I would like to get a user's group memberships in an ActiveDirectory, without being in the domain. When I run this inside the domain, all is well.
    var context = new PrincipalContext(ContextType.Domain);
    var principal = UserPrincipal.FindByIdentity(context, IdentityType.Name, "administrator");
    foreach (var authorizationGroup in principal.GetAuthorizationGroups())
    {
        Console.WriteLine(authorizationGroup.Name);
    }
However, when I run outside the domain, I have to specify the PrincipalContext like this:
    var context = new PrincipalContext(ContextType.Domain, "10.0.1.255", "DC=test,DC=ad,DC=be", "administrator", "password");
When I run this code, I get an exception when I execute principal.GetAuthorizationGroups(). The exception I get is:
    System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
       at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
       at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
       at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
       at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
       at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
Looks like a DNS problem.
DC locator works by doing DNS queries for SRV records to find the appropriate DC in your current site. If that stuff isn't in DNS, DC locator will fail, which is happening in your stack trace.
I just had to deal with the same problem. I hope this helps someone else.
    using System.Collections.Generic;
    using System.DirectoryServices;

    List<string> GetGroups(string username /*Argument*/)
    {
        /*Global settings*/
        string ADHost = "dc.a.b.c"; /*Or ip address*/
        string ADUsername = "username";
        string ADPassword = "password";
        string ADDomain = "a.b.c";
        string ADContainer = "DC=A,DC=B,DC=C"; /*I have a function to do the translation*/
        /*Global settings*/
        var list = new List<string>();
        var path = "LDAP://" + ADHost + "/" + ADContainer;
        /*Bind straight to the given host, so no DC locator (DNS SRV) lookup is needed*/
        using (var deDomain = new DirectoryEntry(path, ADUsername, ADPassword))
        /*username goes into the filter as-is: escape \ * ( ) and NUL (RFC 4515) if it is untrusted*/
        using (var ds = new DirectorySearcher(deDomain, "(&(objectClass=User)(sAMAccountName=" + username + "))"))
        {
            ds.SearchScope = SearchScope.Subtree; /*Cascade*/
            ds.ReferralChasing = ReferralChasingOption.All; /*Follow redirection*/
            var usr = ds.FindOne();
            if (null != usr)
            {
                using (var deUsr = new DirectoryEntry(usr.Path, ADUsername, ADPassword))
                {
                    /*memberOf holds direct memberships only (no nested groups, no primary group)*/
                    foreach (string groupDN in deUsr.Properties["memberOf"])
                    {
                        /*Keep the first RDN value of the group DN, i.e. the group's CN*/
                        string[] parts = groupDN.Replace("CN=", "").Split(',');
                        list.Add(parts[0]);
                    }
                }
            }
        }
        return list;
    }