System.DirectoryServices GetAuthorizationGroups() function Error

  • Jerry C

    System.DirectoryServices GetAuthorizationGroups() function Error

    I am using this code to get groups for a user and getting an error (5) on the
    GetAuthorizationGroups() function.

    There are two domains.
    This function works on the local domain but does not work on the other domain.
    Other functions work on the other domain, like get all the users and get all
    the groups, and I can validate users on the other domain, so I think I am
    communicating with the other domain OK, just not with the
    GetAuthorizationGroups() function.

    using System.Collections;
    using System.DirectoryServices.AccountManagement;

    ArrayList results = new ArrayList();

    // _DomainDN, _UserName and _Password are fields of the role provider
    PrincipalContext context = new PrincipalContext(ContextType.Domain, null,
        _DomainDN, _UserName, _Password);

    UserPrincipal p =
        UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);

    var groups = p.GetAuthorizationGroups();

    foreach (GroupPrincipal group in groups)
    {
        results.Add(group.SamAccountName);
    }

    I can use the p.GetGroups() function and it will work.
    I cannot find much on this GetAuthorizationGroups function and nothing on
    the error.

    Thank you,
    --
    Jerry
  • Allen Chen [MSFT]

    #2
    RE: System.DirectoryServices GetAuthorizationGroups() function Error

    Hi Jerry,

    From your description p.GetGroups() can work but p.GetAuthorizationGroups()
    can't, right? However, I cannot reproduce this problem. My local machine is
    a member of domain1 and I tried the following code:

    using System.Collections;
    using System.DirectoryServices.AccountManagement;

    ArrayList results = new ArrayList();

    PrincipalContext context = new
        PrincipalContext(ContextType.Domain, null, "domain2",
        "myusername", "mypassword");
    UserPrincipal p =
        UserPrincipal.FindByIdentity(context,
        IdentityType.SamAccountName, "a user of the domain2");

    var groups = p.GetAuthorizationGroups();

    foreach (var group in groups)
    {
        results.Add(group.Name);
    }

    It worked fine. Could you provide the detailed exception message?

    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    msdnmg@microsoft.com.

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subs...#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    • Jerry C

      #3
      RE: System.DirectoryServices GetAuthorizationGroups() function Error

      Allen,

      Thank you for the reply.

      Here is the error page:

      While trying to retrieve the authorization groups, an error (5) occurred.
      Description: An unhandled exception occurred during the execution of the
      current web request. Please review the stack trace for more information about
      the error and where it originated in the code.

      Exception Details:
      System.DirectoryServices.AccountManagement.PrincipalOperationException: While
      trying to retrieve the authorization groups, an error (5) occurred.

      Source Error:

      Line 281: {
      Line 282: UserPrincipal p = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
      Line 283: var groups = p.GetAuthorizationGroups();
      Line 284: //var groups = p.GetGroups();
      Line 285: foreach (GroupPrincipal group in groups)

      Source File: c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs
      Line: 283

      Stack Trace:

      [PrincipalOperationException: While trying to retrieve the authorization groups, an error (5) occurred.]
      System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase) +1355
      System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) +220
      System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() +50
      System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups() +22
      CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:283

      [ProviderException: Unable to query Active Directory.]
      CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:305
      UserGroup.LoadUsersGroups(String UserId, String RoleProvider) in c:\inetpub\wwwroot\CDActiveDirectory\App_Code\VBCode\UserGroup.vb:113
      UserMaintenance.LoadUser() in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:656
      UserMaintenance.ddlUsers_SelectedIndexChanged(Object sender, EventArgs e) in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:1737
      System.Web.UI.WebControls.ListControl.OnSelectedIndexChanged(EventArgs e) +111
      System.Web.UI.WebControls.DropDownList.RaisePostDataChangedEvent() +134
      System.Web.UI.WebControls.DropDownList.System.Web.UI.IPostBackDataHandler.RaisePostDataChangedEvent() +10
      System.Web.UI.Page.RaiseChangedEvents() +165
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1485

      --------------------------------------------------------------------------------
      Version Information: Microsoft .NET Framework Version:2.0.50727.3053; ASP.NET Version:2.0.50727.3053
      --
      --

      Maybe I am using the incorrect syntax for the domain.
      I am using:
      "10.13.1.11/DC=ad,DC=DdGroup,DC=com"

      What syntax are you using?


      Thank you


      Jerry



      • Allen Chen [MSFT]

        #4
        RE: System.DirectoryServices GetAuthorizationGroups() function Error

        Hi Jerry,

        Sorry for the late reply. Since I'm not dedicated to AD development I need
        to communicate with other specialists to get some helpful information.

        First, the parameters used in the constructor of PrincipalContext are
        incorrect. It would be better to use the following method:

        PrincipalContext context = new
            PrincipalContext(ContextType.Domain, "ad.DdGroup.com", _UserName, _Password);

        It's a coincidence that what we tried initially happens to work (due to the
        way the string is built inside the method). However, this usage is not
        supported.

        Secondly, about this exception: the GetAuthorizationGroups function
        actually uses the AuthZ APIs underneath to build the group list. The AuthZ
        API requires access to read certain attributes from AD. See this note from
        MSDN for the AuthZ API (error 5 is ACCESS_DENIED):

        Important: Applications should not assume that the calling context has
        permission to use this function. The AuthzInitializeContextFromSid function
        reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in
        the call to determine the current user's group memberships. If the user's
        object is in Active Directory, the calling context must have read access to
        the tokenGroupsGlobalAndUniversal attribute on the user object. Read access
        to the tokenGroupsGlobalAndUniversal attribute is granted to the
        Pre-Windows 2000 Compatible Access group, but new domains contain an empty
        Pre-Windows 2000 Compatible Access group by default because the default
        setup selection is Permissions compatible with Windows 2000 and Windows
        Server 2003. Therefore, applications may not have access to the
        tokenGroupsGlobalAndUniversal attribute; in this case, the
        AuthzInitializeContextFromSid function fails with ACCESS_DENIED.
        Applications that use this function should correctly handle this error and
        provide supporting documentation. To simplify granting accounts permission
        to query a user's group information, add accounts that need the ability to
        look up group information to the Windows Authorization Access Group.



        Are you running the code through a web browser? Can the same code work in a
        WinForm application or when debugging this site in Visual Studio? Please
        check if current user running the process has been added to the Windows
        Authorization Access Group.

        Please let me know if you made any progress on this issue.

        Regards,
        Allen Chen
        Microsoft Online Support
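        As an added worked example (not code from this thread, from the role provider
        discussed in it, or from Microsoft), the following C# shows what the advice in
        reply #4 looks like when applied: the PrincipalContext is built from the DNS
        domain name rather than a "host/DN" string, and a PrincipalOperationException
        with ErrorCode 5 (ACCESS_DENIED) from GetAuthorizationGroups() is handled as
        the documented "no read access to tokenGroupsGlobalAndUniversal" case instead
        of surfacing as an unhandled exception in the page. The class name
        AdRoleLookup, the parameter names and the fallback policy are this example's
        own assumptions; error 1355 is handled because reply #6 reports it when the
        domain is given in the wrong form.

        ```csharp
        // Added example, not code from the thread. It applies the advice in reply #4:
        // build the PrincipalContext from the DNS domain name (ad.DdGroup.com in the
        // thread; a placeholder argument here) and treat ErrorCode 5 (ACCESS_DENIED)
        // from GetAuthorizationGroups() as the documented permission problem on
        // tokenGroupsGlobalAndUniversal. All names below are this example's own.
        using System;
        using System.Collections.Generic;
        using System.DirectoryServices.AccountManagement;
        using System.Security.Principal;

        public static class AdRoleLookup
        {
            public const int ErrorAccessDenied = 5;     // AuthZ could not read tokenGroupsGlobalAndUniversal
            public const int ErrorNoSuchDomain = 1355;  // "Information about the domain could not be retrieved"

            // Returns the user's group names. 'authoritative' is true only when the
            // full token group list (nested and universal groups included) was obtained.
            public static IList<string> GetRolesForUser(
                string domainDns,        // e.g. "ad.example.com", NOT "10.13.1.11/DC=..." (reply #4)
                string serviceUser,      // account that queries AD; needs Windows Authorization Access Group
                string servicePassword,
                string username,
                out bool authoritative)
            {
                var results = new List<string>();
                authoritative = false;

                using (var context = new PrincipalContext(ContextType.Domain, domainDns, serviceUser, servicePassword))
                using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
                {
                    if (user == null)
                        return results;   // unknown user: empty role set, no exception to the page

                    try
                    {
                        using (var groups = user.GetAuthorizationGroups())
                        {
                            foreach (Principal g in groups)
                                results.Add(g.SamAccountName);
                        }
                        authoritative = true;
                    }
                    catch (PrincipalOperationException ex)
                    {
                        if (ex.ErrorCode == ErrorNoSuchDomain)
                            throw new InvalidOperationException(
                                "Domain '" + domainDns + "' could not be contacted; pass the DNS domain name, "
                                + "not an IP address or distinguished name.", ex);
                        if (ex.ErrorCode != ErrorAccessDenied)
                            throw;

                        // ACCESS_DENIED: record which identities were involved so an administrator
                        // knows what to add to Windows Authorization Access Group, then degrade to
                        // direct memberships only (GetGroups), which the thread confirms still works.
                        Console.Error.WriteLine(
                            "GetAuthorizationGroups denied (error 5). Process identity: {0}; query account: {1}. "
                            + "Falling back to direct memberships only.",
                            WindowsIdentity.GetCurrent().Name, serviceUser);

                        using (var groups = user.GetGroups())
                        {
                            foreach (Principal g in groups)
                                results.Add(g.SamAccountName);
                        }
                    }
                }
                return results;
            }
        }
        ```

        The fallback deliberately fails toward fewer privileges: GetGroups() returns
        only the groups the user is a direct member of, so roles granted through
        nested groups disappear rather than being guessed. A caller that cannot
        tolerate an incomplete role set can check the authoritative flag and refuse
        the request, and the logged process identity tells the administrator which
        account (the application pool identity or the explicit query account) to add
        to Windows Authorization Access Group.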


        • Jerry C

          #5
          RE: System.DirectoryServices GetAuthorizationGroups() function Error

          Allen,

          Thank you for your reply.

          I probably do not understand how to grant the calling context the permissions.

          I placed the user mentioned in the PrincipalContext function call (_UserName and
          _Password, which is a user in the other domain) in the Windows Authorization
          Access Group on the other domain.
          I still get the error.

          The code is running in IIS 6.0 on a Windows 2003 server.

          The domain I am accessing is not the local domain but another domain. The
          local machine is in a DMZ and a member of the DMZ (local) domain, and the
          other domain is the internal network domain. The DMZ domain trusts the
          internal domain.

          The question is now who is the "current user". The application pool for the
          app is NETWORK SERVICE from the local machine; is that the current user, or is
          it the anonymous user, which is the IUSR? The app uses forms auth, so is
          it the user there, which is not a user on any machine or domain? Or is it the
          user used in the PrincipalContext function call? If it is a user on the local
          machine, how do I put that user in the Windows Authorization Access Group, and
          even at that, which machine's/domain's Windows Authorization Access Group
          does it go in?

          As you can tell by now I do not understand Microsoft security.

          Thank you for your help
          --
          Jerry



          • Jerry C

            #6
            RE: System.DirectoryServices GetAuthorizationGroups() function Error

            Allen,

            I set up a Test Domain in my office and I am still getting errors on
            GetAuthorizationGroups.

            I put the user used in the PrincipalContext context = new PrincipalContext(
            ContextType.Domain, _DomainDN, _UserName, _Password) call in the Windows
            Authorization Access Group, but I am still getting errors.

            The error now is:
            Information about the domain could not be retrieved (1355).

            Other functions work with the AD like:
            searcher.SearchRoot = new DirectoryEntry(ConnectionString, _UserName,
                _Password);

            This works so I am communicating with the AD.

            Hope this helps

            Thank You,




            --
            Jerry



            • Allen Chen [MSFT]

              #7
              RE: System.DirectoryServices GetAuthorizationGroups() function Error

              Hi Jerry,

              First I would suggest you add Anonymous Logon to the Windows Authorization
              Access Group of the AD server to test if it works. Or try to use
              impersonate in ASP.NET:

              <system.web>
                <identity impersonate="true" userName="username" password="password"/>
              </system.web>

              The username specifies the account that accesses the Active Directory. Try
              to add this account to Windows Authorization Access Group to see if it
              works.

              From your description I would predict it's related to AD settings and
              troubleshooting. Since this group is dedicated to ASP.NET, I suggest you
              contact CSS for incident-based support:



              Our dedicated support engineer will work with you on this issue.

              Regards,
              Allen Chen
              Microsoft Online Community Support


              • Allen Chen [MSFT]

                #8
                RE: System.DirectoryServices GetAuthorizationGroups() function Error

                Hi Jerry,

                Do you have any progress on this issue?

                Regards,
                Allen Chen
                Microsoft Online Community Support
