
I have a .NET web application that needs to obtain the groups that a user is a member of in Active Directory.

My code works perfectly using my ID, but when I run it under the application ID it gives me the following error:

COMException (0x8007052e): Logon failure: unknown user name or bad password.
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +420085
   System.DirectoryServices.DirectoryEntry.Bind() +36
   System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
   System.DirectoryServices.PropertyValueCollection.PopulateList() +26
   System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +49
   System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +141
   System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName) +57

The ID that I am using to run the application is in a different domain than the users. I found this answer, but I am not sure if it can apply to cross-domain IDs.

What kind of configuration do we need for this to work?

Thanks

Reza

1 Answer

What you are looking for is Active Directory delegation. MSFT has a published best practice document that you can use. However, it's very simple to implement. I also have a simple step-by-step setup of delegation for an open source AD application I wrote that you can take a look at:

Brent Pabst
  • Thanks. Is "reading memberOf" permission granted as a default to all accounts in the same domain? Because I can see everyone's groups in my domain using the NET command. – Reza Aug 10 '12 at 15:24
  • Pretty sure it is. I can see the group membership of all Exchange groups by default and they are tied together. Read is usually allowed regardless of user, write of course is not. – Brent Pabst Aug 10 '12 at 16:19
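As an added illustration (not code from the question or the answer), the lookup below binds to the users' domain with an explicit service account instead of the application pool identity, escapes the caller-supplied account name before placing it in the LDAP filter, and maps the 0x8007052E bind failure from the question to a clear error. The domain name, account names and LDAP path are placeholders for whatever your environment uses.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: read a user's direct group memberships (memberOf) from the users' domain
// while the web application runs under an account from a different domain.
public static class CrossDomainGroupLookup
{
    // Escape RFC 4515 special characters so the supplied name cannot change the filter's meaning.
    static string EscapeFilter(string s) =>
        s.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
         .Replace(")", @"\29").Replace("\0", @"\00");

    public static IList<string> GetMemberOf(string usersDomainDns, string sAMAccountName,
                                            string bindUser, string bindPassword)
    {
        // Bind explicitly to the users' domain. Without credentials the bind runs as the
        // application identity, which that domain does not accept (COMException 0x8007052E).
        using (var root = new DirectoryEntry("LDAP://" + usersDomainDns, bindUser, bindPassword,
                                             AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilter(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            searcher.SearchScope = SearchScope.Subtree;

            SearchResult result;
            try
            {
                result = searcher.FindOne();
            }
            catch (COMException ex) when (ex.ErrorCode == unchecked((int)0x8007052E))
            {
                // Same failure as in the question: the bind identity is not valid for this domain.
                throw new InvalidOperationException(
                    "Bind to " + usersDomainDns + " rejected; check the service account and domain trust.", ex);
            }

            var groups = new List<string>();
            if (result == null) return groups;          // no such user in this domain
            foreach (object dn in result.Properties["memberOf"])
                groups.Add((string)dn);                  // distinguished names of direct groups only
            return groups;                               // primary group and nested groups are not listed
        }
    }
}
```

Call it as `GetMemberOf("users.example.com", "jdoe", @"APPDOMAIN\svc_web", password)` (placeholder values); the service account only needs read access to the user object, which is why the default read permission discussed in the comments is normally sufficient.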