tags:

views:

116

answers:

1
+3  Q: 

Error with UserPrincipal.GetAuthorizationGroups() method

I am having an issue using the GetAuthorizationGroups method of the UserPrincipal class in a web application.

Using the following code, I am receiving "While trying to retrieve the authorization groups, an error (5) occurred"

PrincipalContext context = new PrincipalContext(ContextType.Domain, null, "DC=MyCompany,DC=COM", "username", "password");
UserPrincipal p = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "joe.blogs");
var groups = p.GetAuthorizationGroups();

I believe this code works to an extent.

  • When I view the context object, I can see the server and username/password have been resolved correctly in the object
  • When I view the p object, I can see AD details have been populated like phone no etc.

Here is the stack trace from the error.

[PrincipalOperationException: While trying to retrieve the authorization groups, an error (5) occurred.]
   System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase) +317279
   System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) +441
   System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() +78
   System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups() +11

By removing the username and password details from the PrincipalContext constructor and changing the applicationpool (in iis7) to run as the same user ([email protected]) - the following code works.

PrincipalContext context = new PrincipalContext(ContextType.Domain, null, "DC=MyCompany,DC=COM");
UserPrincipal p = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "joe.blogs");
var groups = p.GetAuthorizationGroups();

I need to get the code in the first example to work - I do not want run the application pool as a domain user just to get this code working.

A: 

Error 5 indicates ERROR_ACCESS_DENIED, which suggests a permissions related issue. That said, the following code has just worked for me, running on Windows 7 with the website running as the default application pool:

Content of "body" of .aspx page:

<asp:GridView ID="GridView1" runat="server">
</asp:GridView>

Code-behind:

protected void Page_Load(object sender, EventArgs e)
{
    var Context = new PrincipalContext(ContextType.Domain, "logon_domain", "username", "password");
    var principal = UserPrincipal.FindByIdentity(Context, "user_to_query");
    var groups = principal.GetAuthorizationGroups();

    GridView1.DataSource = groups;
    GridView1.DataBind();
}

In my example logon_domain was the lefthand of domain_name\username, rather than the style of domain specification you'd used. My solution may or may not work for you. If it doesn't, it does point to a permissions issue somewhere.

Rob  2010-08-17 09:23:16
Thanks Rob, I have tried many combinations in the PrincipalContext constructor with not luck. I think the root cause of my problem is knowing the permission requirements of the application user to invoke the GetAuthorizationGroups() method. My application user has read all information rights to objects in the OU. Currently I am doing this the long way by reading the memberOf property of users. This howerver is only the first level and not recursive.
Adam Jenkin  2010-08-17 12:50:43
FWIW, I had a version working where I used `var Context = new PrincipalContext(ContextType.Domain, "logon_domain");`, so the context was purely a domain one and that also worked without error in Win7/default application pool. Is the machine you're running your code on domain joined?
Rob  2010-08-17 13:23:03
Yes, joined to a domain. if I use the PrincipalContext(ContextType.Domain, "logon_domain") constructor with network service (AppPool) it doesn't work. If I change the AppPool to run as the same user as used in method PrincipalContext(ContextType.Domain, null, "DC=MyCompany,DC=COM", "username", "password") it does work!
Adam Jenkin  2010-08-17 22:09:55

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?