Retrieve User Roles

randy - 24 Oct 2005 15:04 GMT
Hello all,

Is it possible to retrieve a list of Roles for a user with only a Username
in ASP.NET?  I have searched and searched and continually come across using
System.Security.Principal.WindowsIdentity object.  When I supply a UPN
(domain\user or user@domain.com), I'm handed a "Unable to login" error.  I
have been tasked to create a report displaying Active Directory users and
their current permissions (roles).

Any code would help, please.
Jas - 26 Oct 2005 07:13 GMT
WindowsIdentity is not going to help you.  

I'm not sure about this but just an idea -  could DirectorySearcher help you?
Or maybe calling native code to get this information?  

-jas

> Hello all,
>
[quoted text clipped - 6 lines]
>
> Any code would help, please.
Joe Kaplan (MVP - ADSI) - 26 Oct 2005 12:13 GMT
WindowsIdentity in .NET 2.0 actually helps a lot as it now has a Groups
property.  However, that is hidden in the internal class state in .NET 1.x.
You can use reflection to hack it out though.

If you want to retrieve group membership via LDAP, then you want to use
System.DirectoryServices.  Ryan's blog posting has a pretty good sample on
the right way to do transitive group membership expansion.

http://dunnry.com/blog/CategoryView.aspx?category=DirectoryServices#a4174a2c1-d105-4fbb-ab86-40bd2ab53da6


The reason the WindowsIdentity "UPN" constructor probably isn't working is
that it requires 2003 domain controllers and must be executed on a 2003
server as well.  It uses a new feature called Protocol Transition, or S4U
Kerberos, to create the WindowsIdentity, and those APIs only exist in 2003.

Joe K.

> WindowsIdentity is not going to help you.
>
[quoted text clipped - 17 lines]
>>
>> Any code would help, please.
Dominick Baier [DevelopMentor] - 26 Oct 2005 12:36 GMT
Hello Joe,

yeah - there is a hack available for 1.1

you can find it here:
http://weblogs.asp.net/pglavich/archive/2004/09/29/235670.aspx

the code shown there does not work under 2.0 anymore, so be careful - or
use P/Invoke directly.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> WindowsIdentity in .NET 2.0 actually helps a lot as it now has a Groups
> property.  However, that is hidden in the internal class state in .NET
[quoted text clipped - 39 lines]
>>> their current permissions (roles).
>>> Any code would help, please.
richlm - 26 Oct 2005 12:53 GMT
There are some examples - including the one you are looking for - at:
http://www.codeproject.com/dotnet/QueryADwithDotNet.asp
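
One way to do the System.DirectoryServices lookup suggested in Joe Kaplan's reply, as an added example that is not code from the thread or from the linked posts. It assumes .NET 2.0 or later and a process identity that can read the current domain; reading the `tokenGroups` attribute and the names `UserGroups`, `GetGroups` and `EscapeFilter` are choices made for this example, not something the thread specifies.

```csharp
// Added example, not from the thread. Assumes .NET 2.0+ and a process
// identity that is allowed to read the current domain.
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class UserGroups   // hypothetical helper name
{
    // Escape a value for an LDAP search filter (RFC 4515) so a supplied
    // user name cannot change the meaning of the filter.
    static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns the security groups, nested ones included, of one account.
    public static List<string> GetGroups(string samAccountName)
    {
        List<string> groups = new List<string>();
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilter(samAccountName) + "))";
        using (DirectorySearcher searcher = new DirectorySearcher(filter))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) return groups;   // no such user
            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute: request it explicitly.
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    // Fall back to the raw SID when it cannot be resolved to a name.
                    try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
                    catch (IdentityNotMappedException) { groups.Add(sid.Value); }
                }
            }
        }
        return groups;
    }
}
```

`tokenGroups` holds security group SIDs only, so distribution groups do not appear in the result.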
