2

I've got some code which checks Active Directory for all groups that a user is a member of, this works fine locally in my development environment but doesn't when I release to the Test system.

A fellow workmate has suggested that maybe the account that the application pool runs under in IIS is unable to poll Active Directory. Would this be the case? What could be causing no groups to be returned?

When I run my code locally I am able to retrieve the list, but Test comes back empty. There are no errors thrown at all.

Example code, where I change "LIVE" to "TEST" as we have a multi-domain network, but neither works:

    using System.Collections.Generic;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;

    // Resolves the identity of the current thread: under IIS this is the
    // application pool account, not the browsing user.
    UserPrincipal user = UserPrincipal.Current;
    if (user != null)
    {
        // Look up group membership for that account in the named domain.
        PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, "TEST");
        List<Principal> groupResults = user.GetGroups(principalContext).ToList();
    }
MattR
  • 641
  • 3
  • 17
  • 38
  • This might be a silly question, but are you completely sure that there are in fact groups in the AD in the Test environment? – Lars Kristensen Aug 21 '13 at 12:57
  • Certainly not a silly question! My honest answer is I don't know, however as I've changed the Domain (assuming this actually works correctly) to Live and it still didn't return anything, and I know that the Live AD system has groups listed under my name... but if it ends up checking against the IIS account that would be another matter. – MattR Aug 21 '13 at 13:06
  • Is this a web application that runs in the context of the NetworkService user in IIS? Also, will you know the name of the specific user you want to find groups for? – Scampbell Aug 21 '13 at 13:08
  • To narrow down the problem, you could try using this to get a specific user: UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "YourUserName") ...where 'context' is your PrincipalContext object – Scampbell Aug 21 '13 at 13:22
  • @Scampbell it is a network account that is setup for the app pool in IIS. The name of the user will be whoever is looking at the page at the time, which I thought `UserPrincipal.Current` would provide. Is this not the case? I will try using the specific user. – MattR Aug 21 '13 at 13:23
  • @Scampbell I don't want to get ahead of myself but I think you may have cracked it. – MattR Aug 21 '13 at 13:33
  • UserPrincipal.Context should return that network account user and not whoever is looking at the page. There is an administrative tool called ["Active Directory Users and Computers"](http://stackoverflow.com/questions/1434320/active-directory-users-and-computers-mmc-snap-in-for-windows-7) that you can point to a specific domain to see users and groups, so you can verify if that network account is a member of any groups. – Scampbell Aug 21 '13 at 13:40

3 Answers

2

It seems like the problem is related to the user you are using to get groups for. UserPrincipal.Current gets the user account of the thread that it's running in. In an IIS application, that account is the account specified in the application's IIS application pool identity. If you want to find Active Directory groups for a specific user account to get groups for, you can use this code (.Net 4):

    using System;
    using System.DirectoryServices.AccountManagement;

    // Bind to the named domain; the context is disposed when the block ends.
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "TEST"))
    {
        // Look up a specific account by its logon (sAMAccountName) name.
        UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "A_User_Name");
        if (user == null)
        {
            Console.WriteLine("Account not found in this domain.");
            return;
        }
        foreach (var group in user.GetGroups())
        {
            Console.WriteLine(group.Name);
        }
    }

If you want to compare the results of this to users and groups in a specific domain, you can use this tool: "Active Directory Users and Computers"

Scampbell
  • 1,535
  • 14
  • 24
  • That's certainly got part of it. The problem I can see after specifically setting the username is selecting a different Domain, when I have TEST it doesn't seem to have any different results after I add / remove groups from my name. – MattR Aug 21 '13 at 15:02
  • 1
    Have you tried using that Active Directory Users and Computers utility to compare the groups returned for the user name in each domain? You can point it to each domain separately and see the groups that the user you are using is a part of. – Scampbell Aug 21 '13 at 15:22
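The point in the answer above is the one that matters for authorization: under IIS, `UserPrincipal.Current` resolves to the application pool account, so any page that keys its group checks on it would grant every visitor the pool account's memberships (usually none, which is the empty list the question describes). The following is an added example, not code from the question or any of the answers, showing how to log which identity the process actually runs as, how to take the browsing user's name from the ASP.NET request instead (assumes Windows authentication is enabled in IIS), and how to look that account up in a named domain with every directory object disposed. The domain name `TEST` is taken from the question; the class and method names are assumptions.

```csharp
// Added example (not from the question or answers above). Assumes an ASP.NET
// application running under IIS with Windows authentication enabled.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public static class AdGroupLookup
{
    // Domain to query; "TEST" comes from the question, the choice is an assumption.
    private const string DomainName = "TEST";

    // The process identity, i.e. what UserPrincipal.Current is based on.
    // Under IIS this is the application pool account (e.g. "DOMAIN\svc-apppool").
    // Log this once when diagnosing "no groups returned" on a server.
    public static string ProcessIdentityName()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            return me.Name;
        }
    }

    // The authenticated web user for this request, or null when the request
    // is anonymous (e.g. Windows authentication is off or anonymous access is on).
    public static string WebUserName(HttpContext ctx)
    {
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            return null;
        }
        return ctx.User.Identity.Name; // "DOMAIN\user" or "user@domain"
    }

    // Groups the named account belongs to in DomainName; empty if the account
    // is not found there. Each principal holds a directory connection, so
    // everything is disposed.
    public static List<string> GetGroupNames(string accountName)
    {
        var names = new List<string>();
        if (string.IsNullOrEmpty(accountName))
        {
            return names;
        }

        // Pick the identity type that matches the name form we were given.
        IdentityType idType = IdentityType.SamAccountName;
        string id = accountName;
        if (accountName.Contains("@"))
        {
            idType = IdentityType.UserPrincipalName;
        }
        else
        {
            // FindByIdentity with SamAccountName wants the bare logon name.
            int slash = accountName.LastIndexOf('\\');
            if (slash >= 0)
            {
                id = accountName.Substring(slash + 1);
            }
        }

        using (var context = new PrincipalContext(ContextType.Domain, DomainName))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(context, idType, id))
        {
            if (user == null)
            {
                return names; // account does not exist in this domain
            }
            using (PrincipalSearchResult<Principal> groups = user.GetGroups())
            {
                foreach (Principal g in groups)
                {
                    names.Add(g.Name);
                    g.Dispose();
                }
            }
        }
        return names;
    }

    // Typical call from a page or handler: resolve the visitor, not the pool.
    public static List<string> GroupsForCurrentWebUser()
    {
        return GetGroupNames(WebUserName(HttpContext.Current));
    }
}
```

Comparing `ProcessIdentityName()` with `WebUserName(HttpContext.Current)` in a test page makes the symptom visible immediately: locally both are your own account, on the server the first is the pool account and the second is the visitor. An account that exists only in the other domain comes back as `null` from `FindByIdentity`, which is why the example returns an empty list rather than throwing.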
1

If it is ASP.NET this should work:

    using System.Collections.Generic;
    using System.Linq;
    using System.Web.Security;

    // Uses the ASP.NET Windows token role provider to list the groups
    // (roles) for the given Windows user name.
    public static List<string> GetGroups(string userName)
    {
        RoleProvider roleProvider = new WindowsTokenRoleProvider();
        return roleProvider.GetRolesForUser(userName).ToList();
    }

Super simple

Andrei
  • 42,814
  • 35
  • 154
  • 218
1

I'm not 100% sure but I think it's a lot simpler than your code:

    using System.Collections.Generic;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;

    // Groups of the current thread's account, from its own domain,
    // without passing a separate PrincipalContext.
    UserPrincipal user = UserPrincipal.Current;

    if (user != null)
    {
        List<Principal> groupResults = user.GetGroups().ToList();
    }
Ashigore
  • 4,618
  • 1
  • 19
  • 39