
I have seen a few questions that are like mine, but none that actually apply. The problem I am facing is:

I need to get group membership of User with:

  • Group in domain B.
  • User in domain A.
  • Service in domain B.
  • Forest-to-forest two-way trust.

The user attaches to the service, and the service gets a WindowsIdentity object with the SID, name, etc.

In order to get group membership, I am using a UserPrincipal object. In order to get that, you need a PrincipalContext object. The constructor for the PrincipalContext object needs the FQDN of the domain (e.g. A.some.domain.com). The WindowsIdentity object has the NetBIOS domain name in the username (e.g. A\User), but I cannot see a way to get the DNS name.

Here is an example of code that has the DNS name hard-coded. It works, but I need to take out the hard-coded part.

    using System.DirectoryServices.AccountManagement;
    using System.Security.Principal;

    // WindowsIdentity wi is passed into the method; the domain FQDN is hard-coded here
    PrincipalContext context = new PrincipalContext(ContextType.Domain, "A.some.domain.com");
    UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.Sid, wi.User.ToString());

I have another solution that uses impersonation, using System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name, but that is not acceptable because impersonation may not be available. I need a solution that will work with TokenImpersonationLevel.Identification.

I have spent several days scouring MSDN and Google (including Stack Overflow) to no avail.

DCastenholz

1 Answer


Does using WindowsIdentity.Groups not work? If DomainA\User is accessing DomainB\Service, the user's token should include the groups from both domains.

Brian Desmond
Comment: Short answer is that this will work. Just spent several hours testing this. I was under the impression that the groups coming from the WindowsIdentity.Groups property could be stale or incomplete. This is true, but it appears that when hitting a service across domain boundaries, the token is always fresh. Good call. – DCastenholz Feb 11 '12 at 00:57
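As an added illustration of the answer above (this is example code, not the answerer's or the asker's), the following reads group membership straight from the caller's token via WindowsIdentity.Groups, so it needs neither the domain FQDN nor impersonation. The group SID passed to IsMemberOf is a placeholder assumption; the real group's SID would be configured by the service.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Example: read the caller's token groups instead of querying AD with a
// PrincipalContext. Only the token is read, so an Identification-level
// token is sufficient and no domain name has to be known in advance.
public static class TokenGroups
{
    // Returns "DOMAIN\Group" for every SID the local system can translate,
    // and the raw SID string (S-1-5-...) for any it cannot.
    public static IList<string> GetGroupNames(WindowsIdentity wi)
    {
        var names = new List<string>();
        if (wi.Groups == null) return names; // e.g. an anonymous identity

        foreach (IdentityReference group in wi.Groups)
        {
            try
            {
                names.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Cannot be resolved from this host (deleted group, lookup or
                // trust problem); keep the SID so it is still visible to the caller.
                names.Add(group.Value);
            }
        }
        return names;
    }

    // Authorization checks are more robust on the SID than on a display name:
    // SIDs are immutable, while names can be renamed or fail to resolve.
    // requiredGroupSid is a placeholder; supply the SID of the real group.
    public static bool IsMemberOf(WindowsIdentity wi, SecurityIdentifier requiredGroupSid)
    {
        return wi.Groups != null && wi.Groups.Contains(requiredGroupSid);
    }
}
```

The membership check compares SIDs already present in the token, so it also works when the group's name cannot be resolved from the service host.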