I would like to get a user's group memberships in an Active Directory, without being in the domain. When I run this inside the domain, all is well.

var context = new PrincipalContext(ContextType.Domain);
var principal = UserPrincipal.FindByIdentity(context, IdentityType.Name, "administrator");

foreach (var authorizationGroup in principal.GetAuthorizationGroups())
{
    Console.WriteLine(authorizationGroup.Name);
}

However, when I run outside the domain, I have to specify the PrincipalContext like this:

var context = new PrincipalContext(ContextType.Domain, "10.0.1.255", "DC=test,DC=ad,DC=be", "administrator", "password");

When I run this code, I get an exception when I execute principal.GetAuthorizationGroups(). The exception I get is:

System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
A: 

Looks like a DNS problem.

DC locator works by doing DNS queries for SRV records to find the appropriate DC in your current site. If that stuff isn't in DNS, DC locator will fail, which is happening in your stack trace.

Mitch Wheat
A: 

It might be that, I can't verify it right now.

I tried the following: I use Sysinternals' excellent Active Directory Explorer. When logging in with the same credentials: 10.0.1.255, "administrator", "password"

Now I can see the user's groups without problems as

["memberOf"] = "CN=TestGroup,CN=Users,DC=test,DC=ad,DC=be"
grootjans
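
The check described in the last answer, written as code: an added example, not part of the thread. It binds to the server named in the question over LDAP with explicit credentials, so no DC locator (DNS SRV) lookup is involved, then reads both memberOf (direct groups) and tokenGroups (transitive security groups). Assumptions: the account is looked up by sAMAccountName, and AD_PASSWORD is a hypothetical environment variable used instead of a hard-coded password.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

class GroupsWithoutDcLocator
{
    // Server and base DN are the values from the question.
    const string Prefix = "LDAP://10.0.1.255/";
    const string BaseDn = "DC=test,DC=ad,DC=be";

    // A path that names the server is a serverful bind: ADSI talks to that
    // host directly and does not ask DC locator to find a domain controller.
    static DirectoryEntry Bind(string path, string user, string password) =>
        new DirectoryEntry(path, user, password, AuthenticationTypes.Secure);

    static void Main()
    {
        string user = "administrator";
        // Hypothetical variable name; keeps the password out of the source.
        string password = Environment.GetEnvironmentVariable("AD_PASSWORD");

        using (var root = Bind(Prefix + BaseDn, user, password))
        using (var searcher = new DirectorySearcher(root,
                   "(&(objectClass=user)(sAMAccountName=" + user + "))"))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) { Console.Error.WriteLine("user not found"); return; }

            // hit.Path already includes the server, so this stays serverful.
            using (DirectoryEntry entry = Bind(hit.Path, user, password))
            {
                // Direct memberships only, the attribute AD Explorer shows.
                foreach (object dn in entry.Properties["memberOf"])
                    Console.WriteLine("memberOf:    " + dn);

                // tokenGroups is a constructed attribute: it has to be requested
                // explicitly and holds the SIDs of all transitive security groups.
                entry.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] raw in entry.Properties["tokenGroups"])
                {
                    string sid = new SecurityIdentifier(raw, 0).Value;
                    // Resolve each SID by binding to it on the same server.
                    using (var group = Bind(Prefix + "<SID=" + sid + ">", user, password))
                        Console.WriteLine("tokenGroups: " + group.Properties["sAMAccountName"].Value);
                }
            }
        }
    }
}
```

memberOf omits nested groups and the primary group, so its output can be shorter than what GetAuthorizationGroups() returns inside the domain; the tokenGroups list is the closer equivalent.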