Re: searching what groups a user belongs to from AD but error: The Kerberos subsystem encountered an error. A service for user protocol request was made



Ch 10 of our book has a few samples on tokenGroups. You can download the
code samples from ch 10 and the whole chapter in pdf form from our website.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:%23csFyvQTIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
Joe, the admin won't update it because they are too damn lazy.
I'm trying to use this code here as a guide, but it's returning null when
passing a search result:
http://www.wwwcoder.com/main/parentid/260/site/2208/68/default.aspx
Any ideas?
Do you have a sample snippet using tokenGroups somewhere on your site? I've
been trying to find a guide there, but with no success.
Thanks in advance.


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uWkU63NSIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, you would need to do an LDAP lookup for the user's groups using
tokenGroups to simulate what the protocol transition logon is doing. Or,
get the admin to upgrade the DC. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:u335DBFSIHA.5264@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much, Joe, for the prompt reply.
The DC is still on Windows 2000 Server... argh...
Are you talking about this line below?
WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
It does work when I use that, but I want users to type in a username and
hit the button to search other users.

Can I use DirectoryServices for this scenario?
Thanks in advance once again.



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufR$TaESIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
The error is exactly what it says it is. The constructor you are
using on the WindowsIdentity object uses Kerberos protocol transition
(S4U or service for user) in order to generate the user's token. This
function requires that the client is 2003 or higher and that the domain
controller servicing the request is 2003 AD in 2003 forest functional
level. Apparently, it is not. If you don't know for sure that your DCs
are converted over, you can't safely use this feature.

The code you have commented out would probably work fine though if your
application was using Windows security in IIS (basic, digest or IWA).
Why not just use that?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"rote" <naijacoder@xxxxxxxxxxx> wrote in message
news:uM%23ecWESIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
I want users to be able to type a user name in a textbox and, when they
hit submit, display the groups the user belongs to from Active Directory.
The getGroupsforUser method uses the WindowsIdentity, and I have a button event
below.
In the button event below I just want to send the username typed in the
textbox, but when I test the page I get this error:

"System.Security.SecurityException: The Kerberos subsystem encountered
an error. A service for user protocol request was made
against a domain controller which does not support service for user."

Any ideas??


List<string> getGroupsforUser(WindowsIdentity id)
{
    List<string> groups = new List<string>();
    // Group SIDs carried in the identity's access token
    IdentityReferenceCollection irc = id.Groups;

    foreach (IdentityReference ir in irc)
    {
        // Resolve each SID to a DOMAIN\Group name
        NTAccount acc = (NTAccount)ir.Translate(typeof(NTAccount));
        groups.Add(acc.Value);
    }
    return groups;
}

-----------------------------------------------------------------------------------

protected void LookupADBtn_Click(object sender, EventArgs e)
{
    string username = aduser.Text;

    // The username is user input echoed back into the page, so HTML-encode it
    Response.Write("You are logged in as " + Server.HtmlEncode(username) + " your GROUPS are: ");

    //WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

    // This constructor logs the named user on via Kerberos S4U (protocol
    // transition); this is the call that fails against a DC without S4U support.
    WindowsIdentity id = new WindowsIdentity(username);

    foreach (string role in getGroupsforUser(id))
    {
        Label1.Text += "<br>" + Server.HtmlEncode(role);
    }
}
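The tokenGroups lookup Joe suggests above (reading the user's effective group SIDs over LDAP instead of building a token with the S4U constructor), as an added example that is not code from this thread, from Joe Kaplan's book, or from the linked wwwcoder sample. It assumes the code runs on a domain-joined machine, that the process identity (for instance the ASP.NET worker process) is allowed to read the target user's tokenGroups attribute, and that the search should start at the domain's defaultNamingContext; the class and method names are made up for this example. tokenGroups is a constructed attribute that the DC only computes for a base-scope read of the object itself, which is why a SearchResult from a subtree search never carries it and the code below does an explicit RefreshCache on the DirectoryEntry.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class TokenGroupsLookup
{
    // Escape the characters that have meaning in an LDAP search filter (RFC 4515),
    // so a value typed into the textbox cannot change the shape of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the DOMAIN\Group names of every security group the user is a member
    // of, nested groups included, as the DC itself computes them. Returns null when
    // no user with that sAMAccountName exists.
    public static List<string> GetGroupsForUser(string samAccountName)
    {
        // Assumption: domain-joined host; the process identity can read tokenGroups.
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;

            using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + defaultNc))
            using (DirectorySearcher searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeFilterValue(samAccountName) + "))";
                searcher.SearchScope = SearchScope.Subtree;
                searcher.PropertiesToLoad.Add("distinguishedName");

                SearchResult result = searcher.FindOne();
                if (result == null)
                {
                    return null;
                }

                using (DirectoryEntry user = result.GetDirectoryEntry())
                {
                    // Base-scope read of the constructed attribute on the user object.
                    user.RefreshCache(new string[] { "tokenGroups" });

                    List<string> groups = new List<string>();
                    foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                    {
                        SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                        try
                        {
                            groups.Add(sid.Translate(typeof(NTAccount)).Value);
                        }
                        catch (IdentityNotMappedException)
                        {
                            // Group from a domain this host cannot resolve, or a deleted
                            // group: keep the raw SID rather than silently dropping it.
                            groups.Add(sid.Value);
                        }
                    }
                    return groups;
                }
            }
        }
    }
}
```

In the button handler this replaces the `new WindowsIdentity(username)` call: iterate over `TokenGroupsLookup.GetGroupsForUser(aduser.Text)` (checking for null first) instead of `getGroupsforUser(id)`. Two differences from the token-based version are worth knowing: tokenGroups lists security groups only, so distribution groups and well-known SIDs such as Everyone do not appear, and reading it requires read access to the target user's group membership, so if the page runs as a low-privilege application pool identity the attribute may come back empty rather than raising an error.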