private List <GroupPrincipal> GetGroups(string userName)
{
var result = new List <GroupPrincipal>();
var ctx = GetContext();
var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName);
if (user != null)
{
PrincipalSearchResult <Principal> groups = user.GetGroups();
var iterGroup = groups.GetEnumerator();
using (iterGroup)
{
while (iterGroup.MoveNext())
{
try
{
Principal p = iterGroup.Current;
result.Add((GroupPrincipal)p);
}
catch (PrincipalOperationException)
{
continue;
}
}
}
}
return(result);
}
/// <summary>
/// Получить список ролей пользователя AD
/// </summary>
/// <param name="adLogin">логин AD</param>
/// <returns>Список ролей из AD</returns>
private string[] GetUsersADRoles(string adLogin)
{
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain)) {
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, adLogin);
if (user != null)
{
// Только такая реализация. ToArray() и подобное не подходят, из за бага, который MS исправлять
// не планируют в виду "разумного" способа обхода проблемы (игнорирования исключения???).
// А ведь на багу ещё наткнуться надо (плавающий баг) и понять от чего у пользователя проблемы. Козлы...
// FYI https://stackoverflow.com/questions/39525430/system-directoryservices-accountmanagement-nomatchingprincipalexception-an-erro
List <string> list = new List <string>();
PrincipalSearchResult <Principal> groups = user.GetAuthorizationGroups();
IEnumerator <Principal> itemGroup = groups.GetEnumerator();
using (itemGroup) {
while (itemGroup.MoveNext())
{
try {
Principal p = itemGroup.Current;
list.Add(p.Name);
}
catch (NoMatchingPrincipalException) {
// Это фишка решения...
continue;
}
}
return(list.ToArray());
}
}
}
return(new string[0]);
}
/// <summary>
/// This method receives a UserMembershipResult object containing a username to check
/// and get all of the AD groups the user is a member of
/// </summary>
/// <param name="membershipResult">A UserMembershipResult object containing a username
/// to check.</param>
/// <returns>A UserMembershipResult object containing the username to check, a result message,
/// a status code for the AD query and the list of groups the user is a member of.</returns>
public static UserMembershipResult GetAllGroupsByUser(UserMembershipResult membershipResult)
{
// Create output group names list.
membershipResult.groups = new List <string>();
membershipResult.message = string.Empty;
// Set up domain context.
PrincipalContext pc = new PrincipalContext(ContextType.Domain, Domain, Constants.adQueryUser, Constants.adQueryPassword);
// Find the user in AD.
UserPrincipal user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, membershipResult.user);
if (user != null)
{
PrincipalSearchResult <Principal> groups = user.GetAuthorizationGroups();
// Defining iterator object.
var iterator = groups.GetEnumerator();
using (iterator)
{
while (iterator.MoveNext())
{
try
{
Principal p = iterator.Current;
if (p is GroupPrincipal)
{
membershipResult.groups.Add(p.SamAccountName);
}
}
catch (NoMatchingPrincipalException pex)
{
if (membershipResult.code != 1)
{
membershipResult.message = pex.Message;
membershipResult.code = 1;
}
continue;
}
}
}
if (membershipResult.message == string.Empty)
{
membershipResult.message = "Group list generated successfully";
membershipResult.code = 0;
}
return(membershipResult);
}
membershipResult.message = "Input user not found in Active Directory";
membershipResult.code = 2;
return(membershipResult);
}
public IList <string> GetGroupsForADUser(string loginName, string domain)
{
Contract.Requires(!string.IsNullOrWhiteSpace(domain));
try
{
var groupList = new List <string>();
// PrincipalContext encapsulates the server or domain against which all operations are performed.
using (var pc = new PrincipalContext(ContextType.Domain, domain))
{
// Create a reference to the user account we are querying against.
UserPrincipal up = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, loginName);
if (up == null)
{
return(new List <string>());
}
//Get the user's security groups. This is necessary to return nested groups, but will NOT return distribution groups.
PrincipalSearchResult <Principal> groups = up.GetAuthorizationGroups();
// add each group to our groupList. We have to use the Enumerator pattern to iterate over the elements in the
// groups collection and ignore any NoMatchingPrincipalException because of a _bug in ActiveDirectory's GetAuthorizationGroups()
// method.
