System.DirectoryServices GetAuthorizationGroups() function Error

[Jerry C]

I am using this code to get groups for a user and getting a error (5) on the
GetAuthorizationGroups() function .

There are two domains.
This function works on the local domain but does not work on the other domain.
Other functions work on the other domain like get all the users and get all
the groups and I can validate users on the other domain so I think I am
communciating with the other domain OK just not with the
GetAuthorizationGroups() function.

ArrayList results = new ArrayList();

PrincipalContext context = new PrincipalContext(ContextType.Domain, null,
_DomainDN, _UserName, _Password);

UserPrincipal p =
UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName, username);

var groups = p.GetAuthorizationGroups();

foreach (GroupPrincipal group in groups)
{
results.Add(group.SamAccountName);
}

I can use the p.GetGroups() function and it will work.
I cannot find much on this GetAuthorizationGroups function and nothing on
the error.

Thank you,

 

[Allen Chen [MSFT]]

Hi Jerry,

From your description p.GetGroups() can work but p.GetAuthorizationGroups()
can't, right? However, I cannot reproduce this problem. My local machine is
a member of domain1 and I tried following code:

ArrayList results = new ArrayList();


PrincipalContext context = new
PrincipalContext(ContextType.Domain, null, "domain2"
, "myusername ","mypassword");
UserPrincipal p =
UserPrincipal.FindByIdentity(context,
IdentityType.SamAccountName, "a user of the domain2");

var groups = p.GetAuthorizationGroups();

foreach (var group in groups)
{
results.Add(group.Name);
}

It worked fine. Could you provide the detailed exception message?

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: System.DirectoryServices GetAuthorizationGroups() function
Error
| thread-index: AclENE/5WkjxMs+pRWWgJZOH/c5fQw==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?SmVycnkgQw==?= <[email protected]>
| Subject: System.DirectoryServices GetAuthorizationGroups() function Error
| Date: Tue, 11 Nov 2008 11:33:02 -0800
| Lines: 32
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet:79676
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| I am using this code to get groups for a user and getting a error (5) on
the
| GetAuthorizationGroups() function .
|
| There are two domains.
| This function works on the local domain but does not work on the other
domain.
| Other functions work on the other domain like get all the users and get
all
| the groups and I can validate users on the other domain so I think I am
| communciating with the other domain OK just not with the
| GetAuthorizationGroups() function.
|
| ArrayList results = new ArrayList();
|
| PrincipalContext context = new PrincipalContext(ContextType.Domain, null,
| _DomainDN, _UserName, _Password);
|
| UserPrincipal p =
| UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName,
username);
|
| var groups = p.GetAuthorizationGroups();
|
| foreach (GroupPrincipal group in groups)
| {
| results.Add(group.SamAccountName);
| }
|
| I can use the p.GetGroups() function and it will work.
| I cannot find much on this GetAuthorizationGroups function and nothing on
| the error.
|
| Thank you,
| --
| Jerry
|

 

[Jerry C]

Allen,

Thank you for the reply.

Here is the error page:

While trying to retrieve the authorization groups, an error (5) occurred.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details:
System.DirectoryServices.AccountManagement.PrincipalOperationException: While
trying to retrieve the authorization groups, an error (5) occurred.

Source Error:


Line 281: {
Line 282: UserPrincipal p =
UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName, username);
Line 283: var groups = p.GetAuthorizationGroups();
Line 284: //var groups = p.GetGroups();
Line 285: foreach (GroupPrincipal group in groups)


Source File:
c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs
Line: 283

Stack Trace:


[PrincipalOperationException: While trying to retrieve the authorization
groups, an error (5) occurred.]
System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid,
NetCred credentials, ContextOptions contextOptions, String flatUserAuthority,
StoreCtx userStoreCtx, Object userCtxBase) +1355

System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) +220

System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() +50

System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups() +22
CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in
c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:283

[ProviderException: Unable to query Active Directory.]
CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in
c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:305
UserGroup.LoadUsersGroups(String UserId, String RoleProvider) in
c:\inetpub\wwwroot\CDActiveDirectory\App_Code\VBCode\UserGroup.vb:113
UserMaintenance.LoadUser() in
c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:656
UserMaintenance.ddlUsers_SelectedIndexChanged(Object sender, EventArgs e)
in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:1737
System.Web.UI.WebControls.ListControl.OnSelectedIndexChanged(EventArgs e)
+111
System.Web.UI.WebControls.DropDownList.RaisePostDataChangedEvent() +134

System.Web.UI.WebControls.DropDownList.System.Web.UI.IPostBackDataHandler.RaisePostDataChangedEvent() +10
System.Web.UI.Page.RaiseChangedEvents() +165
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1485




--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3053;
ASP.NET Version:2.0.50727.3053
--

Maybe I am using the incorrect syntax for the domain;
I am using :
"10.13.1.11/DC=ad,DC=DdGroup,DC=com"

What syntax are you using.


