 

Getting a user's groups in Active Directory

I’m having an issue with integrating my ASP.NET web service with an Active Directory setup, and using it to authenticate users and check which AD groups they are a member of and whether they have permission to use my custom application.

My custom application has its own permissions, and the administrators configure Active Directory groups that are allowed to use the custom application.

The issue I’m having is that when a user from a different trusted AD forest, with a full two-way trust, attempts to log in, I can’t get a list of his groups from the AD server my ASP.NET web service communicates with. The ASP.NET web service only has access to the AD server (AD Main), not the trusted AD controller (AD Secondary).

The user is a member of the (AD Secondary) domain, and I can authenticate that user against the (AD Main) domain, but I can’t get a list of groups from the (AD Main) domain when the user is in the (AD Secondary) domain.

I’ve tried this code.

using System.Collections;
using System.Collections.Specialized;
using System.Diagnostics;
using System.DirectoryServices;

StringCollection groupids = new StringCollection();
try
{
    // Bind with the user's own credentials (the default AuthenticationTypes is Secure)
    using (DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://" + domain, username, password))
    {
        // Enumerate the property names so we can see what is in them
        foreach (string propname in directoryEntry.Properties.PropertyNames)
        {
            Debug.WriteLine(propname);
        }

        // "Groups" is IADsUser.Groups(), so directoryEntry must be bound to the
        // user object itself, not to the domain root; it returns an IADsMembers collection
        object obGroups = directoryEntry.Invoke("Groups");
        foreach (object ob in (IEnumerable)obGroups)
        {
            // Wrap each native IADs group object in a DirectoryEntry
            using (DirectoryEntry obGpEntry = new DirectoryEntry(ob))
            {
                groupids.Add(obGpEntry.NativeGuid);
            }
        }
    }
}
catch (DirectoryServicesCOMException)
{
    throw; // rethrow without resetting the stack trace
}

I’ve tried to move away from the DirectoryEntry object to something like this.

using System.Collections.Specialized;
using System.DirectoryServices.AccountManagement;

StringCollection groupids = new StringCollection();

// Context for one domain, bound with the supplied credentials; FindByIdentity
// searches that domain only, so a user from another domain needs a context for it
using (PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain, domain, userName, password))
{
    // find your user
    UserPrincipal user = UserPrincipal.FindByIdentity(yourDomain, userName);

    // if found - grab its groups
    if (user != null)
    {
        // GetGroups() returns the groups the user is a direct member of
        using (PrincipalSearchResult<Principal> groups = user.GetGroups())
        {
            // iterate over all groups
            foreach (Principal p in groups)
            {
                // make sure to add only group principals
                if (p is GroupPrincipal)
                {
                    groupids.Add(p.DisplayName);
                }
            }
        }
    }
}

But, I don’t get the user and I can’t get a list of the groups for that user in the other domain. Any help would be appreciated.

Muad'Dib Avatar asked Apr 09 '12 23:04



1 Answer

This appears to be a great use case for the AD derived attribute memberOf. With the DirectoryEntry directoryEntry object, you can enumerate what groups a user belongs to.

// directoryEntry must be bound to the user object; memberOf is an attribute of the user
foreach (object group in directoryEntry.Properties["memberOf"])
{
    // each value is the distinguished name of a group the user is a direct member of
    DirectoryEntry obGpEntry = new DirectoryEntry("LDAP://" + (string)group);
    groupids.Add(obGpEntry.NativeGuid);
}

It's also likely that you could use the first code segment if you prefixed ob with "LDAP://".

Kodra Avatar answered Oct 03 '22 15:10

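Added example, not code from the question or the answer above. The answer reads memberOf on the user object, which only works when the service can bind to the domain that holds the user. For a user from a trusted forest, the domain the question calls AD Main holds no user object at all; once the user is added to a group there, AD Main represents them with a foreignSecurityPrincipal object whose objectSid is the user's SID, and the group's member attribute points at that object. The code below resolves the user's SID through the trust, finds that foreignSecurityPrincipal in AD Main, and uses the LDAP_MATCHING_RULE_IN_CHAIN rule to collect every AD Main group that contains it directly or through nesting, then authorizes by SID rather than by display name. Assumptions: the web server is joined to AD Main (so NTAccount.Translate can resolve a SECONDARY\user name across the trust), the AD Main domain controllers support the in-chain matching rule (Windows Server 2003 SP2 or later), and the names mainDomainDn, accountName, bindUser and bindPassword are hypothetical parameters. It only reports groups defined in AD Main; groups the user holds inside AD Secondary live on that domain's controllers and are not visible this way.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example; not code from the question or the answer on this page.
// Assumes the web server is joined to the resource domain ("AD Main" in the
// question) and can reach its domain controllers over LDAP. mainDomainDn is a
// hypothetical value such as "DC=main,DC=example".
public static class ForeignUserGroups
{
    // LDAP_MATCHING_RULE_IN_CHAIN: matches a DN anywhere in the nesting chain.
    private const string InChain = "1.2.840.113556.1.4.1941";

    // Resolve "SECONDARY\\jdoe" (or a UPN) to its SID through the forest trust.
    // Throws IdentityNotMappedException if the account cannot be resolved.
    public static SecurityIdentifier ResolveSid(string accountName)
    {
        return (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
    }

    // Escape a binary SID for use as an LDAP filter value (RFC 4515 \xx form).
    public static string EscapeSidForFilter(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Escape the characters RFC 4515 reserves when a DN is used as a filter value.
    private static string EscapeDn(string dn)
    {
        return dn.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
    }

    // Returns the SIDs of every group in the resource domain that contains the
    // foreign user, directly or via nesting.
    public static HashSet<SecurityIdentifier> GetResourceDomainGroups(
        string mainDomainDn, SecurityIdentifier userSid, string bindUser, string bindPassword)
    {
        var groups = new HashSet<SecurityIdentifier>();
        using (var root = new DirectoryEntry("LDAP://" + mainDomainDn, bindUser, bindPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            // Step 1: locate the foreignSecurityPrincipal that stands in for the user.
            string fspFilter = "(&(objectClass=foreignSecurityPrincipal)(objectSid="
                               + EscapeSidForFilter(userSid) + "))";
            string fspDn;
            using (var fspSearch = new DirectorySearcher(root, fspFilter, new[] { "distinguishedName" }))
            {
                SearchResult fsp = fspSearch.FindOne();
                // No FSP means the user has never been added to any group in this domain.
                if (fsp == null) return groups;
                fspDn = (string)fsp.Properties["distinguishedName"][0];
            }

            // Step 2: every group whose membership chain includes that object.
            string groupFilter = "(&(objectCategory=group)(member:" + InChain + ":="
                                 + EscapeDn(fspDn) + "))";
            using (var groupSearch = new DirectorySearcher(root, groupFilter, new[] { "objectSid" }))
            using (SearchResultCollection results = groupSearch.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    groups.Add(new SecurityIdentifier((byte[])r.Properties["objectSid"][0], 0));
                }
            }
        }
        return groups;
    }

    // Store the application's allow-list as group SIDs in SDDL form
    // (e.g. "S-1-5-21-...-1105"), not display names: names are not unique across
    // domains and can be renamed, while the SID is what the directory actually checks.
    public static bool IsAllowed(HashSet<SecurityIdentifier> userGroups, IEnumerable<string> allowedGroupSids)
    {
        foreach (string s in allowedGroupSids)
        {
            if (userGroups.Contains(new SecurityIdentifier(s))) return true;
        }
        return false;
    }

    // Usage (hypothetical values):
    //   var sid = ForeignUserGroups.ResolveSid("SECONDARY\\jdoe");
    //   var groups = ForeignUserGroups.GetResourceDomainGroups("DC=main,DC=example", sid, bindUser, bindPassword);
    //   bool ok = ForeignUserGroups.IsAllowed(groups, configuredGroupSids);
}
```

The bind account used for the searches is a service identity that can read the domain, not the end user's credentials; the user's password is only needed to authenticate the user, which the question says already works against AD Main.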