// See: https://social.msdn.microsoft.com/Forums/vstudio/en-US/9dd81553-3539-4281-addd-3eb75e6e4d5d/getauthorizationgroups-fails-with-nomatchingprincipalexception?forum=csharpgeneral
var groupsEnumerator = groups.GetEnumerator();
while (groupsEnumerator.MoveNext())
{
try
{
var group = groupsEnumerator.Current;
if (group != null && !string.IsNullOrWhiteSpace(group.SamAccountName))
{
groupList.Add(group.SamAccountName);
}
}
catch (NoMatchingPrincipalException)
{
}
}
}
return(groupList);
}
catch (PrincipalServerDownException ex)
{
Exception innerMostEx = ex.GetBaseException();
throw new AuthenticationException("Could not authenticate against the Active Directory server. The AD server could not be contacted.", innerMostEx);
}
}
protected void getGrupos(UserPrincipal usuario)
{
PrincipalSearchResult <Principal> coleccionGrupos = usuario.GetGroups();
var enumerador = coleccionGrupos.GetEnumerator();
{
lstGrupos.Items.Clear();
while (enumerador.MoveNext())
{
lstGrupos.Items.Add(new ListItem(enumerador.Current.ToString()));
}
}
}
protected void getUsuarios(PrincipalContext contexto)
{
if (usuario.Name.Trim() == "Administrator")
{
UserPrincipal usuario = new UserPrincipal(contexto);
PrincipalSearcher buscador = new PrincipalSearcher(usuario);
PrincipalSearchResult <Principal> coleccionUsuarios = buscador.FindAll();
Apodo2.Text = "Usted es el Administrator";
var enumerador = coleccionUsuarios.GetEnumerator();
{
downListUsuarios.Items.Clear();
while (enumerador.MoveNext())
{
downListUsuarios.Items.Add(new ListItem(enumerador.Current.ToString()));
}
}
}
else
{
downListUsuarios.Items.Clear();
downListUsuarios.Items.Add(this.usuario.DisplayName.ToString());
}
}
//add application specific Claims to user's identity
private static ClaimsPrincipal AddCustomClaimsToPrincipal(String userName)
{
PrincipalContext princiContxt = null;
UserPrincipal thePrincipal = null;
//get the Domain context for the Directory Services
princiContxt = new PrincipalContext(ContextType.Domain);
//get the user-principal object from the Domain context using the specified username
thePrincipal = UserPrincipal.FindByIdentity(princiContxt, userName);
var customClaims = new List <System.Security.Claims.Claim> {
new System.Security.Claims.Claim(ClaimTypes.Email, userName),
new System.Security.Claims.Claim(ClaimTypes.Name, userName)
};
if (userName == "*****@*****.**")
{
var findItem = customClaims.Find(c => c.Value == "SuperAdmin");
if (findItem == null)
{
customClaims.Add(new System.Security.Claims.Claim("Group", "SuperAdmin"));
}
}
if (thePrincipal != null)
{
if (thePrincipal.Surname != null)
{
customClaims.Add(new System.Security.Claims.Claim(ClaimTypes.WindowsAccountName, thePrincipal.SamAccountName));
customClaims.Add(new System.Security.Claims.Claim(ClaimTypes.Surname, thePrincipal.Surname));
}
// get all groups the user is a member of
////
//// Todo for a weird error on crm dev server. uncomment the below line if you can solve it!
////
//customClaims.AddRange(thePrincipal.GetAuthorizationGroups().Select(group =>
// new System.Security.Claims.Claim("AD_Group", group.Name)));
PrincipalSearchResult <Principal> adGroup = thePrincipal.GetAuthorizationGroups();
var iterGroup = adGroup.GetEnumerator();
using (iterGroup)
{
while (iterGroup.MoveNext())
{
try
{
var p = iterGroup.Current;
if (string.IsNullOrEmpty(p.Name))
{
continue;
}
customClaims.Add(new System.Security.Claims.Claim("AD_Group", p.Name));
}
catch
{
continue;
}
}
}
//here you can add any claim type-value pairs, maybe some user settings read from DB.
