Last post Apr 19, 2006 07:52 AM by Loretta
Apr 18, 2006 09:57 AM | Loretta
I am using the tokenGroups attribute on a user object to determine the user's group memberships. I am using tokenGroups instead of memberOf because I need to see nested memberships as well. I was successfully returning the groups for users on my local development machine (ASP.NET), and when I deployed to our staging web server, the application did not work as expected. The application would retrieve the tokenGroups attribute without error; however, the count of the property array was 0, indicating that no values were being returned. Then suddenly one day the application just started working on the staging server. I'm not sure what changed, but it wasn't my code. Now, just as suddenly as it started working, the application does not work in either my local development environment or my staging environment. The application does not error out; it simply returns nothing in the attribute being requested. I have the following setting in my web.config:
<identity impersonate="true" userName="domain\user" password="password" />
And I am binding to Active Directory using the following:
where my ADUser is set to the userPrincipalName of the user I am using for impersonation. Does anyone have any ideas on what could be going wrong here?
Apr 18, 2006 10:12 AM | dunnry
Apr 18, 2006 12:59 PM | Loretta
That is great advice on using the application pool and setting the domain credentials using that. I will change the app to do that for sure.
I agree that it is odd that the code would work in one environment and not another. Are special permissions needed to access the tokenGroups attribute or is that a setting that is specific to our Active Directory instance?
Apr 18, 2006 04:10 PM | dunnry
Apr 18, 2006 04:25 PM | Loretta
I think I may have figured out what the problem is, but it still doesn't seem quite right to me. I was using the Global Catalog to find the user in Active Directory. Once I found the user I would return the SearchResult.GetDirectoryEntry. From there I would do the refresh as you mentioned above and try to access the attribute. But there was nothing in there.

When I changed the code to query for the user using straight LDAP for my path, the problem corrected itself. I don't understand why that would happen. Wouldn't SearchResult.GetDirectoryEntry based on a GC path result in the same object as SearchResult.GetDirectoryEntry based on an LDAP path?
Apr 18, 2006 04:47 PM | dunnry
Apr 19, 2006 07:52 AM | Loretta
Thank you for all your help. I really love these forums! I just stumbled across them yesterday and you can guarantee I will be using them again in the future. Just to complete this post for others who may be reading through it looking for help, this is what I ended up doing.

I used the Global Catalog (GC://) to find my user. Once I had the user, I was able to determine the path to the object. I then used straight LDAP to bind directly to the user object. From there all the attributes were available that I needed. I refreshed the tokenGroups attribute and everything worked as I expected.
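The two-step approach described in this last post (locate the user through the Global Catalog, then re-bind to the object over plain LDAP before refreshing tokenGroups), written out as an added C# example; this is not code from the thread. It assumes the placeholder domain example.com, a caller-supplied userPrincipalName, and that the code runs under a domain identity (for instance the application pool account suggested earlier in the thread) that can read the user object.

```csharp
// Added example, not from the original thread. Assumes the placeholder forest
// "example.com" and that the process identity is a domain account.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class TokenGroupsLookup
{
    // RFC 4515 escaping so a caller-supplied UPN cannot alter the search filter.
    static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
    }

    // Returns the user's nested group memberships as DOMAIN\Group names (raw SID when unmappable).
    public static List<string> GetNestedGroups(string userPrincipalName)
    {
        // Step 1: find the user via the Global Catalog. The GC is forest-wide but holds only a
        // partial attribute set, so it is used here solely to learn the object's DN.
        string distinguishedName;
        using (DirectoryEntry gc = new DirectoryEntry("GC://example.com"))
        using (DirectorySearcher searcher = new DirectorySearcher(gc))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName="
                              + EscapeFilter(userPrincipalName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new InvalidOperationException("User not found in GC: " + userPrincipalName);
            distinguishedName = (string)result.Properties["distinguishedName"][0];
        }

        // Step 2: bind straight to the user object over LDAP using that DN, then ask the DC
        // to construct tokenGroups; it is not populated until explicitly refreshed.
        List<string> groups = new List<string>();
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + distinguishedName.Replace("/", "\\/")))
        {
            user.RefreshCache(new string[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
                catch (IdentityNotMappedException) { groups.Add(sid.Value); }
            }
        }
        return groups;
    }
}
```

Call it as TokenGroupsLookup.GetNestedGroups("jdoe@example.com") (placeholder UPN); an empty list with no exception is the symptom the thread describes and usually means the entry was bound through a GC path rather than an LDAP path.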