write("You are logged in as " + username + " your GROUPS are: ");
    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
    // this constructor performs Kerberos protocol transition (S4U), which is
    // what raises the SecurityException quoted above against a Windows 2000 DC
    WindowsIdentity id = new WindowsIdentity(username);
    foreach (string role in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + role;
    }
}
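As an added example (Python, not code from this thread or from Joe's book), the block below shows the encoding Joe describes as `\xx\xx\xx` and that the corrected BuildFilterOctetString emits, next to the broken "0x01 0x02 " form from the first post so the difference is visible; it also decodes the two objectSid values in rote's quoted filter into S-1-... form (they are BUILTIN\Users and BUILTIN\Administrators, which is why the tokenGroups search found nothing until the escaping was fixed), and escapes a user-typed account name for the LDAP lookup Joe suggests in place of the S4U constructor. The SID bytes are constructed from the filter quoted in the thread; all function names here are my own.

```python
import struct

# Constructed sample input: the two SIDs visible in the "(|(objectSid=0x01 0x02 ..."
# filter quoted in the thread, as the raw tokenGroups bytes they came from.
SAMPLE_TOKEN_GROUPS = [
    bytes.fromhex("01020000000000052000000021020000"),
    bytes.fromhex("01020000000000052000000020020000"),
]

# A few well-known SIDs so decoded values can be labelled while debugging.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def encode_octet_string(value: bytes) -> str:
    """RFC 4515 encoding of a binary assertion value: every byte becomes a
    backslash followed by two hex digits, e.g. b'\\x01\\x05' -> '\\01\\05'.
    This is what the corrected BuildFilterOctetString in the thread emits."""
    return "".join(f"\\{b:02X}" for b in value)


def encode_wrong(value: bytes) -> str:
    """The form the first (broken) BuildFilterOctetString emitted. The server
    treats '0x01 0x02 ...' as an ordinary string, which never equals a binary
    objectSid, so the search quietly returns nothing instead of failing."""
    return "".join(f"0x{b:02X} " for b in value)


_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(text: str) -> str:
    """Escape a *string* assertion value (for instance a user-typed
    sAMAccountName) so it cannot add or close filter clauses."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in text)


def build_group_filter(sids) -> str:
    """Build the '(|(objectSid=...)(objectSid=...))' filter that resolves a
    tokenGroups list to group objects in a single search."""
    clauses = "".join(f"(objectSid={encode_octet_string(s)})" for s in sids)
    return f"(|{clauses})"


def build_user_filter(sam_account_name: str) -> str:
    """Filter that locates the user object for the name typed into the page."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def sid_to_string(value: bytes) -> str:
    """Decode a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) to S-1-... form."""
    if len(value) < 8:
        raise ValueError("SID too short")
    revision, count = value[0], value[1]
    if len(value) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(value[2:8], "big")
    subs = struct.unpack(f"<{count}I", value[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


if __name__ == "__main__":
    for raw in SAMPLE_TOKEN_GROUPS:
        text = sid_to_string(raw)
        print(text, WELL_KNOWN_SIDS.get(text, "?"), encode_octet_string(raw))
    print("correct filter:", build_group_filter(SAMPLE_TOKEN_GROUPS))
    broken = "".join(f"(objectSid={encode_wrong(s)})" for s in SAMPLE_TOKEN_GROUPS)
    print("broken filter: ", "(|" + broken + ")")
    print("user filter:   ", build_user_filter("j.doe*)(objectClass=*"))
```

The octet-string escape is the same mechanism as the string escape: a backslash plus two hex digits stands for one byte, so a binary attribute is simply every byte escaped, while a text value only needs the five characters that have meaning inside a filter. Running the script prints the decoded SIDs, both filter forms side by side, and an escaped user filter in which the typed `*`, `(` and `)` can no longer change the query's structure.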