User Management with Active Directory—Technique 2: Using DsCrackNames
© 2006 Pearson Education, Inc.
Technique #2: Using DsCrackNames
A more advanced technique exists that relies on the DsCrackNames API and forgoes searching the directory completely. The basic premise is that we will convert all of the byte-format SIDs into their string-readable Security Descriptor Description Language (SDDL)–format equivalents and pass an entire array of them into the DsCrackNames API, which can convert them into another format of our choosing (DN, NT Account format, etc.).
For .NET version 1.1, this requires using P/Invoke in order to convert the SID into SDDL format. It also involves wrapping the DsCrackNames API. Getting everything set up requires a bit of work, but it works well once it is done.
We have included all of the P/Invoke code and wrappers needed to use this functionality in the sample code included on this book’s web site. For reference purposes, Listing 10.20 includes some of the important bits.
Listing 10.20: Using DsCrackNames to Convert TokenGroups
// Convert the binary tokenGroups values to an array of string (SDDL) SIDs
int size = this.Properties["tokenGroups"].Count;
PropertyValueCollection pvc = this.Properties["tokenGroups"];
string[] sids = new string[size];

for (int i = 0; i < size; i++)
{
    sids[i] = AdUtils.ConvertSidToSidString((byte[])pvc[i]);
}

// We want to pass in the SID format and retrieve
// the NT4 account format names. This utility class is
// included in our web site library samples.
// groupNames contains all the converted groups now.
string[] groupNames = AdUtils.DsCrackNamesWrapper(
    sids,
    this.Context.Handle,
    DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME,
    DS_NAME_FORMAT.DS_NT4_ACCOUNT_NAME
    );
Listing 10.20 uses two wrapper methods: one converts a binary SID to its SDDL-format string, and the other wraps our call to DsCrackNames. We are omitting this wrapper code because it would take several pages to present and it consists mostly of P/Invoke declarations. We are also going to gloss over how we obtained the RPC handle (this.Context.Handle) that DsCrackNames requires, for similar reasons. We wish we could dive into this code, as it is interesting, but it takes too much book space and is not essential to this discussion. As usual, the complete listing is available on the book’s web site. We should also note that developers more familiar with the IADsNameTranslate ADSI interface are free to substitute it for DsCrackNames; the two are actually one and the same.
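The first half of the technique, turning each binary tokenGroups value into an SDDL string, can be done in managed code without P/Invoke, which makes it easier to see what ConvertSidToSidString is producing. The following is an added example written for this page, not the book's AdUtils library; the SidText class, its ToSddl method and the sample SID bytes are all constructed here. It parses the documented binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and emits the "S-1-5-..." form that DsCrackNames accepts as DS_SID_OR_SID_HISTORY_NAME. It rejects malformed input so that a truncated or tampered attribute value surfaces as an exception rather than a silently wrong name lookup.

```csharp
using System;
using System.Text;

// Added example, not part of the book's sample library: managed conversion of a
// binary SID (as returned in the tokenGroups attribute) to its SDDL string form.
// Binary SID layout:
//   byte 0      revision (always 1)
//   byte 1      sub-authority count
//   bytes 2-7   identifier authority, 48-bit big-endian
//   then        one 32-bit little-endian sub-authority per count
public static class SidText
{
    public static string ToSddl(byte[] sid)
    {
        if (sid == null || sid.Length < 8)
            throw new ArgumentException("SID too short to be valid", "sid");

        int revision = sid[0];
        int subAuthorityCount = sid[1];
        if (revision != 1)
            throw new ArgumentException("Unsupported SID revision " + revision, "sid");
        if (sid.Length != 8 + 4 * subAuthorityCount)
            throw new ArgumentException("SID length does not match sub-authority count", "sid");

        // Identifier authority: 6 bytes, big-endian.
        ulong authority = 0;
        for (int i = 2; i < 8; i++)
            authority = (authority << 8) | sid[i];

        StringBuilder sb = new StringBuilder("S-");
        sb.Append(revision).Append('-');
        // SDDL writes the authority in hex only when it does not fit in 32 bits.
        if (authority >= 0x100000000UL)
            sb.Append("0x").Append(authority.ToString("X"));
        else
            sb.Append(authority);

        // Sub-authorities: 32-bit little-endian values.
        for (int i = 0; i < subAuthorityCount; i++)
        {
            int offset = 8 + 4 * i;
            uint sub = (uint)(sid[offset]
                     | (sid[offset + 1] << 8)
                     | (sid[offset + 2] << 16)
                     | (sid[offset + 3] << 24));
            sb.Append('-').Append(sub);
        }
        return sb.ToString();
    }

    // Constructed sample: the binary form of the well-known SID S-1-5-32-544
    // (BUILTIN\Administrators), so the result can be checked without a domain.
    static readonly byte[] BuiltinAdmins = {
        0x01, 0x02,                         // revision 1, two sub-authorities
        0x00, 0x00, 0x00, 0x00, 0x00, 0x05, // identifier authority 5 (NT Authority)
        0x20, 0x00, 0x00, 0x00,             // 32  (BUILTIN)
        0x20, 0x02, 0x00, 0x00              // 544 (Administrators)
    };

    public static void Main()
    {
        string sddl = ToSddl(BuiltinAdmins);
        Console.WriteLine(sddl); // S-1-5-32-544

        // On .NET 2.0 and later the framework performs the same conversion:
        // new System.Security.Principal.SecurityIdentifier(BuiltinAdmins, 0).Value
    }
}
```

The strings this produces are what you would place in the sids array of Listing 10.20 before handing it to the DsCrackNames wrapper; the length and revision checks matter because tokenGroups is a constructed attribute and a wrapper that blindly indexes into a short byte array will read past its end.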
For version 2.0, we no longer need to use P/Invoke for converting the SID, as we can do this using the SecurityIdentifier class. However, if we are already using version 2.0, then we should use technique #3 instead.