FindByIdentity, .NET Framework 4.5

  • Question

  • Hi,

    I'm setting up a service to manage AD user accounts via System.DirectoryServices.AccountManagement.  The service lives in a different domain (our DMZ) than where the user accounts live (user domain).  Pre-4.5, I was able to hit a controller on the user domain from the DMZ using LDAPS (port 636) and all was well.  Once 4.5 hit, we ran into issues where calls to UserPrincipal.FindByIdentity and UserPrincipal.GetUnderlyingObject would fail.  Stack Overflow has what appears to be a related thread at http://stackoverflow.com/questions/12608971/net-4-5-bug-in-userprincipal-findbyidentity-system-directoryservices-accountma?rq=1.

    I have yet to find a comprehensive answer as to what changed with 4.5 (at least one that I can absorb), but I think what .NET 4.5 is doing is hitting DNS to find a list of domain controllers for the user domain, and then subsequently connecting to another domain controller in that list. This seems to happen even if you initially connect to a specific domain controller, for security purposes.

    So, my question:  How do I manage cross-domain usage of System.DirectoryServices.AccountManagement with my systems and network teams?  Is it a matter of setting up a DNS entry for my user network containing domain controllers, and then having network set up port 636 access to those controllers from the DMZ, or is there more to it than that? 

    If there is a white paper or FAQ about what 4.5 is doing, I will be happy to read through that, I just haven't been able to find it yet.

    Thanks!

    Tuesday, August 19, 2014 5:30 PM

Answers

  • Hello JTerando,

    >> How do I manage cross-domain usage of System.DirectoryServices.AccountManagement with my systems and network teams?

    Are your systems and network teams in the same Active Directory forest? If they are, you can check whether Global Catalog is running in your forest. If you have Global Catalog running, you can run an LDAP query against the global catalog as described here. Although it only shows using the query feature of System.DirectoryServices.AccountManagement, you could try to test other features to see whether this way would work completely for System.DirectoryServices.AccountManagement in the cross-domain scenario.

    >> If there is a white paper or FAQ about what 4.5 is doing, I will be happy to read through that, I just haven't been able to find it yet.

    It seems that there is not a detailed description of what 4.5 is doing; however, there are new features listed here compared with the 4.0 version, which you could check:

    http://msdn.microsoft.com/en-us/library/ms171868(v=vs.110).aspx#core

    Best Regards,

    Fred.



    • Marked as answer by Fred Bao Wednesday, August 27, 2014 10:11 AM
    Wednesday, August 20, 2014 6:37 AM
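Both approaches raised in the thread in one added C# example (not code from the original posts): an AccountManagement lookup pinned to a named domain controller over LDAPS, and a read-only lookup through the Global Catalog. The host names, the bind account, the container DN and the sAMAccountName are hypothetical placeholders; from the DMZ the firewall would need TCP 636 to the DC and TCP 3269 to the GC host.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// All host names, the bind account and "jdoe" below are hypothetical placeholders.
static class CrossDomainLookup
{
    // 1. AccountManagement against one named DC over LDAPS (TCP 636).
    //    SecureSocketLayer wraps the bind in TLS; Negotiate keeps Kerberos/NTLM
    //    instead of a simple (plaintext-password) bind. Naming the server pins the
    //    initial bind to that host, although, as the question notes, .NET 4.5 may
    //    still locate and contact other DCs of the user domain afterwards.
    public static string FindUserDnOnDc(string dcHost, string containerDn,
                                        string bindUser, string bindPassword,
                                        string samAccountName)
    {
        using (var ctx = new PrincipalContext(
            ContextType.Domain,
            dcHost + ":636",
            containerDn,                       // e.g. "DC=users,DC=example,DC=com"
            ContextOptions.Negotiate | ContextOptions.SecureSocketLayer,
            bindUser, bindPassword))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(
                ctx, IdentityType.SamAccountName, samAccountName);
            return user == null ? null : user.DistinguishedName;
        }
    }

    // 2. Read-only lookup through the Global Catalog over SSL (TCP 3269).
    //    The GC holds a partial attribute set for every object in the forest, so
    //    it answers forest-wide searches, but it cannot be used for writes.
    public static string FindUserDnInGc(string gcHost, string bindUser,
                                        string bindPassword, string samAccountName)
    {
        using (var root = new DirectoryEntry("GC://" + gcHost + ":3269", bindUser, bindPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeLdapFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    // Escape RFC 4515 filter metacharacters so caller-supplied input cannot alter the filter.
    static string EscapeLdapFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The GC lookup confirms the "query-only" reading of the Global Catalog: it will resolve the user's DN across domains, but any write still has to go to a DC of the user's own domain.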

All replies

  • Thanks Fred.  I find it really frustrating that this kind of a change isn't better documented (or documented at all). I'm pretty sure Global Catalogue is query-only, but I'll set up some test code and see. I think I'm going to have to try and escalate this up the Microsoft food chain.
    Thursday, August 21, 2014 4:51 PM
  • Hello,

    Any update? I have marked my own reply as answer since I think it would be helpful, if you think it provides no help, please unmark it.

    Thank you for your understanding and support.



    Wednesday, August 27, 2014 10:11 AM