C#, UserPrincipal.FindByIdentity always throw exception: "Server sent a referer" or unknown 0x80005000

I spend a whole day and got nothing. I'm developing a web app that authenticate using domain user/password. The code is followed. the first half is ok, I can get output: "the user and pass is: True."

Then, UserPrincipal.FindByIdentity throws error, either "server sent a referer" or "unknown 0x80005000". I changed the connect parameters many times like: LDAP://CN=Users,DC=sbi,DC=com

CN=Users,DC=sbi,DC=com

DC=sbi,DC=com

for every one of those, the first half code is correct, I can get my user/pass successfully authenticated. But I cannot get the userPrincipal.

I googled a lot but still get nothing, someone please help.

    bool valid = false;
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "sbi.com", "LDAP://CN=Users,DC=sbi,DC=com"))
    {
        valid = context.ValidateCredentials(user, pass);
        System.Diagnostics.Debug.WriteLine("the user and pass is: " + valid.ToString());
    }
    //return;
    if (valid)
    {
        PrincipalContext context2 = new PrincipalContext(ContextType.Domain,
            "sbi.com", "CN=Users,DC=sbi,DC=com",
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
            user, pass);


        //System.Diagnostics.Debug.WriteLine("connected server:" + context2.ConnectedServer);

        UserPrincipal userInDomain = UserPrincipal.FindByIdentity(context2, user);
        if (userInDomain != null)
        {
            System.Diagnostics.Debug.WriteLine("user found: " + userInDomain.Name);
        }
        else
        {
            System.Diagnostics.Debug.WriteLine("user not found");
        }
    }

I just figure it out. If I don't specify the container string, it workds. Maybe something wrong with the container string.