Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

UserPrincipal.GetGroups vs. UserPrincipal.GetAuthorizationGroups?

Tags:

c#

asp.net-mvc-3

active-directory

I am using ASP.Net 4.0 MVC to query active directory. I am trying to get a list of a user's group memberships and that iterate through them. I am having a weird problem. To get the groups I was using:

   PrincipalSearchResult<Principal> groups = up.GetGroups();

Which worked great on localhost but returns an empty set when moved to IIS6. So I tried using this:

    PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups();

Which worked great on IIS6 but returns an empty set on localhost. What is the difference between these 2 methods? Why can I use one in IIS6 and not on localhost? Why can I use the other one on localhost and not in IIS6?

like image 886
Edward Pescetto Avatar asked Jun 22 '12 18:06

Edward Pescetto

2 Answers

The why part has been answered, but this may help someone wanting to know the functional difference between the two methods. From MS documentation:

GetGroups - Returns a collection of group objects that specify the groups of which the current principal is a member.

This overloaded method only returns the groups of which the principal is directly a member; no recursive searches are performed.

GetAuthorizationGroups - Returns a collection of principal objects that contains all the authorization groups of which this user is a member. This function only returns groups that are security groups; distribution groups are not returned.

This method searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that system would consider the user a member of for authorization purposes.

So GetGroups gets all groups of which the user is a direct member, and GetAuthorizationGroups gets all authorization groups of which the user is a direct or indirect member.

Despite the way they are named, one is not a subset of the other. There may be groups returned by GetGroups not returned by GetAuthorizationGroups, and vice versa.

like image 172
Tawab Wakil Avatar answered Oct 14 '22 01:10

Tawab Wakil

I assume GetAuthorizationGroups() calls in to tokenGroups in AD. To read that, your service account (or IIS machine account if Network Service) needs to be in the Windows Authorization Access group in AD.

like image 25
Brian Desmond Avatar answered Oct 14 '22 02:10

Brian Desmond
Sign in to Comment

Related questions

How can I generate a unique hashcode for a string
IQueryable C# Select
Storing and calling generically-typed delegates
Deploying/Installing an outlook addin
Is there any way to export sequence diagram generated by visual studio?
Generating assembly code from C# code?
Dictionary with two keys?
Why a Struct can not be derived from another struct?
Writing unit tests in my compiler (which generates IL)
Why partial methods can only have void return type?
Saving higher resolution charts without messing up the appearance
best way to add jquery to an "empty" web project in visual studio?
Send email with attchement using System.Net.Mail thows exception: Cannot access a closed file
How to get thread Id in C#
Are there any stand-alone C#/.NET Debuggers?
Is there a Linq to REST library for C#
Add a button in a new column to all rows in a DataGrid
Tips for using a C library from C#
Setting cursor position with Visual Studio Extension
Remove children from Panel only if are of type T

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!