C# Trying to get users groups from domain controller using computer that is outside of the domain
I am using C# and trying to to get a users groups from domain controller using computer that is outside of the domain.
The domain controller and DNS server are on the same server. The server is an Azure VM running 2012R2.
I get this error:
I have put the DNS server for the domain controller as the first DNS server on the computer where I am running the code, and the domain name resolves:
Any suggestions?
The domain controller and DNS server are on the same server. The server is an Azure VM running 2012R2.
I get this error:
Information about the domain could not be retrieved (1355).
I have put the DNS server for the domain controller as the first DNS server on the computer where I am running the code, and the domain name resolves:
Any suggestions?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello guys and thank you for the replies.
So, the authentication gets done in line 68. You can see it in the screenshot. Lets take a look at the line:
So what happens here is we declare a PrincipalContext, using ContextType Domain (used for AD), we define the address we talk to (uri.Host + ":" + uri.Port), and give a username and password (connectionUsername, connectionPassword). You can see the values of the variables in the screenshot as well. The using block makes sure the method dispose is called on the object named context that is declared within the using (declared as: var context). This happens when the code block that the using defines is done.
We can see the code breaks at line 71. This is in the inner most part of all the using blocks. That the code hasn't broken before means that all the objects defined before in the code flow have been established successfully. These establish only if I can:
Now lets check out line 71 better. Here I check if user is null. That happens only if I found no user in line 70. If the user is null, the rest of the checks on the line will abort and the line will return false (user != null will evaluate as false because user == null, meaning user is null). But we know that didn't happen, because then the error would never have been thrown (referring to "Information about the domain could not be retrieved (1355)."). That again means that there is communication with AD. So lets look at the next condition at line 71:
This is where the code fails. I am asking if the user I found is a member of the group name that is defined in the variable groupName. The reply I get is:
My first check was to make sure that the client can resolve the domain and get the SRV records for the domain. So I added the DNS server for the domain as the first DNS server in the list of DNS servers at the client and verified that name resolution happens. See screenshot in my original post. But that didn't fix it.
This article:
http://www.c-sharpcorner.com/article/accessing-the-active-directory-from-microsoft-net/
Is very informative and shows an alternate way to code against AD. But it really isn't addressing the core problem, which would be nice to handle.
So, the authentication gets done in line 68. You can see it in the screenshot. Lets take a look at the line:
using (var context = new PrincipalContext(ContextType.Domain, uri.Host + ":" + uri.Port, connectionUsername, connectionPassword)) So what happens here is we declare a PrincipalContext, using ContextType Domain (used for AD), we define the address we talk to (uri.Host + ":" + uri.Port), and give a username and password (connectionUsername, connectionPassword). You can see the values of the variables in the screenshot as well. The using block makes sure the method dispose is called on the object named context that is declared within the using (declared as: var context). This happens when the code block that the using defines is done.
We can see the code breaks at line 71. This is in the inner most part of all the using blocks. That the code hasn't broken before means that all the objects defined before in the code flow have been established successfully. These establish only if I can:
- Authenticate at line 68
- Initiate a searcher at line 69.
- Find a user at line 70.
Now lets check out line 71 better. Here I check if user is null. That happens only if I found no user in line 70. If the user is null, the rest of the checks on the line will abort and the line will return false (user != null will evaluate as false because user == null, meaning user is null). But we know that didn't happen, because then the error would never have been thrown (referring to "Information about the domain could not be retrieved (1355)."). That again means that there is communication with AD. So lets look at the next condition at line 71:
user.IsMemberOf(context, IdentityType.SamAccountName, groupName);This is where the code fails. I am asking if the user I found is a member of the group name that is defined in the variable groupName. The reply I get is:
So some sort of chat between the client and the AD server is not happening because of something unknown.
Information about the domain could not be retrieved (1355).
My first check was to make sure that the client can resolve the domain and get the SRV records for the domain. So I added the DNS server for the domain as the first DNS server in the list of DNS servers at the client and verified that name resolution happens. See screenshot in my original post. But that didn't fix it.
This article:
http://www.c-sharpcorner.com/article/accessing-the-active-directory-from-microsoft-net/
Is very informative and shows an alternate way to code against AD. But it really isn't addressing the core problem, which would be nice to handle.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Used workaround described above.
http://www.c-sharpcorner.c
The main thing... you need DNS access to the directory, and you'll create an authenticated connection to the AD, and then you can enumerate the groups, memberships etc. just like normal.
Coralon