Thank you


Jerry

 

[Allen Chen [MSFT]]

Hi Jerry,

Sorry for the late reply. Since I'm not dedicated to AD development I need
to communicate with other specialists to get some helpful information.

First the parameters used in the constructor method of PrincipalContext are
incorrect.It would be better to use following method:

PrincipalContext context = new
PrincipalContext(ContextType.Domain,"ad.DdGroup.com", _UserName, _Password);

It's a coincidence that what we tried initially happens to work (due to the
string build in the method internal). However, this is not supported like
this.

Secondly, about this exception, the GetAuthorizationGroups function
actually uses the AuthZ APIs underneath to build the group list. The AuthZ
api requires access to read certain attributes from AD. See this note from
MSDN for the AuthZ API. ( error 5 is ACCESS_DENIED )

Important Applications should not assume that the calling context has
permission to use this function. The AuthzInitializeContextFromSid function
reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in
the call to determine the current user's group memberships. If the user's
object is in Active Directory, the calling context must have read access to
the tokenGroupsGlobalAndUniversal attribute on the user object. Read access
to the tokenGroupsGlobalAndUniversal attribute is granted to the
Pre-Windows 2000 Compatible Access group, but new domains contain an empty
Pre-Windows 2000 Compatible Access group by default because the default
setup selection is Permissions compatible with Windows 2000 and Windows
Server 2003. Therefore, applications may not have access to the
tokenGroupsGlobalAndUniversal attribute; in this case, the
AuthzInitializeContextFromSid function fails with ACCESS_DENIED.
Applications that use this function should correctly handle this error and
provide supporting documentation. To simplify granting accounts permission
to query a user's group information, add accounts that need the ability to
look up group information to the Windows Authorization Access Group.

http://msdn.microsoft.com/en-us/library/aa376309(VS.85).aspx

Are you running the code through a web browser? Can the same code work in a
WinForm application or when debugging this site in Visual Studio? Please
check if current user running the process has been added to the Windows
Authorization Access Group.

Please let me know if you made any progress on this issue.

