Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

TokenGroups and DSQuery returning no groups for a user

Last post 07-18-2010, 8:16 AM by john41980. 3 replies.
  •  06-24-2009, 6:47 AM 6722

    TokenGroups and DSQuery returning no groups for a user

    We have an asp.net application which relies on getting back the tokengroups for an AD user using an LDAP query. This is installed at a number of client sites without any problems.

    We have one client site where for a sub set of users we get no results back when attempting to populate tokengroups.

    I have therefore been debugging this with dsquery for a particular user where there is a problem. Running "dsquery * "CN=etc" -scope base -attr *" returns no groups that the user is a member of, but the primary group is set to 513 (Domain Users). At the very least I would expect tokenGroups to return this.

    I know the user is a member of some groups, and running the query "dsquery * "CN=groupdetails etc" -attr *" shows the user to be in the list of members for that group. I have obtained a list of the groups from the AD administrator to try and see if I can find a pattern, but nothing seems obvious.

    Has anyone come across this before? What can I do to get the tokenGroups attribute to populate?

    Relevant code snippet (C#):
    No exceptions are thrown, and the userEntry is empty when refreshing the cache.

    using System;
    using System.DirectoryServices;

    // Look up the user's DirectoryEntry by objectSid. GetDirectorySearcher,
    // SwitchToApplicationPool and convertedSidBuilder are our own helpers (not shown here).
    private DirectoryEntry GetUserEntry(string LDAPPath)
    {
        using (DirectoryEntry entry = new DirectoryEntry(LDAPPath))
        {
            // Initialise the searcher using the SID.
            using (DirectorySearcher search = GetDirectorySearcher(entry, "(objectSid=" + convertedSidBuilder.ToString() + ")"))
            {
                using (new SwitchToApplicationPool())
                {
                    // Find the result - if there is one.
                    SearchResult result = search.FindOne();

                    // Not found any results.
                    if (result == null)
                    {
                        throw new Exception("No user found for SID " + convertedSidBuilder.ToString());
                    }

                    // Get details of the user.
                    return result.GetDirectoryEntry();
                }
            }
        }
    }

    // Now find out their groups. tokenGroups is a constructed attribute, so it has to be
    // requested explicitly; this is where the property comes back empty for some users.
    DirectoryEntry userEntry = GetUserEntry(LDAPPath);
    userEntry.RefreshCache(new string[] { "tokenGroups" });

    Thanks

    Stephen
  •  06-24-2009, 10:26 AM 6727 in reply to 6722

    Re: TokenGroups and DSQuery returning no groups for a user

    There is a chance that you don't have read permission to tokenGroups for a specific set of users because the ACL on those objects does not have the "pre Win2K" group granted read access and no other ACEs grant generic read either. It may be that these users are either all admin users and have inheritance blocked on their objects, or that it is the normal users that have this problem whereas the admin users in the directory DO have the pre-Win2K grant with the blocked security descriptor.

    Either way, you'll need to ensure that your ID has read rights on tokenGroups for this to work. The bottom line is that in typical AD installs, normal users have read rights on tokenGroups, but it CAN be taken away with certain default ACL setups, and that can cause your app to break because you take a dependency on a permission that you don't actually have.

    Hopefully that provides some info. If you need more detail on why some objects have ACL inheritance blocked by default, do some searches on adminSDHolder.

    Best of luck!

  •  06-25-2009, 2:14 AM 6736 in reply to 6727

    Re: TokenGroups and DSQuery returning no groups for a user

    We have managed to get to the bottom of this, and as you suggested it was security. A set of users did not allow our application account read permissions. Thanks very much.
  •  07-18-2010, 8:16 AM 8484 in reply to 6736

    Re: TokenGroups and DSQuery returning no groups for a user

    Hi

    I have a question along the same lines. I have used the PrincipalContext GetAuthorizationGroups method and the tokenGroups method for getting nested group membership details.

    Both have worked fine for me apart from on a client's directory. I can retrieve both for a particular user, but when I try to get the tokenGroups attribute for another user it returns nothing. I have tried testing with a user that is at the same level as the user that works.

    I have used ldp.exe on the client's network and I get the same results.

    If it is a case of permissions, what do I need to get the client to check? I can only read the directory and will need to ask the client to grant permissions for the attribute to be read.
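The check the client's administrator would run for the permission problem described in this thread, as an added example that is not part of the original posts: it lists the ACEs on the failing user object that grant ReadProperty on tokenGroups (or on all properties) and flags the adminSDHolder pattern (adminCount=1 with inheritance blocked). It assumes the RSAT ActiveDirectory module and an account that can read nTSecurityDescriptor; the user name 'jdoe' is a constructed placeholder.

```powershell
# Added diagnostic, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TokenGroupsReadGrants {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName or DN of the failing user

    # Resolve the schema GUID of tokenGroups from the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=tokenGroups)' `
                         -Properties schemaIDGUID
    $tokenGroupsGuid = [guid]$attr.schemaIDGUID

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $sd = $user.nTSecurityDescriptor          # System.DirectoryServices.ActiveDirectorySecurity

    $readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $grants = $sd.Access | Where-Object {
        # ReadProperty bit covers explicit ReadProperty as well as GenericRead / GenericAll.
        (($_.ActiveDirectoryRights -band $readProp) -ne 0) -and
        # Empty ObjectType = all properties; otherwise the ACE must name tokenGroups itself.
        # Grants made through a property-set GUID are not expanded by this check.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $tokenGroupsGuid)
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

    [pscustomobject]@{
        User               = $user.DistinguishedName
        AdminCount         = $user.adminCount            # 1 = protected by adminSDHolder
        InheritanceBlocked = $sd.AreAccessRulesProtected # true = inherited ACEs stripped
        ReadGrants         = $grants                     # Allow and Deny entries, for comparison
    }
}

# Compare ReadGrants (including "Pre-Windows 2000 Compatible Access" and
# "Authenticated Users") against the application account's group memberships.
Get-TokenGroupsReadGrants -Identity 'jdoe' | Format-List
```

If the application account matches no Allow entry, or matches a Deny entry, the empty tokenGroups result is a permission problem rather than a membership problem.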