UserPrincipal.IsMemberOf throwing a [System.DirectoryServices.AccountManagement.PrincipalOperationException] = {"Unknown error (0x80005000)"}

    Question


    I have the following code.  It always works when the user is in the group itself ( for instance user is a UserPrincipal and I do user.GetGroups().ToList<Principal>() ).  I have a problem when the user is not directly in the group or the user is a member of a group that is a member of the given group.  Before I call IsMemberOf I confirmed that user and groupPrincipal are valid.

        /// <summary>
        /// Determines if the given user is a member of the Active Directory group with the given name. 
        /// </summary>
        /// <param name="groupName">Group name with the domain identifier omitted</param>
        /// <returns>True if the user is a member of the group</returns>
        static bool IsUserInGroup (
          string groupName,
          UserPrincipal user
          )
          {
          PrincipalContext principalContext = new PrincipalContext ( ContextType.Domain );
          GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity ( principalContext, groupName );
          if ( user.IsMemberOf ( groupPrincipal ) ) {
            return true;
            }
          return false;
          }
    

    at System.DirectoryServices.AccountManagement.ADStoreCtx.IsMemberOfInStore(GroupPrincipal g, Principal p)
       at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsNativeTest(Principal principal)
       at System.DirectoryServices.AccountManagement.PrincipalCollection.Contains(Principal principal)
       at System.DirectoryServices.AccountManagement.Principal.IsMemberOf(GroupPrincipal group)
       at AIM.Model.Authorizer.IsUserInGroup(String groupName, UserPrincipal user) in


    Why is this exception being thrown?  Is there a workaround?

    Thursday, January 20, 2011 4:41 PM

Answers

  • I opened a support ticket with Microsoft and they determined this is a bug in .net 4.0 that will be fixed in .net 4.5.  The workaround is to change the first line of the IsUserInGroup method and call the PrincipalContext ( ContextType, string ) constructor instead of just the PrincipalContext ( ContextType ) constructor.  When you provide the domain name in this manner you don't have the problem.  Hopefully this saves someone else out there some time.

    Thanks for your help,
    Jon


    using System.DirectoryServices.AccountManagement;

    class Program
        {
        static void Main ( string [ ] args )
          {
          // find the user in Active Directory by sAMAccountName (query-by-example search)
          PrincipalContext principalCtx = new PrincipalContext ( ContextType.Domain );
          UserPrincipal queryByExampleUser = new UserPrincipal ( principalCtx );
          queryByExampleUser.SamAccountName = "therijm";
          PrincipalSearcher principalSearcher = new PrincipalSearcher ( );
          principalSearcher.QueryFilter = queryByExampleUser;
          UserPrincipal userPrincipal = principalSearcher.FindOne ( ) as UserPrincipal;
    
          //bool isInGroup = IsUserInGroup ( "DG-DSK-AIM-ADM", userPrincipal );
          IsUserInGroup ( "DG-DSK-AIM-RO", userPrincipal );
          }
    
        // Original form of the check; the workaround described above replaces the
        // PrincipalContext ( ContextType ) call on the first line with
        // PrincipalContext ( ContextType, string ) so the domain name is explicit.
        static bool IsUserInGroup (
          string groupName,
          UserPrincipal user )
          {
          PrincipalContext principalContext = new PrincipalContext ( ContextType.Domain );
          GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity ( principalContext, groupName );
          if ( user.IsMemberOf ( groupPrincipal ) ) {
            return true;
            }
          return false;
          }
        }
    
    • Marked as answer by Jon Theriault Friday, January 28, 2011 12:58 PM
    Friday, January 28, 2011 12:57 PM
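An added example (not code from this thread) that applies the accepted workaround, the PrincipalContext ( ContextType, string ) overload, and adds a second check that does not go through IsMemberOf at all, for environments where the ADSI path error persists. The domain name `example.local` is a placeholder; the user and group names are the ones from the thread.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class GroupMembership
{
    // Placeholder: replace with the DNS name of the domain being queried.
    const string DomainName = "example.local";

    // Workaround from the accepted answer: give the context an explicit domain so
    // the provider builds a valid ADSI path. The group lookup is null-checked so a
    // misspelled group name fails as an ArgumentException rather than later as a
    // NullReferenceException inside IsMemberOf.
    static bool IsUserInGroup(string groupName, UserPrincipal user)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName, "groupName");
            return user.IsMemberOf(group);   // resolves nested membership server-side
        }
    }

    // Fallback that avoids IsMemberOf: GetAuthorizationGroups returns the user's
    // token groups with nested membership already expanded by the domain controller,
    // so a transitive membership check is a plain comparison of sAMAccountNames.
    static bool IsUserInGroupViaTokenGroups(string groupName, UserPrincipal user)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        {
            foreach (Principal p in groups)
            {
                if (p is GroupPrincipal &&
                    string.Equals(p.SamAccountName, groupName, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
    }

    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "therijm"))
        {
            if (user == null) { Console.WriteLine("user not found"); return; }
            Console.WriteLine(IsUserInGroup("DG-DSK-AIM-ADM", user));
            Console.WriteLine(IsUserInGroupViaTokenGroups("DG-DSK-AIM-ADM", user));
        }
    }
}
```

GetAuthorizationGroups can itself throw while enumerating if one of the user's group SIDs cannot be resolved (for example a group from a trusted domain that is unreachable), so callers that use the fallback should catch PrincipalOperationException around the loop rather than around the whole program.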

All replies

  • Hi Jon Theriault,

    Thank you for posting.

    Which line threw this error when you debugged your application?

    0x80005000 error code means an invalid directory pathname was passed. PrincipalOperationException will be thrown when ADSI returns an error during an operation to update the store.

    From the description of the error code, I suspect that your issue might be related to groupName. Could you please provide this parameter for me?

    Best Regards,

    Larcolais


    Larcolais Gong[MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, January 21, 2011 10:58 AM
  • Thanks for the help, Larcolais.

    The error is being thrown at the user.IsMemberOf ( groupPrincipal ) call.  The group name value is "DG-DSK-AIM-ADM".  I don't believe it's the group name because the method will return true for a user if that user is directly in the group ( and not in a group that's in the group ).  If the user is not directly in the group the exception is thrown. 

    Using the immediate window in debug mode I took a snapshot of what each of the objects looked like before user.IsMemberOf ( groupPrincipal ) was called.  This was done by just typing the variable name, hitting enter and copying the output below.  I have overtyped "I Hid This" or something similar to hide some info I didn't want posted in the forums.  I hope this helps.

    groupName

    DG-DSK-AIM-ADM
    

    user

    Name ( "therijm" )
     base {System.DirectoryServices.AccountManagement.AuthenticablePrincipal}: Name ( "therijm" )
     AdvancedSearchFilter: {System.DirectoryServices.AccountManagement.AdvancedFilters}
     EmailAddress: "therijm@iHidThis.com"
     EmployeeId: null
     GivenName: "Jonathan"
     MiddleName: null
     Surname: "Theriault"
     VoiceTelephoneNumber: null
    

    principalContext

    {System.DirectoryServices.AccountManagement.PrincipalContext}
     ConnectedServer: "iHidThisServerName.com"
     Container: null
     ContextType: Domain
     Name: null
     Options: Negotiate | Signing | Sealing
     UserName: null
    
    groupPrincipal
    Name ( "DG-DSK-AIM-ADM" )
     base {System.DirectoryServices.AccountManagement.Principal}: Name ( "DG-DSK-AIM-ADM" )
     GroupScope: Global
     IsSecurityGroup: true
     Members: {System.DirectoryServices.AccountManagement.PrincipalCollection}
    

    Also I'm not sure if it matters but this is how the "user" parameter was retrieved from AD.  It is called userPrincipal in the code below.

    // find the user in Active Directory
    PrincipalContext principalCtx = new PrincipalContext ( ContextType.Domain );
    UserPrincipal queryByExampleUser = new UserPrincipal ( principalCtx );
    queryByExampleUser.SamAccountName = "therijm";
    PrincipalSearcher principalSearcher = new PrincipalSearcher ( );
    principalSearcher.QueryFilter = queryByExampleUser;
    UserPrincipal userPrincipal = principalSearcher.FindOne ( ) as UserPrincipal;
    Friday, January 21, 2011 12:58 PM
  • Hi Jon Theriault,

    Thank you for your feedback.

    FindOne method returns a principal search result that contains the first principal object found that matches the principal specified in the QueryFilter property.

    In addition, I suggest you check the following article about AD operations.

    If you have any finding, please feel free to let me know.

    Best Regards,

    Larcolais


    Tuesday, January 25, 2011 5:29 AM
  • I opened a support incident and they're having me trace with IDNA to find the directory pathname that the .net libraries are constructing.  I'll let you know how it goes.
    Tuesday, January 25, 2011 2:12 PM
  • Thank you for posting.  I ran into the same problem and you helped me resolve it very fast.
    Monday, October 24, 2011 3:39 PM
  • I opened a support ticket with Microsoft and they determined this is a bug in .net 4.0 that will be fixed in .net 4.5.  The workaround is to change the first line of the IsUserInGroup method and call the PrincipalContext ( ContextType, string ) constructor instead of just the PrincipalContext ( ContextType ) constructor.  When you provide the domain name in this manner you don't have the problem.  Hopefully this saves someone else out there some time.

    Thanks for your help,
    Jon

     

    Jon,

    I tried this workaround and it failed too.  It gives me an unknown error (0x8000500).  Below is the expanded exception:

    Source: System.DirectoryServices.AccountManagement
    Method: IsMemberOfInStore
    Error: Unknown error (0x80005000)
    Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.IsMemberOfInStore(GroupPrincipal g, Principal p)
       at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsNativeTest(Principal principal)
       at System.DirectoryServices.AccountManagement.PrincipalCollection.Contains(Principal principal)
       at System.DirectoryServices.AccountManagement.PrincipalCollection.Contains(UserPrincipal user)
       at QVI.ICE.Common.UserInformation.IsCurrentUserDesiredGroup(String desiredGroup) in

    Friday, October 28, 2011 8:25 PM
  • Jon -

    Thanks, this was very helpful.

    Thursday, December 06, 2012 12:33 PM