Regards,
Allen Chen
Microsoft Online Support

--------------------
| Thread-Topic: System.DirectoryServices GetAuthorizationGroups() function
Er
| thread-index: AclEyTpuGzAipJmhTI+vAAYsZSwPgg==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?SmVycnkgQw==?= <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: RE: System.DirectoryServices GetAuthorizationGroups() function
Er
| Date: Wed, 12 Nov 2008 05:19:01 -0800
| Lines: 86
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet:79727
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Allen,
|
| Thank you for the reply.
|
| Here is the error page:
|
| While trying to retrieve the authorization groups, an error (5) occurred.
| Description: An unhandled exception occurred during the execution of the
| current web request. Please review the stack trace for more information
about
| the error and where it originated in the code.
|
| Exception Details:
| System.DirectoryServices.AccountManagement.PrincipalOperationException:
While
| trying to retrieve the authorization groups, an error (5) occurred.
|
| Source Error:
|
|
| Line 281: {
| Line 282: UserPrincipal p =
| UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName,
username);
| Line 283: var groups = p.GetAuthorizationGroups();
| Line 284: //var groups = p.GetGroups();
| Line 285: foreach (GroupPrincipal group in groups)
|
|
| Source File:
| c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs
| Line: 283
|
| Stack Trace:
|
|
| [PrincipalOperationException: While trying to retrieve the authorization
| groups, an error (5) occurred.]
| System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[]
userSid,
| NetCred credentials, ContextOptions contextOptions, String
flatUserAuthority,
| StoreCtx userStoreCtx, Object userCtxBase) +1355
|
|
System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Pr
incipal p) +220
|
|
System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGro
upsHelper() +50
|
|
System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGro
ups() +22
| CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in
| c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:283
|
| [ProviderException: Unable to query Active Directory.]
| CDMem.Roles.ADRoleProvider.GetRolesForUser(String username) in
| c:\Inetpub\wwwroot\CDActiveDirectory\App_Code\CSCode\ADRoleProvider.cs:305
| UserGroup.LoadUsersGroups(String UserId, String RoleProvider) in
| c:\inetpub\wwwroot\CDActiveDirectory\App_Code\VBCode\UserGroup.vb:113
| UserMaintenance.LoadUser() in
| c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:656
| UserMaintenance.ddlUsers_SelectedIndexChanged(Object sender, EventArgs
e)
| in c:\inetpub\wwwroot\CDActiveDirectory\UserMaintenance.aspx.vb:1737
| System.Web.UI.WebControls.ListControl.OnSelectedIndexChanged(EventArgs
e)
| +111
| System.Web.UI.WebControls.DropDownList.RaisePostDataChangedEvent() +134
|
|
System.Web.UI.WebControls.DropDownList.System.Web.UI.IPostBackDataHandler.Ra
isePostDataChangedEvent() +10
| System.Web.UI.Page.RaiseChangedEvents() +165
| System.Web.UI.Page.ProcessRequestMain(Boolean
| includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1485
|
|
|
|
----------------------------------------------------------------------------
----
| Version Information: Microsoft .NET Framework Version:2.0.50727.3053;
| ASP.NET Version:2.0.50727.3053
| --
|
| Maybe I am using the incorrect syntax for the domain;
| I am using :
| "10.13.1.11/DC=ad,DC=DdGroup,DC=com"
|
| What syntax are you using.
|
|
| Thank you
|
|
| Jerry
|
|
|

 

[Jerry C]

Allen,

Thank you for your reply.

I probably do not understand how to grant the calling context the permissions.

I placed the user mentioned in PrincipalContext function call _UserName and
_Password ,which is a user in the other domain , in the Windows authorization
Access Group. on the other domain.
I still get the error.

The code is running in iis 6.0 on a windows 2003 server.

The domain I am accessing is not the local domain but a other domain. The
local machine is in a DMZ and a member of the DMZ (local) domain and the
other domain is the internal network domain. the DMZ domain trusts the
internal domain

The question is now who is the "current user". The application pool for the
app is NETWORK SERVICE from the local machine, is that the current user or is
it the the anonymous user, which is the iusr. The app uses forms auth so is
it the user there, which is not a user on any machine or domain. or is it the
user used in the PrincipalContext function call. if it is a user on the local
machine how do I put that user in the Windows Authorization Access Group and
even at that which machine's/domain's Windows Authorization Access Group
does it go in.

As you can tell by now I do not understand Microsoft security.

Thank you for your help

 

[Jerry C]

Allen,

I set up a Test Domain in my office and I still am getting errors on the
GetAuthorizationGroups.

I put the user used in the PrincipalContext context = new PrincipalContext(
ContextType.Domain, _DomainDN, _UserName, _Password call in the Windows
Authorization Access Group but I am still getting errors.

The error now is:
Information about the domain could not be retrieved (1355).

Other functions work with the AD like:
searcher.SearchRoot = new DirectoryEntry(ConnectionString, _UserName,
_Password);

This works so I am communicating with the AD.

Hope this helps

Thank You,

 

[Allen Chen [MSFT]]

Hi Jerry,

First I would suggest you add Anonymous Logon to the Windows Authorization
Access Group of the AD server to test if it works. Or try to use
impersonate in ASP.NET:

<system.web>
<identity impersonate="true" userName="username" password="password"/>
</system.web>

The username specifies the account that accesses the Active Directory. Try
to add this account to Windows Authorization Access Group to see if it
works.

From your description I would predict it's related to AD settings and
troubleshooting. Since this group is dedicated to ASP.NET I suggest you
contact CSS for incident based support:

http://support.microsoft.com/select/default.aspx?target=assistance&ln=en-us

Our dedicated support engineer will work with you on this issue.

Regards,
Allen Chen
Microsoft Online Community Support

 

[Allen Chen [MSFT]]

Hi Jerry,

Do you have any progress on this issue?

Regards,
Allen Chen
Microsoft Online Community Support