Principal.IsInRole ("AD Group Name") always returns false, no exception thrown

In the Web API Controller, I needed to define role membership using an AD group that contained members from multiple domains in a different forest.

this.RequestContext.Principal.IsInRole(roleName)

returns false and no error indications were found. However, the code above worked with other AD groups. Then I modified the code to iterate over this group and got an exception.

using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// ctx is the PrincipalContext for the domain, currentUserPrincipal the caller's
// UserPrincipal, and roles the list of role names being built for this request.
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, roleName);
if (group != null)
{
    // GetMembers() resolves every member of the group; this is the call that threw.
    foreach (Principal p in group.GetMembers())
    {
        if (p != null && currentUserPrincipal.UserPrincipalName == p.UserPrincipalName)
        {
            roles.Add(roleName);
            break;
        }
    }
}

The specified directory service attribute or value does not exist.

I figured the exception was thrown by a group member from a specific domain. I removed the said person and the code executed fine. I added another account of the same domain as the first one and the error returned.



1 answer


While searching for the given error message, I found the following SO question and answer. ... The highest-voted answer indicates:

When disabling the LDAP container property as described in PrincipalContext Class, the user executing the code must have read permissions on both the default container Users (i.e. CN=Users,DC=yourDomain,DC=COM) and the container Computers (i.e. CN=Computers,DC=yourDomain,DC=COM).



Using Active Directory Users and Computers I looked through the AD of the problem domain and could not see the container Computers. I contacted IS and informed them of this and they returned the directory to good condition. At this point, this.RequestContext.Principal.IsInRole(roleName) worked as expected and I was able to evaluate the role membership.

Edit: OMG! This also fixed an issue with the SharePoint User Profile service not syncing user data from members in the same domain. I have been trying for two years to track down the cause of a user profile error with no success.
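The lesson in the answer above is that IsInRole collapses a directory read failure into a plain false, which is indistinguishable from "not a member". The following is an added example (not the asker's or answerer's code) that makes the failure visible in two ways: a pre-check that the account running the code can read the default Users and Computers containers of a given domain, and a membership check that throws instead of silently denying when member resolution fails. Domain and group names are placeholders, and CheckDomainContainers and IsInGroupOrFail are hypothetical helper names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the original post. Domain and group names are
// placeholders; CheckDomainContainers and IsInGroupOrFail are hypothetical helpers.
public static class AdRoleDiagnostics
{
    // Verify that the account running this code can read the default Users and
    // Computers containers of a domain. PrincipalContext relies on both when no
    // explicit container is given; if either is missing or unreadable, IsInRole
    // quietly evaluates to false for groups with members from that domain.
    // Returns the LDAP paths that could not be read (empty list = all good).
    public static List<string> CheckDomainContainers(string domainDnsName)
    {
        var unreadable = new List<string>();

        // RootDSE exposes the domain's naming context, e.g. DC=yourDomain,DC=COM.
        string defaultNc;
        using (var rootDse = new DirectoryEntry("LDAP://" + domainDnsName + "/RootDSE"))
        {
            defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
        }

        foreach (string container in new[] { "CN=Users", "CN=Computers" })
        {
            string path = "LDAP://" + domainDnsName + "/" + container + "," + defaultNc;
            try
            {
                // Exists() binds with the caller's credentials and reads the object;
                // a missing container and a denied read both show up here.
                if (!DirectoryEntry.Exists(path))
                    unreadable.Add(path + " (does not exist)");
            }
            catch (Exception ex)
            {
                unreadable.Add(path + " (" + ex.GetType().Name + ": " + ex.Message + ")");
            }
        }
        return unreadable;
    }

    // Membership check that refuses to fail silently: a resolution failure is
    // raised to the caller (who should deny access and alert) rather than being
    // returned as a bare false.
    public static bool IsInGroupOrFail(PrincipalContext ctx, string groupName, string callerUpn)
    {
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (group == null)
                throw new InvalidOperationException("Group not found: " + groupName);

            try
            {
                // recursive = true also resolves members of nested groups, which is
                // where accounts from other domains in the forest commonly appear.
                foreach (Principal p in group.GetMembers(true))
                {
                    if (p is UserPrincipal &&
                        string.Equals(p.UserPrincipalName, callerUpn, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
                return false;
            }
            catch (PrincipalOperationException ex)
            {
                // "The specified directory service attribute or value does not exist"
                // lands here; name the group so an operator can run
                // CheckDomainContainers against each domain that contributes members.
                throw new InvalidOperationException(
                    "Could not resolve members of " + groupName + ": " + ex.Message, ex);
            }
        }
    }
}
```

Run CheckDomainContainers once per domain that contributes members to the group, under the same service account the Web API runs as; any non-empty result points at the container (or the permission on it) to fix before trusting IsInRole for that group.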
