C# Active Directory PrincipalContext / UserPrincipal.IsMemberOf 错误

Question

So I have a question I'm honestly not quite sure how to ask. Essentially I have a bit of code that works fantastically on my local machine when I run it. Once I publish it to our development web server, it fails. I'm not sure if it's an IIS setup issue, web.config issue or a coding issue.

Here's the snippet of code

    bool isMember = false;

    PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain);
    UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);

    if (user.IsMemberOf(ADDomain, IdentityType.Name, groupName.Trim()))
    {
        isMember = true;
    }

    return isMember;

Where I pass in a user name and a group and it tells me if that user's a member in that group. No problem. Works great on my machine. I went to publish that code to the webserver and it fails when it hits the line

UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID); 

it throws this error:

[DirectoryServicesCOMException (0x80072020): An operations error occurred.]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +788
System.DirectoryServices.DirectoryEntry.Bind() +44
System.DirectoryServices.DirectoryEntry.get_AdsObject() +42
System.DirectoryServices.PropertyValueCollection.PopulateList() +29
System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +63
System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +163 System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() +521217
System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() +51
System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() +141
System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() +42
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) +29
System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue) +95
Cosmic.Web.Login.btnSubmit_Click(Object sender, EventArgs e) in C:\\cosmic\\Cosmic.Web\\Login.aspx.cs:79
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +154
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3691

Any ideas where this could be failing?

Answer 1

My first guess would be: that user account you're running this code under doesn't have the necessary permissions to query Active Directory.

To fix this, basically you need to change your constructor from this:

PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain);

(establishes a connection to AD with the current, default credentials this code is running under)

to this:

PrincipalContext ADDomain = 
   new PrincipalContext(ContextType.Domain, "DOMAIN", useraccount, password);

and provide a username and password for a user account that you know has sufficient privileges to query Active Directory.

Answer 2

If you've got several seconds to spare waiting for your data form a large AD, then go ahead and use PrincipalContext but if you want your response in milliseconds, use DirectoryEntry, DirectorySearcher and .PropertiesToLoad.

Here's an example

https://stackoverflow.com/a/65986796/5248400