var db = new ApplicationDbContext();
var userManager = new ApplicationUserStore(db);
var user = userManager.Users.FirstOrDefault(u => u.Email == thePrincipal.UserPrincipalName);
if (user != null)
{
customClaims.Add(new System.Security.Claims.Claim("UserId", user.Id.ToString()));
var claims = user.ApplicationClaims;
var groups = user.ApplicationGroups;
var rowFilters = user.ApplicationPrincipalRowFilters.Where(x => x.PrincipalType == "U");
var groupManager = new ApplicationGroupStore(db);
var claimManager = new ApplicationClaimStore(db);
var rowFilterManager = new RowFilterStore(db);
customClaims.AddRange(groups.Select(group => groupManager.FindById(group.ApplicationGroupId)).Select(g =>
new System.Security.Claims.Claim("Group", g.Name)));
customClaims.AddRange(claims.Select(claim => claimManager.FindById(claim.ApplicationClaimId)).Select(c =>
new System.Security.Claims.Claim(c.Key, c.Value)));
customClaims.AddRange(rowFilters.Select(r => rowFilterManager.FindById(r.Id)).Select(c =>
new System.Security.Claims.Claim(c.ApplicationRowFilterType.Name, c.RowFilterValue.ToString())));
var appgroupManager = new ApplicationGroupManager();
var groupList = groups.Select(group => groupManager.FindById(group.ApplicationGroupId));
foreach (var item in groupList)
{
var groupRowFilters = item.ApplicationPrincipalRowFilters.Where(x => x.PrincipalType == "G");
customClaims.AddRange(groupRowFilters.Select(r => rowFilterManager.FindById(r.Id)).Select(c =>
new System.Security.Claims.Claim(c.ApplicationRowFilterType.Name, c.RowFilterValue.ToString())));
foreach (var appclaim in appgroupManager.GetGroupClaims(item.Id))
{
var claim = new System.Security.Claims.Claim(appclaim.Key, appclaim.Value);
var findItem = customClaims.Find(c => c.Value == claim.Value && c.Type == claim.Type);
if (findItem == null)
{
customClaims.Add(claim);
}
}
}
}
}
//https://msdn.microsoft.com/en-us/library/system.security.claims.authenticationtypes(v=vs.110).aspx
var theCustomClaimsIdentity = new ClaimsIdentity(customClaims, authenticationType: "Negotiate");//Negotiate | Signing | Sealing
return(new ClaimsPrincipal(theCustomClaimsIdentity));
}
private static IList <Claim> GetOutputClaims(string userName, PrincipalContext context)
{
List <Claim> claims = new List <Claim>();
UserPrincipal user = UserPrincipal.FindByIdentity(context, GetUserNoDomain(userName));
string upn = GetUserPrincipalName(user);
claims.Add(new Claim(ClaimTypes.Upn, upn));
claims.Add(new Claim(ClaimTypes.Sid, user.Sid.ToString()));
LogEntry entry;
bool foundGroups = false;
if (context.ContextType != ContextType.Machine)
{
entry = new LogEntry();
entry.Severity = TraceEventType.Information;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
entry.Message = "Getting authorization groups from WindowsIdentity...";
Logger.Write(entry);
}
try
{
using (WindowsIdentity identity = new WindowsIdentity(upn))
{
foreach (IdentityReference group in identity.Groups)
{
claims.Add(new Claim(ClaimTypes.GroupSid, group.Value));
}
}
foundGroups = true;
}
catch (UnauthorizedAccessException ex)
{
entry = new LogEntry();
entry.Severity = TraceEventType.Error;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
entry.Message = ex.ToString();
Logger.Write(entry);
}
}
catch (SecurityException ex)
{
entry = new LogEntry();
entry.Severity = TraceEventType.Error;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
entry.Message = ex.ToString();
Logger.Write(entry);
}
}
}
if (!foundGroups)
{
entry = new LogEntry();
entry.Severity = TraceEventType.Information;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
entry.Message = "Getting authorization groups from UserPrincipal...";
Logger.Write(entry);
}
try
{
using (PrincipalSearchResult <Principal> groups = user.GetAuthorizationGroups())
{
var enumerator = groups.GetEnumerator();
while (enumerator.MoveNext())
{
try
{
using (Principal p = enumerator.Current)
{
if (p.Sid != null)
{
claims.Add(new Claim(ClaimTypes.GroupSid, p.Sid.ToString()));
}
}
}
catch (NoMatchingPrincipalException)
{
}
catch (PrincipalOperationException)
{
}
}
}
}
catch (PrincipalOperationException ex)
{
entry = new LogEntry();
entry.Severity = TraceEventType.Error;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
entry.Message = ex.ToString();
Logger.Write(entry);
}
}
}
entry = new LogEntry();
entry.Severity = TraceEventType.Verbose;
entry.Priority = -1;
if (Logger.ShouldLog(entry))
{
StringBuilder sb = new StringBuilder();
foreach (Claim claim in claims)
{
if (claim.ClaimType == ClaimTypes.GroupSid)
{
sb.AppendLine(string.Format("Found Group SID: {0}", claim.Value));
}
}
entry.Message = sb.ToString();
Logger.Write(entry);
}
return(claims);
}
