Why does UserPrincipal.GetAuthorizationGroups() fail for one principal but not the other?

I am running the following code on an ASP.Net MVC website:

    using (var ctx = new PrincipalContext(ContextType.Domain, DOMAIN))
    using (var userPrincipal = UserPrincipal.FindByIdentity(ctx, principal.Identity.Name))
    using (var groups = userPrincipal.GetAuthorizationGroups())

The code uses a custom RoleProvider and the `principal` variable is HttpContext.Current.User. DOMAIN is my local domain.

This code works fine when I log in to the site, but throws an exception on the last line if I log in as one of several test users.

    While trying to retrieve the authorization groups, an error (5) occurred.

The test users have fewer domain permissions, but are users in Active Directory. I tried to create a PrincipalContext with an alternate constructor supplying my username and password, but this did not affect the behavior.

This happens on both my dev machine and a separate staging server, so I don't think it has anything to do with local permissions. I also don't see how this might have to do with user permissions, as I expect the Active Directory request to be made as the IIS application pool user (impersonation disabled) or possibly the user specified in the PrincipalContext constructor.

Any suggestions as to what's going on are greatly appreciated.

+3




1 answer


It is not enough that they are users in Active Directory. The IIS application pool user must be a member of the Windows Authorization Access Group to perform GetAuthorizationGroups.



The answer is here: An error occurred while trying to get the authorization groups (5)

+3
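
One way to check the membership the answer describes, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder account name (`svc-webapp`); an application pool running under a built-in identity authenticates on the network as the machine account (`MACHINE$`).

```powershell
# Added example (not from the original answer).
# Assumes the ActiveDirectory module and rights to read (and, with -Fix, modify) the group.
param(
    # sAMAccountName the application pool uses on the network (placeholder value):
    # a domain service account, or MACHINE$ for built-in pool identities.
    [string]$AppPoolAccount = 'svc-webapp',
    # Add the account to the group when it is missing.
    [switch]$Fix
)

Import-Module ActiveDirectory

# Well-known SID of "Windows Authorization Access Group"; avoids localized group names.
$group = Get-ADGroup -Identity 'S-1-5-32-560'

$account = Get-ADObject -LDAPFilter "(sAMAccountName=$AppPoolAccount)"
if (-not $account) { throw "Account '$AppPoolAccount' was not found in the domain." }

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) also matches nested membership.
$filter = "(&(sAMAccountName=$AppPoolAccount)" +
          "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName)))"
$isMember = [bool](Get-ADObject -LDAPFilter $filter)

if ($isMember) {
    "$AppPoolAccount is already a member of '$($group.Name)'."
}
elseif ($Fix) {
    Add-ADGroupMember -Identity $group -Members $account.DistinguishedName
    "Added $AppPoolAccount to '$($group.Name)'."
}
else {
    "$AppPoolAccount is NOT a member of '$($group.Name)'; GetAuthorizationGroups can fail with error 5."
}
```

A changed membership applies to new logon sessions, so restart the application pool (or the server, when the pool runs as the machine account) before retesting.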

