Enumerating User Groups in Active Directory from Different Domain


I have a .NET web application that needs to obtain the groups that a user is a member of in Active Directory.

My code works perfectly using my ID, but when I run it under the application ID it gives me the following error:

COMException (0x8007052e): Logon failure: unknown user name or bad password.
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +420085
   System.DirectoryServices.DirectoryEntry.Bind() +36
   System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
   System.DirectoryServices.PropertyValueCollection.PopulateList() +26
   System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +49
   System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +141
   System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName) +57

The ID that I am using to run the application is in a different domain than the users. I found this answer but I am not sure if it can apply to cross-domain IDs.

What kind of configuration do we need for this to work?


asked on Server Fault Aug 9, 2012 by Reza • edited Apr 13, 2017 by Community
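As an added example (not code from the question or the answer above), this is how a group lookup can bind to the users' domain with an explicit service account instead of the application pool identity, and how the 0x8007052E logon failure from the question surfaces when that bind is rejected. The domain name "users.example.com", the account "USERS\svc-webapp" and the class name are hypothetical; the password is expected to come from protected configuration, never from source.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

// Added example; not code from the question or the answer.
// Assumptions (hypothetical names): the users live in the domain "users.example.com",
// and the web application has a service account in that domain (or in a domain it
// trusts) whose password is supplied by the caller from protected configuration.
public static class CrossDomainGroupLookup
{
    private const string UsersDomain = "users.example.com";      // hypothetical
    private const string ServiceAccount = @"USERS\svc-webapp";    // hypothetical

    // HRESULT shown in the question's stack trace: ERROR_LOGON_FAILURE wrapped by COM.
    private const int LogonFailureHResult = unchecked((int)0x8007052E);

    public static IList<string> GetGroupNames(string samAccountName, string servicePassword)
    {
        var groups = new List<string>();
        try
        {
            // Bind to the users' domain with explicit credentials instead of the
            // application pool identity. Negotiate (Kerberos, falling back to NTLM)
            // plus signing and sealing keeps the LDAP session authenticated and encrypted.
            using (var ctx = new PrincipalContext(
                ContextType.Domain,
                UsersDomain,
                null,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
                ServiceAccount,
                servicePassword))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                {
                    return groups;   // unknown user: empty list, the caller decides what that means
                }

                // GetAuthorizationGroups() expands nested membership (tokenGroups),
                // which is what an authorization check needs; GetGroups() would
                // return direct membership only.
                foreach (Principal group in user.GetAuthorizationGroups())
                {
                    using (group)
                    {
                        groups.Add(group.SamAccountName ?? group.Name);
                    }
                }
            }
        }
        catch (COMException ex)
        {
            if (ex.ErrorCode != LogonFailureHResult)
            {
                throw;
            }
            // The same failure the question shows: the account used for the bind is not
            // accepted by the target domain (wrong credentials, or no trust between the
            // application's domain and the users' domain).
            throw new InvalidOperationException(
                "Bind to " + UsersDomain + " as " + ServiceAccount + " was rejected (logon failure). " +
                "Check the service account credentials and the trust between the two domains.", ex);
        }
        catch (PrincipalServerDownException ex)
        {
            throw new InvalidOperationException(
                "No domain controller for " + UsersDomain + " could be reached.", ex);
        }

        groups.Sort(StringComparer.OrdinalIgnoreCase);
        return groups;
    }
}
```

Two practical notes. If the application pool can simply run as a service account that the users' domain accepts, do that instead and drop the explicit username and password (pass null for both); a password in web.config is a liability even when the section is encrypted. And GetAuthorizationGroups() resolves every SID in the user's token, so if some of those SIDs belong to a domain the bind account cannot reach it throws; in that case fall back to GetGroups() and accept that only direct membership is returned.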

1 Answer


What you are looking for is Active Directory delegation. MSFT has a published best practice document that you can use. However, it's very simple to implement. I also have a simple step-by-step setup of delegation for an open source AD application I wrote that you can take a look at:

answered on Server Fault Aug 9, 2012 by Brent Pabst • edited Aug 9, 2012 by mgorven

User contributions licensed under CC BY-SA 3.0