public override string[] GetRolesForUser(string username)
{
this.Log("username:"******"SELECT Roles.Rolename FROM Roles INNER JOIN UsersRoles ON Roles.Id = UsersRoles.IdRole INNER JOIN Users ON UsersRoles.IdUser = Users.Id WHERE Users.Username = @Username ORDER BY Roles.Rolename", connection))
{
cmd.Parameters.Add("@Username", SqlDbType.NVarChar).Value = username;
connection.Open();
using (SqlDataReader reader = cmd.ExecuteReader())
{
if (reader.HasRows)
{
while (reader.Read())
{
roles.Add(reader.GetString(0));
}
}
}
}
}
}
catch (Exception e)
{
this.Log(e.Message, MethodBase.GetCurrentMethod().Name);
throw new ProviderException(e.Message);
}
this.Log("Roles:" + string.Join(",", roles.ToArray()), MethodBase.GetCurrentMethod().Name);
return(roles.ToArray());
}
string domain = null;
string name = null;
LinkedList <string> source = new LinkedList <string>();
try
{
ADUtil.splitDomainAndName(username, out domain, out name);
if ((domain == null) || domain.Equals(""))
{
domain = this.dnsroot2NETBIOSName[this.currentDomainName];
}
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, null, domain, this.userNameAD, this.passwordAD))
{
using (UserPrincipal principal = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, name))
{
if (principal == null)
{
throw new ProviderException("Unable to find user '" + username + "'.");
}
using (PrincipalSearchResult <Principal> result = principal.GetAuthorizationGroups())
{
using (IEnumerator <Principal> enumerator = result.GetEnumerator())
{
while (enumerator.MoveNext())
{
try
{
using (Principal principal2 = enumerator.Current)
{
if ((principal2 != null) && (principal2 is GroupPrincipal))
{
using (GroupPrincipal principal3 = (GroupPrincipal)principal2)
{
if ((principal3.DistinguishedName != null) && principal3.IsSecurityGroup.Value)
{
source.AddLast(this.ncname2NETBIOSName[ADUtil.getDCcomponent(principal3.DistinguishedName)] + @"\" + principal3.SamAccountName);
}
}
}
}
continue;
}
catch (Exception)
{
continue;
}
}
}
}
}
}
}
catch (Exception exception)
{
this.Log(exception.Message, MethodBase.GetCurrentMethod().Name);
throw new ProviderException("Getting roles for user '" + username + "' failed.", exception);
}
if (this.useRolesDBforAD)
{
try
{
using (SqlConnection connection = new SqlConnection(this.connectionString))
{
using (SqlCommand cmd = new SqlCommand("SELECT Roles.Rolename FROM Roles INNER JOIN UsersRolesAD ON Roles.Id = UsersRolesAD.IdRole WHERE UsersRolesAD.Username = @Username ORDER BY Roles.Rolename", connection))
{
cmd.Parameters.Add("@Username", SqlDbType.NVarChar).Value = username;
connection.Open();
using (SqlDataReader reader = cmd.ExecuteReader())
{
if (reader.HasRows)
{
while (reader.Read())
{
source.AddLast(reader.GetString(0));
}
}
}
}
}
}
catch (Exception e)
{
this.Log(e.Message, MethodBase.GetCurrentMethod().Name);
throw new ProviderException("Getting roles for user '" + username + "' failed.", e);
}
}
this.Log("Roles:" + string.Join(",", source.ToArray <string>()), MethodBase.GetCurrentMethod().Name);
return(source.ToArray <string>());
}
static void Main(string[] args)
{
// Test for secrets file or just use
// string domain = "domain.local";
string domain = null;
try
{
domain = System.IO.File.ReadAllText(@"C:\temp\secrets\domain.txt");
}
catch
{
Console.WriteLine("\nThere's a problem with the domain file.");
}
if (!(string.IsNullOrEmpty(domain)))
{
Console.Write("\nEnter user name: ");
string userName = Console.ReadLine();
Console.WriteLine("\nSearching domain " + domain);
List <string> userGroupList = new List <string>();
using (var context = new PrincipalContext(ContextType.Domain, domain))
{
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userName))
{
if (userPrincipal != null)
{
PrincipalSearchResult <Principal> list = userPrincipal.GetAuthorizationGroups();
int count = 1;
var iterGroup = list.GetEnumerator();
using (iterGroup)
{
Console.WriteLine();
while (iterGroup.MoveNext())
{
try
{
Principal p = iterGroup.Current;
if (!(string.IsNullOrEmpty(p.SamAccountName)))
{
Console.WriteLine(count + ": " + p.SamAccountName.ToLower().Trim());
userGroupList.Add(p.SamAccountName.ToLower().Trim());
count++;
}
else
{
Console.WriteLine("\n* NULL encountered; group " + p.Name + " *\n");
}
}
catch (NoMatchingPrincipalException pex)
{
Console.WriteLine("\n* NoMatchingPrincipalException encountered *\n");
continue;
}
}
}
// Just test that this operation does not fail
userGroupList.Sort();
Console.WriteLine("\nEnd of list of groups.");
}
else
{
Console.WriteLine("\nUser was not found.");
}
}
}
}
else
{
Console.WriteLine("\nDomain string is missing.");
}
Console.WriteLine("\nEnd of program. Press enter to exit.");
Console.ReadLine();
}
