Request user roles in AD when the caller is not in the domain

I would like to get a user's group membership in Active Directory without being in the domain. When I run this inside the domain, everything is fine:

    using System;
    using System.DirectoryServices.AccountManagement;

    var context = new PrincipalContext(ContextType.Domain);
    var principal = UserPrincipal.FindByIdentity(context, IdentityType.Name, "administrator");
    foreach (var authorizationGroup in principal.GetAuthorizationGroups())
    {
        Console.WriteLine(authorizationGroup.Name);
    }

However, when I run it outside the domain, I have to specify the PrincipalContext explicitly:

    var context = new PrincipalContext(ContextType.Domain, "10.0.1.255", "DC=test,DC=ad,DC=be", "administrator", "password");

When I run this code, I get an exception as soon as I execute principal.GetAuthorizationGroups(). The exception I get:

    System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
       at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
       at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
       at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
       at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
       at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
+6
security active-directory directoryservices
3 answers

I just had to deal with the same problem. Hope this helps someone else.

    using System;
    using System.Collections.Generic;
    using System.DirectoryServices;

    class AdGroups
    {
        /* Global settings */
        static string ADHost = "dc.abc";              /* or an IP address */
        static string ADUsername = "username";
        static string ADPassword = "password";
        static string ADDomain = "abc";
        static string ADContainer = "DC=A,DC=B,DC=C"; /* I have a function to do the translation from ADDomain */

        /* Argument: the sAMAccountName of the user to look up */
        static List<string> GetGroups(string username)
        {
            var list = new List<string>();
            var path = "LDAP://" + ADHost + "/" + ADContainer;
            var deDomain = new DirectoryEntry(path, ADUsername, ADPassword);
            var ds = new DirectorySearcher(deDomain, "(&(objectClass=User)(sAMAccountName=" + username + "))");
            ds.SearchScope = SearchScope.Subtree;             /* cascade into sub-containers */
            ds.ReferralChasing = ReferralChasingOption.All;   /* follow redirection */
            var usr = ds.FindOne();
            if (null != usr)
            {
                var deUsr = new DirectoryEntry(usr.Path, ADUsername, ADPassword);
                foreach (string groupDN in deUsr.Properties["memberOf"])
                {
                    /* keep only the CN part of each group DN */
                    string[] parts = groupDN.Replace("CN=", "").Split(',');
                    list.Add(parts[0]);
                }
            }
            return list;
        }
    }
+2
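The answer above binds straight to one DC by host name or IP with explicit credentials, which sidesteps the DC locator entirely, but memberOf lists only direct memberships (and never the primary group), whereas GetAuthorizationGroups in the question returns the transitive set. The example below is an added one, not the answerer's or the question's code: it uses the same direct LDAP:// bind, then reads the constructed tokenGroups attribute to get nested membership, resolves each SID back to a group name on the same DC (NTAccount.Translate cannot be used, because a non-member machine has no trust with the domain), and escapes the caller-supplied account name before it goes into the filter. The host, container and credentials are assumed from the question; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example (not the answer's code): direct bind to one DC, transitive groups via tokenGroups.
static class AdTokenGroupLookup
{
    // Assumed settings, taken from the question; replace with your own DC and service account.
    const string AdHost = "10.0.1.255";
    const string AdContainer = "DC=test,DC=ad,DC=be";
    const string AdUsername = "administrator";
    const string AdPassword = "password";

    public static List<string> GetTokenGroups(string sAMAccountName)
    {
        var groups = new List<string>();
        var path = "LDAP://" + AdHost + "/" + AdContainer;
        // Binding to a host/IP directly means no DsGetDcName call and no DNS SRV lookup.
        using (var root = new DirectoryEntry(path, AdUsername, AdPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + LdapEscape(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            var result = searcher.FindOne();
            if (result == null) return groups;

            using (var user = result.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute: it is only filled when asked for explicitly.
                // It holds the SIDs of every group the user is in, nested groups and primary group included.
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    var sid = new SecurityIdentifier(sidBytes, 0);
                    groups.Add(ResolveSid(root, sid) ?? sid.Value);
                }
            }
        }
        return groups;
    }

    // Map a SID to the group's sAMAccountName with an objectSid search against the same DC.
    // Well-known SIDs that have no object in this domain (e.g. Everyone) return null.
    static string ResolveSid(DirectoryEntry root, SecurityIdentifier sid)
    {
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        var escaped = new StringBuilder();
        foreach (var b in raw) escaped.Append('\\').Append(b.ToString("x2"));
        using (var searcher = new DirectorySearcher(root, "(objectSid=" + escaped + ")", new[] { "sAMAccountName" }))
        {
            var hit = searcher.FindOne();
            if (hit == null || hit.Properties["sAMAccountName"].Count == 0) return null;
            return (string)hit.Properties["sAMAccountName"][0];
        }
    }

    // RFC 4515 escaping, so a user-supplied account name cannot change the meaning of the filter.
    static string LdapEscape(string value)
    {
        var sb = new StringBuilder();
        foreach (var c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        foreach (var g in GetTokenGroups(args.Length > 0 ? args[0] : "administrator"))
            Console.WriteLine(g);
    }
}
```

Two things worth noting against the answer's memberOf loop: splitting a DN on "," breaks for group names that contain an escaped comma (CN=Smith\, John), which is why the example resolves names through a second search rather than parsing DNs; and passing the account name unescaped into the filter lets the caller widen the search with wildcards or parentheses, which matters as soon as the lookup is exposed to untrusted input.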

Looks like a DNS problem.

The DC locator works by performing DNS queries for SRV records to find the appropriate DC for your current site. If that stuff is not in the DNS, the DC locator will fail, which is what happens in your stack trace.

+1
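To confirm this diagnosis from the client that fails, the lookup PrincipalContext performs (the Utils.GetDcName frame in the trace wraps the Win32 DsGetDcName call) can be made directly. The following is an added example, not the answerer's code: it P/Invokes DsGetDcName from netapi32.dll for the domain name and reports the Win32 status, so a client whose DNS cannot serve the domain's SRV records shows the same 1355 before any LDAP work starts. The domain name test.ad.be is assumed from the container DN in the question; the class and method names are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: run the DC locator by hand to see whether DNS can find a DC for the domain.
static class DcLocatorCheck
{
    const uint DS_FORCE_REDISCOVERY = 0x00000001;          // bypass the locator's cache
    const uint DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010; // require an AD DC
    const uint DS_RETURN_DNS_NAME = 0x40000000;            // report DNS names, not NetBIOS names
    const uint ERROR_NO_SUCH_DOMAIN = 1355;                // the code in the question's trace

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint DomainControllerAddressType;
        public Guid DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint DsGetDcName(string computerName, string domainName, IntPtr domainGuid,
                                   string siteName, uint flags, out IntPtr domainControllerInfo);

    [DllImport("netapi32.dll")]
    static extern uint NetApiBufferFree(IntPtr buffer);

    // Returns the Win32 status (0 = a DC was found); on success dcName and clientSite are filled in.
    public static uint Locate(string domain, out string dcName, out string clientSite)
    {
        dcName = clientSite = null;
        IntPtr info;
        uint status = DsGetDcName(null, domain, IntPtr.Zero, null,
            DS_FORCE_REDISCOVERY | DS_DIRECTORY_SERVICE_REQUIRED | DS_RETURN_DNS_NAME, out info);
        if (status != 0) return status;
        try
        {
            var dc = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(info, typeof(DOMAIN_CONTROLLER_INFO));
            dcName = dc.DomainControllerName;
            clientSite = dc.ClientSiteName;
        }
        finally
        {
            NetApiBufferFree(info); // the API allocates the buffer; the caller must free it
        }
        return 0;
    }

    static void Main(string[] args)
    {
        // Assumed domain name, derived from the question's container DN (DC=test,DC=ad,DC=be).
        string domain = args.Length > 0 ? args[0] : "test.ad.be";
        string dc, site;
        uint status = Locate(domain, out dc, out site);
        if (status == 0)
            Console.WriteLine("DC locator OK: {0} (client site: {1})", dc, site ?? "<none>");
        else if (status == ERROR_NO_SUCH_DOMAIN)
            Console.WriteLine("1355 ERROR_NO_SUCH_DOMAIN: this client cannot resolve the SRV record "
                              + "_ldap._tcp.dc._msdcs." + domain + "; point its DNS at the domain's DNS server.");
        else
            Console.WriteLine("DsGetDcName failed with Win32 error {0}", status);
    }
}
```

The same check from a command prompt is nslookup -type=SRV _ldap._tcp.dc._msdcs.test.ad.be: if that returns nothing, the fix is either to give the client a DNS server that hosts the domain's zone (or forwards to it), or to avoid the locator altogether by binding to the DC by host name or IP, as the LDAP:// answer above does.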

Maybe I can’t check it out right now.

I tried the following: I am using the excellent Active Directory Explorer from Sysinternals. When logging in with the same credentials (10.0.1.255, "administrator", "password"):

Now I see the user's groups without problems, since:

    ["memberOf"] = "CN=TestGroup,CN=Users,DC=test,DC=ad,DC=be"
0
