Hi Jerry,
Sorry for the late reply. Since I'm not dedicated to AD development I need
to communicate with other specialists to get some helpful information.
First, the parameters used in the constructor of PrincipalContext are
incorrect. It would be better to use the following method:
PrincipalContext context = new
PrincipalContext(ContextType.Domain, "ad.DdGroup.com", _UserName, _Password);
It's a coincidence that what we tried initially happens to work (due to the
string build in the method internal). However, this is not supported like
this.
Secondly, about this exception, the GetAuthorizationGroups function
actually uses the AuthZ APIs underneath to build the group list. The AuthZ
API requires access to read certain attributes from AD. See this note from
MSDN for the AuthZ API. (Error 5 is ACCESS_DENIED.)
Important: Applications should not assume that the calling context has
permission to use this function. The AuthzInitializeContextFromSid function
reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in
the call to determine the current user's group memberships. If the user's
object is in Active Directory, the calling context must have read access to
the tokenGroupsGlobalAndUniversal attribute on the user object. Read access
to the tokenGroupsGlobalAndUniversal attribute is granted to the
Pre-Windows 2000 Compatible Access group, but new domains contain an empty
Pre-Windows 2000 Compatible Access group by default because the default
setup selection is Permissions compatible with Windows 2000 and Windows
Server 2003. Therefore, applications may not have access to the
tokenGroupsGlobalAndUniversal attribute; in this case, the
AuthzInitializeContextFromSid function fails with ACCESS_DENIED.
Applications that use this function should correctly handle this error and
provide supporting documentation. To simplify granting accounts permission
to query a user's group information, add accounts that need the ability to
look up group information to the Windows Authorization Access Group.
http://msdn.microsoft.com/en-us/libr...09(VS.85).aspx
Are you running the code through a web browser? Can the same code work in a
WinForm application or when debugging this site in Visual Studio? Please
check whether the current user running the process has been added to the
Windows Authorization Access Group.
Please let me know if you made any progress on this issue.
Regards,
Allen Chen
Microsoft Online Support
--------------------
| From: Jerry C <je*****@nospam.nospam>
| Subject: RE: System.DirectoryServices GetAuthorizationGroups() function Er
| Date: Wed, 12 Nov 2008 05:19:01 -0800
| Newsgroups: microsoft.public.dotnet.framework.aspnet
|
| Allen,
|
| Thank you for the reply.
|
| Here is the error page:
|
| While trying to retrieve the authorization groups, an error (5) occurred.
| Description: An unhandled exception occurred during the execution of the
| current web request. Please review the stack trace for more information about
| the error and where it originated in the code.
|
| Exception Details:
| System.DirectoryServices.AccountManagement.PrincipalOperationException: While
| trying to retrieve the authorization groups, an error (5) occurred.
|
| Source Error:
|
| Line 281: {
| Line 282: UserPrincipal p = UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName, username);
| Line 283: var groups = p.GetAuthorizationGroups();
| Line 284: //var groups = p.GetGroups();
| Line 285: foreach (GroupPrincipal group in groups)
|
| Source File:
| c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs
| Line: 283
|
| Stack Trace:
|
| [PrincipalOperationException: While trying to retrieve the authorization groups, an error (5) occurred.]
| System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase) +1355
| System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) +220
| System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() +50
| System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups() +22
| CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:283
|
| [ProviderException: Unable to query Active Directory.]
| CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:305
| UserGroup.LoadUsersGroups(String UserId, String RoleProvider) in c:\inetpub\wwwroot\CDActiveDirectory\App_Code\VBCode\UserGroup.vb:113
| UserMaintenance.LoadUser() in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:656
| UserMaintenance.ddlUsers_SelectedIndexChanged(Object sender, EventArgs e) in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:1737
| System.Web.UI.WebControls.ListControl.OnSelectedIndexChanged(EventArgs e) +111
| System.Web.UI.WebControls.DropDownList.RaisePostDataChangedEvent() +134
| System.Web.UI.WebControls.DropDownList.System.Web.UI.IPostBackDataHandler.RaisePostDataChangedEvent() +10
| System.Web.UI.Page.RaiseChangedEvents() +165
| System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1485
|
| --------------------------------------------------------------------------------
| Version Information: Microsoft .NET Framework Version:2.0.50727.3053;
| ASP.NET Version:2.0.50727.3053
| --
|
| Maybe I am using the incorrect syntax for the domain;
| I am using :
| "10.13.1.11/DC=ad,DC=DdGroup,DC=com"
|
| What syntax are you using?
|
|
| Thank you
|
|
| Jerry
|
|
|
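
Added example (not part of the original thread, and not the poster's or Microsoft's code): one way a role provider could use the four-argument PrincipalContext constructor shown above and handle the ACCESS_DENIED case from GetAuthorizationGroups() explicitly, as the MSDN note asks. The class and method names are hypothetical, and it assumes PrincipalOperationException.ErrorCode carries the Win32 code 5 reported in the error page.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper, for illustration only.
static class AdGroupLookup
{
    const int ErrorAccessDenied = 5; // Win32 ERROR_ACCESS_DENIED, the "error (5)" above

    // domain is a DNS domain name such as "ad.DdGroup.com"; bindUser and
    // bindPassword are the account the lookup runs as (caller-supplied).
    public static List<string> GetAuthorizationGroupNames(
        string domain, string bindUser, string bindPassword, string samAccountName)
    {
        var names = new List<string>();
        using (var context = new PrincipalContext(
                   ContextType.Domain, domain, bindUser, bindPassword))
        using (var user = UserPrincipal.FindByIdentity(
                   context, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + samAccountName);
            try
            {
                // Uses the AuthZ APIs, which read tokenGroupsGlobalAndUniversal
                // on the user object; the bind account needs read access to it.
                using (var groups = user.GetAuthorizationGroups())
                {
                    foreach (Principal group in groups)
                        names.Add(group.SamAccountName);
                }
            }
            catch (PrincipalOperationException ex)
            {
                // Assumption: ErrorCode holds the Win32 error from the AuthZ call.
                if (ex.ErrorCode != ErrorAccessDenied)
                    throw;
                // Fail closed. Do not silently fall back to GetGroups(): it returns
                // only direct memberships, so role decisions would be made on an
                // incomplete group list.
                throw new UnauthorizedAccessException(
                    "Account '" + bindUser + "' cannot read group membership for '" +
                    samAccountName + "'. Add it to the Windows Authorization Access " +
                    "Group (or grant read access to tokenGroupsGlobalAndUniversal).", ex);
            }
        }
        return names;
    }
}
```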