I am trying to determine if a user is a member of a group using System.DirectoryServices.AccountManagement.
- I am doing this inside a SharePoint WebPart in SharePoint 2007 on a 64-bit system.
- The project targets .NET 3.5.
- Impersonation is enabled in the web.config file.
- The IIS site runs in an application pool with a domain user configured as its identity.
I can create an instance of PrincipalContext like so:

```csharp
PrincipalContext pc = new PrincipalContext(ContextType.Domain);
```
Then I try to retrieve the principal:

```csharp
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain))
{
    // verbatim string: a plain "MYDOMAIN\somegroup" would not compile because \s is not a valid escape
    GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, @"MYDOMAIN\somegroup");
}
```
Both the above and UserPrincipal.FindByIdentity with the user's SAM account name throw a DirectoryServicesCOMException: "Logon failure: unknown user name or bad password".
I tried passing FindByIdentity either the fully qualified SAMAccountName (in the form MYDOMAIN\username) or just the username, with no change in behavior. I also tried executing the code under other credentials using HostingEnvironment.Impersonate and SPSecurity.RunWithElevatedPrivileges, and got the same result.
I also tried instantiating my context with the domain name specified:

```csharp
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "MYDOMAIN");
```

This throws a PrincipalServerDownException: "The server could not be contacted."
I am working on a fairly locked-down server. I did not lock down the system myself, so I'm not sure exactly what was done to it. If there are permissions I need to assign to the app pool identity user, or domain security policies that need to be in place for this to work, I can configure the domain accordingly. Are there any settings that could prevent my code from running? Am I missing something in the code? Is this simply not possible from a SharePoint website?
EDIT: In further testing, my code works correctly in a console application targeting .NET 4.0. I targeted a different framework because, for some reason, the AccountManagement namespace was not available to me in the console application when I targeted .NET 3.5.

```csharp
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain))
// verbatim strings so the backslashes in the domain-qualified names compile
using (UserPrincipal adUser = UserPrincipal.FindByIdentity(pc, @"MYDOMAIN\joe.user"))
using (GroupPrincipal adGroup = GroupPrincipal.FindByIdentity(pc, @"MYDOMAIN\user group"))
{
    if (adUser.IsMemberOf(adGroup))
    {
        Console.WriteLine("User is a member!");
    }
    else
    {
        Console.WriteLine("User is NOT a member.");
    }
}
```

What is different in my SharePoint environment that might be preventing this from working?
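As an added example (not part of the original question, and not the asker's code), here is the membership check written the way I would run it when diagnosing this kind of failure: it logs the Windows identity the lookup actually executes under, names the identity type explicitly instead of letting FindByIdentity infer it from the string, and checks nested membership via GetAuthorizationGroups in addition to the direct IsMemberOf test. The domain, user and group values are hypothetical placeholders; it assumes a reference to System.DirectoryServices.AccountManagement and a reachable domain controller, so it cannot run offline.

```csharp
// Added example, not the asker's code. Assumes a reference to
// System.DirectoryServices.AccountManagement (.NET 3.5 or later) and a reachable domain.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupMembershipCheck
{
    // Returns true if the user is a direct or nested member of the group.
    // domain, samAccountName and groupName are placeholder values supplied by the caller.
    public static bool IsUserInGroup(string domain, string samAccountName, string groupName)
    {
        // Log the identity the directory lookup will actually run under. In an
        // ASP.NET/SharePoint process this is frequently not the account you expect.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        // The "name" argument is a domain or server name; pass it explicitly so the
        // lookup does not depend on the process locating a DC on its own.
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
        // State the identity type rather than letting the API guess from the string format.
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            // FindByIdentity returns null (it does not throw) when nothing matches.
            if (user == null) throw new ArgumentException("User not found: " + samAccountName);
            if (group == null) throw new ArgumentException("Group not found: " + groupName);

            // IsMemberOf only tests direct membership.
            if (user.IsMemberOf(group)) return true;

            // GetAuthorizationGroups returns the groups in the user's token, which
            // includes nested membership; compare by SID rather than by name.
            using (PrincipalSearchResult<Principal> tokenGroups = user.GetAuthorizationGroups())
            {
                foreach (Principal p in tokenGroups)
                {
                    if (group.Sid.Equals(p.Sid)) return true;
                }
            }
            return false;
        }
    }

    static void Main()
    {
        // Placeholder values; replace with a real domain, user and group.
        bool member = IsUserInGroup("mydomain.example", "joe.user", "user group");
        Console.WriteLine(member ? "User is a member!" : "User is NOT a member.");
    }
}
```

When this runs inside the web part, compare the logged identity with the account you expect to be in effect (the app-pool identity, or the impersonated user). If FindByIdentity fails with a logon error, the credentials in effect at that point are what the domain is rejecting, which narrows the problem to the hosting identity rather than the lookup code itself.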