0
votes

I have a method that checks if a user is a member of an AD group. I tried using my own AD account as credentials and then I get some information about the UserPrincipal, like email etc. But when accessing the UserPrincipal's groups I get the following error message:

Exception:
MESSAGE: The server is not operational.
SOURCE: System.DirectoryServices.AccountManagement
TARGETSITE: System.DirectoryServices.AccountManagement.ResultSet GetGroupsMemberOf(System.DirectoryServices.AccountManagement.Principal)

STACKTRACE:
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)
at Authorization.AuthorizeAD.IsMemberOfGroup(String user)
at PVM.Controllers.SecurityController.IsMemberOfGroup(String user)

InnerException: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsForestName()
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)

Code:

public bool IsMemberOfGroup(string user) {
    using (var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
            ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, "myUsername", "myPass")) {
        using (var userPrincipal = UserPrincipal.FindByIdentity(
                context,
                IdentityType.SamAccountName,
                user)) {
            // FindByIdentity returns null when no account with that sAMAccountName exists
            if (userPrincipal == null) {
                return false;
            }

            //I can access userPrincipal.DisplayName etc
            var groupName = "TestGroup";
            //This is where I get the error
            return userPrincipal.IsMemberOf(context, IdentityType.SamAccountName, groupName);
        }
    }
}

I thought it could be a permission problem, but when using ldp.exe from the server there was no problem querying active directory.

Everything works fine locally. I've tried changing the IIS AppPool login and so on, but now I ended up sending the credentials along with my PrincipalContext object.

Does anyone have a clue what I am missing here?

1 Answer

0
votes

This got solved by using a PrincipalSearcher instead of UserPrincipal.IsMemberOf, and then I did my own IsMemberOf().

using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

private static bool IsMemberOf(PrincipalContext context, PrincipalSearcher searcher, string user,
        string groupToFind) {
    // Query-by-example: a GroupPrincipal with only the sAMAccountName set acts as the search filter
    searcher.QueryFilter = new GroupPrincipal(context, groupToFind);

    // The returned principal is disposable; null is fine inside using (Dispose is skipped)
    using (var group = searcher.FindOne() as GroupPrincipal) {
        if (group == null) {
            return false;
        }

        // GetMembers() returns direct members only; GetMembers(true) would expand nested groups.
        // sAMAccountName is case-insensitive in AD, so compare it that way too.
        return group.GetMembers()
            .OfType<UserPrincipal>()
            .Any(principal => !string.IsNullOrEmpty(principal.SamAccountName)
                && principal.SamAccountName.Equals(user, StringComparison.OrdinalIgnoreCase));
    }
}
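An added example, not code from the question or the answer above: the same membership test done as a single LDAP query through System.DirectoryServices instead of System.DirectoryServices.AccountManagement. It uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so nested group membership is resolved by the domain controller in one round trip, binds to a named server rather than letting the store context discover the domain (the LoadDomainInfo/DnsForestName call that threw in the stack trace above), and escapes the caller-supplied account name per RFC 4515 so it cannot alter the filter (LDAP filter injection). The server name, search base, group DN and credentials in the usage call are placeholders, not values from the question.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class AdGroupCheck
{
    // LDAP_MATCHING_RULE_IN_CHAIN: memberOf matches transitively through nested groups.
    private const string InChain = "1.2.840.113556.1.4.1941";

    // RFC 4515 escaping: a caller-supplied value must not be able to change the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Matches a user object with the given sAMAccountName that is a direct OR nested member of groupDn.
    public static string BuildFilter(string samAccountName, string groupDn)
    {
        return "(&(objectCategory=person)(objectClass=user)" +
               "(sAMAccountName=" + EscapeFilterValue(samAccountName) + ")" +
               "(memberOf:" + InChain + ":=" + EscapeFilterValue(groupDn) + "))";
    }

    // ldapPath: "LDAP://<server>" (hypothetical); searchBase: the domain's DN (hypothetical).
    public static bool IsMemberOfGroup(string ldapPath, string searchBase, string bindUser, string bindPassword,
                                       string samAccountName, string groupDn)
    {
        // Secure = Negotiate (Kerberos/NTLM); Sealing adds encryption of the LDAP traffic.
        var authTypes = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
        using (var root = new DirectoryEntry(ldapPath + "/" + searchBase, bindUser, bindPassword, authTypes))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildFilter(samAccountName, groupDn);
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.SizeLimit = 1;
            // A hit means the account exists and is a member (directly or via nesting) of the group.
            return searcher.FindOne() != null;
        }
    }

    public static void Main()
    {
        // All values below are placeholders for illustration, not real environment data.
        bool isMember = IsMemberOfGroup(
            "LDAP://dc01.example.local",
            "DC=example,DC=local",
            "svc_lookup", "P@ssw0rd-placeholder",
            "jdoe",
            "CN=TestGroup,OU=Groups,DC=example,DC=local");
        Console.WriteLine(isMember ? "member" : "not a member");
    }
}
```

Because the query is evaluated server-side, this also avoids enumerating every member of a large group in the client, which GroupPrincipal.GetMembers() does; the cost is that the group must be identified by its distinguished name rather than its sAMAccountName.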