UserPrincipal.GetAuthorizationGroups() throwing exception when Distinguished Name in UserPrincipal contains special characters(a comma in my case) RRS feed

  • Question

  • I have a situation where I need to find AD Group of a user recursively. e.g. UserA is part of Group3, Group3 is part of Group2, Group2 is part of Group1 So, UserA is part of Group3,Group2,Group1.

    Dim UserP1 As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Remote_ID)
        allrecursiveUserGroups = UserP1.GetAuthorizationGroups()

    The problem here is when [Distinguished Name][2] of UserPrincipal contains special characters(a comma in my case) then it throws exception.
    In my case the distinguished name is : 

    CN=Smith\, John,DC=mydomain,DC=com

    Here backward slash has been used as escape character which is added by UserPrincipal itself.

    If Distinguished Name doesn't contain any special character the function GetAithorizationGroups() works fine.

    e.g. CN=Smith John,DC=mydomain,DC=com

    What is the reason of the problem and is there any solution available for this.

    Wednesday, May 16, 2018 6:49 AM

All replies

  • What is the type of the Exception?  What version of the .Net Framework are you using?

    Have you tried using a different IdentityType?  Perhaps a different format will avoid the issue.

    If you're on the latest framework and a different IdentityType doesn't help, then you may need to use a different method of querying active directory.  If that is what happens, let us know... at that point it may be worth a bug report on the internal parsing of GetAuthorizationGroups().

    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Wednesday, May 16, 2018 1:19 PM
  • I've seen some issues using this method and there used to be a bug which I'm not sure was ever fixed. Here is one alternative method you may want to try:

       Public Function GetNestedGroups(ByVal samAccountName As String) As IEnumerable
            Dim userNestedMembership = New List(Of String)
            Dim domainConnection = New DirectoryEntry()
            domainConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure
            Dim samSearcher = New DirectorySearcher()
            samSearcher.SearchRoot = domainConnection
            samSearcher.Filter = "(samAccountName=" & samAccountName & ")"
            Dim samResult = samSearcher.FindOne()
            If samResult IsNot Nothing Then
                Dim userLDAPPath As String = samResult.Path.ToString
                Dim theUser As New DirectoryServices.DirectoryEntry(userLDAPPath)
                theUser.RefreshCache(New String() {"tokenGroups"})
                Dim sidSearcher = New DirectorySearcher()
                sidSearcher.SearchRoot = domainConnection
                sidSearcher.Filter = CreateFilter(theUser)
                For Each result As SearchResult In sidSearcher.FindAll()
                Next result
            End If
            Return userNestedMembership
        End Function
        Private Function CreateFilter(ByVal theUser As DirectoryEntry) As String
            Dim filter As String = "(|"
            For Each resultBytes As Byte() In theUser.Properties("tokenGroups")
                Dim SID = New System.Security.Principal.SecurityIdentifier(resultBytes, 0)
                filter &= "(objectSid=" & SID.Value & ")"
            Next resultBytes
            filter &= ")"
            Return filter
        End Function

    Paul ~~~~ Microsoft MVP (Visual Basic)

    Wednesday, May 16, 2018 1:46 PM