Access Active Directory user groups from DMZ

0

I have a method that checks if a user is a member of an AD group. I tried using my own AD account as credentials and then I get some information about the UserPrincipal, like email etc. But when accessing the UserPrincipal's groups I get the following error message:

Exception:
MESSAGE: The server is not operational.
SOURCE: System.DirectoryServices.AccountManagement
TARGETSITE: System.DirectoryServices.AccountManagement.ResultSet GetGroupsMemberOf(System.DirectoryServices.AccountManagement.Principal)

STACKTRACE:
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)
at Authorization.AuthorizeAD.IsMemberOfGroup(String user)
at PVM.Controllers.SecurityController.IsMemberOfGroup(String user)

InnerException: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsForestName()
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)

Code:

using System.DirectoryServices.AccountManagement;

// ContextName and ContextContainer are fields holding the domain/DC name and
// the container DN (their definitions are not shown in the post).
public bool IsMemberOfGroup(string user) {
    using (var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
               ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, "myUsername", "myPass")) {
        using (var userPrincipal = UserPrincipal.FindByIdentity(
                context,
                IdentityType.SamAccountName,
                user)) {
            if (userPrincipal == null) {
                return false; // no such user in this container
            }

            // I can access userPrincipal.DisplayName etc.
            var groupName = "TestGroup";
            // This is where I get the error
            return userPrincipal.IsMemberOf(context, IdentityType.SamAccountName, groupName);
        }
    }
}

I thought it could be a permission problem, but when using ldp.exe from the server there was no problem querying active directory.

Everything works fine locally. I've tried changing the IIS AppPool login and so on, but now I ended up sending the credentials along with my PrincipalContext object.

Does anyone have a clue what I am missing here?

c#
active-directory
dmz
asked on Stack Overflow Mar 10, 2016 by MrProgram • edited Mar 10, 2016 by marc_s

1 Answer

0

This got solved by using a PrincipalSearcher instead of UserPrincipal.IsMemberOf, and then I did my own IsMemberOf().

using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

private static bool IsMemberOf(PrincipalContext context, PrincipalSearcher searcher, string user,
    string groupToFind) {
    // Look the group up by name through the searcher instead of calling
    // Principal.IsMemberOf, which has to resolve the forest DNS name first.
    searcher.QueryFilter = new GroupPrincipal(context, groupToFind);

    var group = searcher.FindOne() as GroupPrincipal;
    if (group == null) {
        return false; // group not found in this container
    }

    // GetMembers() without recursive:true returns direct members only.
    // sAMAccountName is case-insensitive in AD, so compare ignoring case.
    using (var members = group.GetMembers()) {
        return members
            .OfType<UserPrincipal>()
            .Where(principal => !string.IsNullOrEmpty(principal.SamAccountName))
            .Any(principal => principal.SamAccountName.Equals(user, StringComparison.OrdinalIgnoreCase));
    }
}
answered on Stack Overflow Mar 14, 2016 by MrProgram
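The answer leaves out how the PrincipalContext and PrincipalSearcher are wired up and only checks direct members. The following is an added example, not the asker's code, that binds to an explicitly named domain controller over LDAPS (so no forest-name discovery is needed from the DMZ) and expands nested groups; the parameter names dcHost, container, bindUser and bindPassword are assumptions, and all groups involved are assumed to live in the bound domain.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static class DmzGroupCheck
{
    // Returns true if samAccountName is a member of groupName, including
    // membership through nested groups, by walking the group's members
    // instead of calling Principal.IsMemberOf.
    public static bool IsMemberOf(string dcHost, string container, string bindUser,
                                  string bindPassword, string samAccountName, string groupName)
    {
        // Bind to one named DC over LDAPS with explicit credentials; the
        // DMZ host then never has to resolve the forest DNS name itself.
        using (var context = new PrincipalContext(
                   ContextType.Domain, dcHost, container,
                   ContextOptions.Negotiate | ContextOptions.SecureSocketLayer,
                   bindUser, bindPassword))
        // Query-by-example filter: a GroupPrincipal with only sAMAccountName set.
        using (var filter = new GroupPrincipal(context, groupName))
        using (var searcher = new PrincipalSearcher(filter))
        using (var group = searcher.FindOne() as GroupPrincipal)
        {
            if (group == null)
            {
                return false; // group does not exist in this container
            }

            // recursive: true expands nested groups. Expansion of groups from
            // other domains may still require contacting those domains.
            // sAMAccountName is case-insensitive in AD, so compare ignoring case.
            using (var members = group.GetMembers(recursive: true))
            {
                return members
                    .OfType<UserPrincipal>()
                    .Any(u => string.Equals(u.SamAccountName, samAccountName,
                                            StringComparison.OrdinalIgnoreCase));
            }
        }
    }
}
```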

User contributions licensed under CC BY-SA 3.0