Solved

C# Trying to get a user's groups from a domain controller using a computer that is outside of the domain

Posted on 2016-09-24
Last Modified: 2016-10-06
I am using C# and trying to get a user's groups from a domain controller using a computer that is outside of the domain.
The domain controller and DNS server are on the same server. The server is an Azure VM running 2012R2.

I get this error:
Information about the domain could not be retrieved (1355).
[Screenshot: the code breakpoint and variables]

I have put the DNS server for the domain controller as the first DNS server on the computer where I am running the code, and the domain name resolves:
[Screenshot: the domain resolves]
Any suggestions?
Question by:itnifl
6 Comments
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 1000 total points
ID: 41814138
I'm not a programmer, but I know when doing LDAP queries you have to auth before you can get any data out of AD. Since the computer isn't domain joined, it can't pass the logged-in user, so you need to auth somehow.
 
LVL 25

Expert Comment

by:Coralon
ID: 41814151
This should get you along..

http://www.c-sharpcorner.com/article/accessing-the-active-directory-from-microsoft-net/

The main thing...  you need DNS access to the directory, and you'll create an authenticated connection to the AD, and then you can enumerate the groups, memberships etc. just like normal.  

Coralon
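The authenticated connection and group enumeration described in the reply above, as an added example that is not code from this thread or from the linked article. It binds to one named server with explicit credentials through System.DirectoryServices.Protocols and reads the user's memberOf attribute; the class and method names are hypothetical, and host, port, base DN and accounts are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

static class AdGroupLookup   // hypothetical helper, not from the thread
{
    // Escape a value placed inside an LDAP search filter (RFC 4515).
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns the distinguished names in the user's memberOf attribute.
    // memberOf lists direct memberships only: nested groups and the
    // primary group are not included.
    public static List<string> GetDirectGroups(string host, int port, string baseDn,
        NetworkCredential bindCredential, string samAccountName)
    {
        var groups = new List<string>();
        // Third argument true: treat 'host' as the name of one specific server.
        var server = new LdapDirectoryIdentifier(host, port, true, false);
        using (var conn = new LdapConnection(server, bindCredential, AuthType.Negotiate))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            // On the plain LDAP port, sign and encrypt the session. For the LDAPS
            // port, set SessionOptions.SecureSocketLayer = true instead.
            conn.SessionOptions.Signing = true;
            conn.SessionOptions.Sealing = true;
            conn.Bind();   // throws LdapException if the credentials are rejected

            string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilter(samAccountName) + "))";
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "memberOf");
            var response = (SearchResponse)conn.SendRequest(request);

            foreach (SearchResultEntry entry in response.Entries)
                if (entry.Attributes.Contains("memberOf"))
                    foreach (string dn in entry.Attributes["memberOf"].GetValues(typeof(string)))
                        groups.Add(dn);
        }
        return groups;
    }
}
```

The filter value is escaped because the account name may come from user input; an unescaped `*` or `)` would change which entries the search matches.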
 
LVL 2

Author Comment

by:itnifl
ID: 41814383
Hello guys and thank you for the replies.
So, the authentication gets done in line 68. You can see it in the screenshot. Let's take a look at the line:
using (var context = new PrincipalContext(ContextType.Domain, uri.Host + ":" + uri.Port, connectionUsername, connectionPassword)) 


So what happens here is we declare a PrincipalContext, using ContextType Domain (used for AD), we define the address we talk to (uri.Host + ":" + uri.Port), and give a username and password (connectionUsername, connectionPassword). You can see the values of the variables in the screenshot as well. The using block makes sure the method dispose is called on the object named context that is declared within the using (declared as: var context). This happens when the code block that the using defines is done.

We can see the code breaks at line 71. This is in the innermost part of all the using blocks. That the code hasn't broken before means that all the objects defined before in the code flow have been established successfully. These establish only if I can:
  1. Authenticate at line 68
  2. Initiate a searcher at line 69.
  3. Find a user at line 70.

Now let's check out line 71 better. Here I check if user is null. That happens only if I found no user in line 70. If the user is null, the rest of the checks on the line will abort and the line will return false (user != null will evaluate as false because user == null, meaning user is null). But we know that didn't happen, because then the error would never have been thrown (referring to "Information about the domain could not be retrieved (1355)."). That again means that there is communication with AD. So let's look at the next condition at line 71:
user.IsMemberOf(context, IdentityType.SamAccountName, groupName);


This is where the code fails. I am asking if the user I found is a member of the group name that is defined in the variable groupName. The reply I get is:

Information about the domain could not be retrieved (1355).
So some sort of chat between the client and the AD server is not happening because of something unknown.

My first check was to make sure that the client can resolve the domain and get the SRV records for the domain. So I added the DNS server for the domain as the first DNS server in the list of DNS servers at the client and verified that name resolution happens. See screenshot in my original post. But that didn't fix it.

This article:
http://www.c-sharpcorner.com/article/accessing-the-active-directory-from-microsoft-net/

Is very informative and shows an alternate way to code against AD. But it really isn't addressing the core problem, which would be nice to handle.
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1000 total points
ID: 41815124
Wish I could be more help.. I'm not a programmer.. I just script a lot of AD stuff..

One interesting thing.. It looks to me like error 1355 is The specified domain either does not exist or could not be contacted. and if that is correct, then are you possibly losing your authenticated session to the domain?

Coralon
 
LVL 2

Accepted Solution

by:
itnifl earned 0 total points
ID: 41824685
I moved the code to the AD controller, and it all worked fine.
So there is something wrong in the setup for the client being outside of AD, or in the network communication between the AD controller and the external client.

No one hit the nail here in this thread, but giving points to everyone that participated for the participation.
 
LVL 2

Author Closing Comment

by:itnifl
ID: 41831400
Used workaround described above.