In the case that I'm getting groups for a `UserPrincipal` identity (in an Active Directory role provider), and I use the `UserPrincipal.GetGroups()` function that does not require a `PrincipalContext` as a parameter, what does it default to using for the `PrincipalContext`? I ask because, in troubleshooting an issue, I'm seeing it connect to a different AD server that is not the connected server for my `PrincipalContext`. Some code as an example:

```csharp
using System.DirectoryServices.AccountManagement;

using ( PrincipalContext context = new PrincipalContext( ContextType.Domain, "domain", null, ContextOptions.Negotiate ) )
{
    UserPrincipal identity = UserPrincipal.FindByIdentity( context, IdentityType.SamAccountName, username );

    if (identity != null)
    {
        // Parameterless overload: no PrincipalContext is passed in here.
        var groupList = identity.GetGroups();
    }
}
```

If I output `context.ConnectedServer` I get a valid active server. However, `identity.GetGroups()` appears to connect to a different server (in my case, it's throwing a `System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException` because it's connecting to an old server). If I instead use `identity.GetGroups(context)`, the groups are correctly returned. Why does calling `GetGroups` without a `PrincipalContext` cause it to default to connecting to a different server?

Nicole S.
  • I'm guessing the problem goes away if you use `identity.GetGroups(context)`? – itsme86 Sep 06 '17 at 22:57
  • As noted in my post, yes. I'm trying to understand the behavior. – Nicole S. Sep 06 '17 at 22:58
  • Weird. I'd think it would use the `Context` property value from the `identity` object. – itsme86 Sep 06 '17 at 23:03
  • Weird, indeed. As a double check, I just output the `identity.Context.ConnectedServer` right before the `identity.GetGroups()` call, and it outputs the correct active server. But then the `GetGroups()` call fails trying to bind to an inactive server. This is happening in multiple environments - all trying to connect to the same inactive server. – Nicole S. Sep 06 '17 at 23:16
  • It's kind of freaking me out that the [.NET Reference Source](https://referencesource.microsoft.com/) doesn't seem to include the System.DirectoryServices.AccountManagement namespace. – itsme86 Sep 07 '17 at 00:10

0 Answers