I have problems with the UserPrincipal.GetGroups() and GetAuthorizationGroups() methods. Sometimes it works, sometimes not. The problem is that in the unsuccessful cases the method contacts a bad AD domain. My dev PC is connected to the company domain and I want to get groups for a user in another, test domain, which the PC isn't in.
My code:
var ctx = new PrincipalContext(ContextType.Domain, "test.int", "user1@test.int", "pwd123");
ctx.ValidateCredentials("user1@test.int", "pwd123"); // always returns true
var adUser = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "user1@test.int");
var groups = adUser.GetAuthorizationGroups(); // sometimes throws an exception...
It raises ActiveDirectoryServerDownException – RPC server is unavailable. It is because in this case the method call tried to communicate with a company DC server, not with the test domain!
My dev environment:
- server: DC+DNS server W2003, single-DC domain "test.int"; the DNS has the "company.int" DNS as its forwarders, but the same problem occurs if the forwarders are disabled.
- my PC: connected to the "company.int" domain, uses only the DNS server of the test DC, same LAN network as the server.
I haven't found a way to force it to always connect to the test DC server.
GetAuthorizationGroups() won't work if you are from an untrusted domain. It is because underneath it's calling Authz.dll. I just tried it in my two test domains without trust. It fails and throws me an exception with the following callstack. I disassembled System.DirectoryServices.AccountManagement.dll. Here is the code. I think it's failing at AuthzInitializeContextFromSid. As you can see above, the NetCred credentials are passed in and never used. It's calling AuthzInitializeContextFromSid right away. If you check MSDN, they have the following disclaimer. I cannot explain why it sometimes works in your environment and sometimes doesn't. It's always not working in my environment. I guess one possible reason is that you visited the untrusted domain controller from your workstation and pressed "store credentials". This will store the network credentials, and whenever you contact that particular machine, Windows will automatically use the stored credentials for you. Another possible reason is that you are using the same password with the same username in those two domains.
To work around the problem, I simply use GetGroups() on the user and then call GetGroups() on all its groups. Repeat it until you reach the top-level group. You may also like to check if it's a security group. You may like to simply skip all the distribution groups. The GetGroups() method returns you both security groups and distribution groups.
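The recursive GetGroups() workaround described in the answer, written out as an added example (this is not the answerer's code). It reuses the PrincipalContext, domain name and credentials from the question; the class and method names are mine. Visited SIDs are tracked so that circular nesting (group A in B, B in A) terminates, and distribution groups are neither reported nor expanded, since the goal is the set of groups that matter for authorization.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example: replaces GetAuthorizationGroups() (which the answer says
// depends on Authz.dll and fails against an untrusted domain) with a
// recursive walk over GetGroups(), which only needs LDAP to the test DC.
static class NestedGroupWalker
{
    // Returns every security group the principal belongs to, directly or
    // through nested security groups. The caller owns (and disposes) the results.
    public static IList<GroupPrincipal> GetNestedSecurityGroups(Principal principal)
    {
        var result = new List<GroupPrincipal>();
        var visited = new HashSet<SecurityIdentifier>();
        Walk(principal, visited, result);
        return result;
    }

    private static void Walk(Principal current,
                             HashSet<SecurityIdentifier> visited,
                             List<GroupPrincipal> result)
    {
        // GetGroups() returns direct memberships only, so each group is expanded in turn.
        using (PrincipalSearchResult<Principal> direct = current.GetGroups())
        {
            foreach (Principal p in direct)
            {
                var group = p as GroupPrincipal;

                // Skip non-groups, groups already expanded (cycle guard), and
                // distribution groups. IsSecurityGroup is bool?; null means the
                // attribute could not be read, which is treated as "not a security group".
                if (group == null || !visited.Add(group.Sid) || group.IsSecurityGroup != true)
                {
                    p.Dispose();
                    continue;
                }

                result.Add(group);
                Walk(group, visited, result);
            }
        }
    }

    static void Main()
    {
        // Context construction copied from the question (test domain, explicit credentials).
        using (var ctx = new PrincipalContext(ContextType.Domain, "test.int", "user1@test.int", "pwd123"))
        using (var adUser = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "user1@test.int"))
        {
            if (adUser == null)
            {
                Console.Error.WriteLine("user not found in test.int");
                return;
            }

            foreach (GroupPrincipal g in GetNestedSecurityGroups(adUser))
            {
                Console.WriteLine("{0}\t{1}", g.SamAccountName, g.Sid);
                g.Dispose();
            }
        }
    }
}
```

One caveat a practitioner should keep in mind: GetGroups() resolves memberships held in the context's own domain, so groups from other domains that the user belongs to through a trust will not appear in this walk, whereas GetAuthorizationGroups() would include them when it works.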