Finding the NTLM group of a user

[cognosrebel]

How can I find the NTLM group of a user "steve" ?

Is there a function I can use to do this?

If I search for steve in NTLM namespace I could find him but I cannot know which group he belongs to. Am I right?

[JoeBass]

I've been trying to unravel the content store.  The questions I asked here were deleted in the last server crash. 

Are you working without the SDK?  There are some straight forward looking function calls to give you what you're looking for.  They appear to be well documented within the SDK developers doc.  I don't have the SDK, so I can't really tell you how well documented they really are.

We authenticate with Active Directory here.  I've gotten to a point that I haven't been able to solve: the username is encrypted within the content store.  Cognos insists that its a Windows function that produces the 32 character string.  They will not, however, reveal what it is.  They told me to call Microsoft support.   ???  "Hello, Microsoft?  Have you heard of Cognos?  Well, they store encrypted windows usernames in their undocumented database.  Can you tell me how Cognos encrypted my username?  Sure, I'll hold."

I haven't been able to reverse engineer the encryption.  I'd be happy to hear of any suggestions on this.  Once I figure that out, I will be able to re-use the Cognos data-row level security hierarchy that we've built for another in-house application.

[cognosrebel]

I am working without SDK.

I was thinking if there is any  functions like "ServerName()" which returns the reportnet server name to find the NTLM user group of a person(Say STEVE )

its really weird that cognos does not have this functionality

[JoeBass]

What are you trying to accomplish?

[cognosrebel]

hmm...One of the active directory group which has  "Steve Thompson" needs to be added as a professional report author. If I just want to add him...I could easily do it.

What I am trying to do is to find which AD group he belongs to and then add that AD group to one of the cognos roles in Cognos Namespace.

[JoeBass]

I can't think of how you could do what you want to do from within ReportNet.  If you can get outside, here is some C# that I'm using to return a list of groups that the user belongs to.  Maybe it will help.

        public string GetGroups()
        {
            DirectorySearcher search = new DirectorySearcher(_path);
            search.Filter = "(cn=" + _filterAttribute + ")";
            search.PropertiesToLoad.Add("memberOf");
            StringBuilder groupNames = new StringBuilder();
            groupNames.Append("'");
            try
            {
                SearchResult result = search.FindOne();
                int propertyCount = result.Properties["memberOf"].Count;
                string dn;
                int equalsIndex, commaIndex;

                for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
                {
                    dn = (string)result.Properties["memberOf"][propertyCounter];
                    equalsIndex = dn.IndexOf("=", 1);
                    commaIndex = dn.IndexOf(",", 1);
                    if (-1 == equalsIndex)
                    {
                        return null;
                    }
                    groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
                    if (propertyCounter < propertyCount - 1)
                    {
                        groupNames.Append("', '");
                    }
                    else
                    {
                        groupNames.Append("'");
                    }
                }
            }
            catch (Exception ex)
            {
                throw new Exception("Error obtaining group names. " + ex.Message);
            }
            return groupNames.ToString();
        }

[mikewalker]

JoeBass

I dare say if Cognos (Support) could provide you with the Windows function name they use to encrypt passwords, documentation may be available online somewhere (like MS TechNet or MSDN).

In saying this, though, I'm sure MS doesn't want people reverse engineering their password encryption routines, letalone providing detailed documentation on how to do it!

[CoginAustin]

If it is 32 characters they are probably using an MD5 hash.

[JoeBass]

Thanks for the replies.  Yeah Mike, they just won't tell me how they go about encrypting it.  Frustrating.

CogninAustin, great idea - I tried http://md5.rednoize.com but didn't get a match, although the format looks identical.  The string I'm trying to decrypt is in the CMOBJPROPS1 table - OBJID column.