Hi,
We have an application that needs to query for group membership in a second domain. This works fine from our thick client, but not from IIS using identical code.
Basically our client's setup is that they have two domains, one where they define users (dom1) and another where they define groups (dom2). We need to be able to query group membership within dom2 for a dom1 user. Eventually I got the code working in the thick client by retrieving the SID of the dom1 user, and then using that SID to query for groups in dom2:
(&(objectCategory=group)(member=CN=<user's SID>,CN=ForeignSecurityPrincipals,DC=dom2))
This is the code that works in the thick client but not when running under IIS:
    using System.DirectoryServices;

    void GetGroups(string userSid, string path, string userName)
    {
        // Bind to the dom2 search root. Username is set, but no Password is
        // available at this point (see below).
        DirectoryEntry directoryEntry = new DirectoryEntry();
        directoryEntry.Path = path;
        directoryEntry.Username = userName;

        DirectorySearcher directorySearchGroup = new DirectorySearcher();
        directorySearchGroup.SearchRoot = directoryEntry;

        // Groups in dom2 whose member attribute holds the foreign security
        // principal (FSP) object that represents the dom1 user's SID.
        // Note the closing parenthesis on the filter, which balances the "(&".
        directorySearchGroup.Filter = string.Format(
            "(&(objectCategory=group)(member=CN={0},CN=ForeignSecurityPrincipals,DC=dom2))",
            userSid);

        // Dispose the result collection: FindAll() leaks handles otherwise.
        using (SearchResultCollection searchResultGroups = directorySearchGroup.FindAll())
        {
            foreach (SearchResult searchResultGroup in searchResultGroups)
            {
                DoSomething();
            }
        }
    }
The main difference that I can see is that the application pool under IIS will be running under a different user account from the one that is being queried for, whereas in the thick client it will be the logged-in Windows user that is being sought. So in the IIS case, the application pool is running under dom1.user1 and querying for group membership in dom2 for dom1.user2, and in the thick client dom1.userA is logged in and we are querying dom1.userA in dom2.
The error encountered in the IIS case is:
System.Runtime.InteropServices.COMException (0x8007052E): Logon failure: unknown user name or bad password.
Call stack:
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
    at System.DirectoryServices.DirectorySearcher.FindAll()
I imagine it would work if we set the Password property of the DirectoryEntry object; however, this is of course not available at the time. Does the account that the IIS application pool is running under need to be a domain admin user or have any other elevated permissions in order to be allowed to query for group membership of any dom1 user within dom2?
We are trying to find out whether our client has full trust established between the two domains or just a one-way trust, but I imagine this can't be the cause of the problem, as it works from the thick client. However, my knowledge of AD is fairly limited.
We are using .Net 2.0.
Any help would be hugely appreciated! Please let me know if any further information would be useful.
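The following is an added example for isolating the bind problem described in the question; it is not the poster's code. It separates the two things that are mixed together in the original method: how the DirectoryEntry binds, and what the filter searches for. A DirectoryEntry with a Username but no Password is an explicit-credential bind with an empty password, not a pass-through of the process identity, so the example binds either with no credentials at all (the IIS application pool account, or the logged-in user in the thick client) or with both a user name and a password for a dedicated, read-only service account. It also validates that the caller-supplied value really is a SID before it is spliced into the LDAP filter, so that unexpected input cannot change the filter's meaning. The LDAP path "LDAP://dom2/DC=dom2", the service account name "svc-grouplookup" and the sample SID are hypothetical; the filter and the FSP container are the ones from the question. The code targets .NET 2.0 (no LINQ, no var).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not the poster's code. Hypothetical values: the dom2 LDAP path,
// the "svc-grouplookup" service account and the sample SID below.
public static class ForeignGroupLookup
{
    // Reject anything that is not a well-formed SID string before it is spliced
    // into an LDAP filter. A SID string ("S-1-5-21-...") contains none of the
    // characters that RFC 4515 requires to be escaped, so this check is what keeps
    // caller-supplied input from altering the filter.
    public static bool IsSidString(string sid)
    {
        if (sid == null) return false;
        try { new SecurityIdentifier(sid); return true; }
        catch (ArgumentException) { return false; }
    }

    // Same filter as in the question, with balanced parentheses.
    public static string BuildFilter(string userSid)
    {
        if (!IsSidString(userSid))
            throw new ArgumentException("not a SID string", "userSid");
        return "(&(objectCategory=group)(member=CN=" + userSid +
               ",CN=ForeignSecurityPrincipals,DC=dom2))";
    }

    // serviceUser == null: bind with the process identity (the app pool account
    // under IIS, the logged-in user in the thick client). Otherwise bind with an
    // explicit user name AND password. Never set Username alone: ADSI then tries
    // an explicit bind with an empty password, which fails with 0x8007052E.
    public static List<string> GetGroupNames(string dom2Path, string userSid,
                                             string serviceUser, string servicePassword)
    {
        DirectoryEntry root = (serviceUser == null)
            ? new DirectoryEntry(dom2Path, null, null, AuthenticationTypes.Secure)
            : new DirectoryEntry(dom2Path, serviceUser, servicePassword, AuthenticationTypes.Secure);

        List<string> names = new List<string>();
        using (root)
        using (DirectorySearcher searcher =
                   new DirectorySearcher(root, BuildFilter(userSid), new string[] { "cn" }))
        // FindAll() leaks handles unless the collection is disposed.
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult result in results)
                names.Add((string)result.Properties["cn"][0]);
        }
        return names;
    }

    public static void Main()
    {
        string dom2Path = "LDAP://dom2/DC=dom2";               // hypothetical
        string userSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"; // hypothetical

        // Run this from the application pool identity: if the credential-less
        // bind succeeds, the original error was the empty-password bind, not a
        // missing permission on dom2.
        Console.WriteLine("Bind as process identity: " + IsSidString(userSid));
        foreach (string name in GetGroupNames(dom2Path, userSid, null, null))
            Console.WriteLine("  member of: " + name);

        // Only if the process identity cannot reach dom2: a dedicated low-privilege
        // account that can read group objects (no domain admin rights needed for a
        // read), with the password supplied from configuration, never hard-coded.
        // string svcPassword = ReadFromProtectedConfig();   // hypothetical
        // GetGroupNames(dom2Path, userSid, @"dom1\svc-grouplookup", svcPassword);
    }
}
```

Reading group membership is a directory read, so whichever identity binds only needs read access to the group objects in dom2; a domain admin account in the application pool is unnecessary and widens the blast radius of any flaw in the web application. If the dedicated account is used, keep its credentials out of source control (for example in an encrypted configuration section) and grant it nothing beyond read.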