Is there a way to enable referral chasing for UserPrincipal.FindByIdentity()?

6
votes

I have a .NET 3.5 web application that uses the System.DirectoryServices.AccountManagement classes. When I search for some users I get a PrincipalOperationException: A referral was returned from the server. If I did this the old school way with my own LDAP code I could enable chasing of referrals. Do I need to rewrite my code?

My code looks like this:

   using (var principalContext = new PrincipalContext(ContextType.Domain, null, adPath))
    {

        // Find the principal object for which you wish to enumerate group
        // membership.
        using (var userPrincipal = UserPrincipal.FindByIdentity(principalContext, identity))
        {
            if (userPrincipal != null)
            {
                Name = userPrincipal.DisplayName;
                DistinguishedName = userPrincipal.DistinguishedName;
                EmailAddress = userPrincipal.EmailAddress;
                Sid = userPrincipal.Sid.Value;
            }
        }
    }

My adPath can be one of 2 values. One of the values is a domain that was recently joined, and can be accessed using different tools. I believe this is a problem with how this .NET library makes the LDAP calls.

2
c#windowsactive-directoryldapwindows-server
Perhaps you can add more tags [.net-3.5],[windows-server-2008], or [windows-server] at least.JPBlanc

2 Answers

1
votes

Here is a partial Answer, as it's too long for a comment.

According to this Microsoft documentation, as you even know, Referrals are a hint that the client can chase. But concerning RODC they add "For example, in the case of an LDAP application, if chase referrals is enabled on the LDAP connection between the client and the RODC, the application never knows that the client received a referral from the RODC. The client is automatically redirected to the writable domain controller that is specified in the referral. ".

So I look how to enable LDAP chasing on a connexion in Microsoft site and I found this which means ADSI use. I'am very interested in the answer.

Do you try to query the global catalog like this :

/* Retreiving a principal context
 */
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "YourGCServer:3268", "dc=dom,dc=fr", "User", "Password");

It's supposed to contains all the forest domain's datas. I hope it helps.

0
votes

Have you tried code of the form(put the domain in as the second argument):

var principalContext = new PrincipalContext(ContextType.Domain, "office.local", "OU=Users, DC=office, DC=local" ))

Also make sure that the adPath is from most specific to least specific.