The Archive Base

Editorial Team
Asked: June 14, 2026 (2026-06-14T12:24:56+00:00)

In testing our .NET 4.0 application under .NET 4.5, we’ve encountered a problem with

In testing our .NET 4.0 application under .NET 4.5, we’ve encountered a problem with the FindByIdentity method for UserPrincipal. The following code works when run in a .NET 4.0 runtime, but fails under .NET 4.5:

[Test]
public void TestIsAccountLockedOut()
{
    const string activeDirectoryServer = "MyActiveDirectoryServer";
    const string activeDirectoryLogin = "MyADAccount@MyDomain";
    const string activeDirectoryPassword = "MyADAccountPassword";
    const string userAccountToTest = "TestUser@MyDomain";
    const string userPasswordToTest = "WRONGPASSWORD";

    var principalContext = new PrincipalContext(ContextType.Domain, activeDirectoryServer, activeDirectoryLogin, activeDirectoryPassword);

    var isAccountLockedOut = false;
    var isAuthenticated = principalContext.ValidateCredentials(userAccountToTest, userPasswordToTest, principalContext.Options);
    if (!isAuthenticated)
    {
        // System.DirectoryServices.AccountManagement.PrincipalOperationException : Information about the domain could not be retrieved (1355).
        using (var user = UserPrincipal.FindByIdentity(principalContext, IdentityType.UserPrincipalName, userAccountToTest))
        {
            isAccountLockedOut = (user != null) && user.IsAccountLockedOut();
        }
    }
    Assert.False(isAuthenticated);
    Assert.False(isAccountLockedOut);
}

Here is the exception stack trace:

System.DirectoryServices.AccountManagement.PrincipalOperationException : Information about the domain could not be retrieved (1355).
   at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.GetAsPrincipal(Object storeObject, Object discriminant)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRefHelper(Type principalType, String urnScheme, String urnValue, DateTime referenceDate, Boolean useSidHistory)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRef(Type principalType, String urnScheme, String urnValue, DateTime referenceDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

Has anyone else seen and resolved this problem? If not, is there a better way for us to check the IsAccountLockedOut status for an Active Directory account?

For reference, all of our test machines are within the same subnet. There are separate ActiveDirectory servers running Windows Server 2003, 2008 and 2012, in a variety of domain functional modes (see below). The code works from machines running .NET 4.0, but fails from machines running .NET 4.5.

The three .NET machines we ran the code from are:
– Windows 7 running .NET 4.0
– Windows Vista running .NET 4.5
– Windows Server 2012 running .NET 4.5

The Active Directory servers we’ve tried are:
– Windows 2003 with AD Domain Functional Mode set to Windows 2000 native
– Windows 2003 with AD Domain Functional Mode set to Windows Server 2003
– Windows 2008 with AD Domain Functional Mode set to Windows 2000 native
– Windows 2008 with AD Domain Functional Mode set to Windows Server 2003
– Windows 2008 with AD Domain Functional Mode set to Windows Server 2008
– Windows 2012 with AD Domain Functional Mode set to Windows 2012

All of those Active Directory servers are configured as a simple, single forest, and the client machines are not part of the domain. They are not used for any other function than to test this behavior, and aren’t running anything other than Active Directory.


EDIT – 9 Oct 2012

Thanks to everyone that replied. Below is a C# command-line client that demonstrates the problem, and a short-term workaround that we identified that didn’t require us to change anything about the Active Directory and DNS configurations. It appears that the exception is only thrown once with an instance of the PrincipalContext. We included the outputs for a .NET 4.0 machine (Windows 7) and a .NET 4.5 machine (Windows Vista).

using System;
using System.DirectoryServices.AccountManagement;

namespace ADBug
{
    class Program
    {
        static void Main(string[] args)
        {
            const string activeDirectoryServer = "MyActiveDirectoryServer";
            const string activeDirectoryLogin = "MyADAccount";
            const string activeDirectoryPassword = "MyADAccountPassword";
            const string validUserAccount = "TestUser@MyDomain.com";
            const string unknownUserAccount = "UnknownUser@MyDomain.com";

            var principalContext = new PrincipalContext(ContextType.Domain, activeDirectoryServer, activeDirectoryLogin, activeDirectoryPassword);

            // .NET 4.0 - First attempt with a valid account finds the user
            // .NET 4.5 - First attempt with a valid account fails with a PrincipalOperationException
            TestFindByIdentity(principalContext, validUserAccount, "Valid Account - First Attempt");
            // Second attempt with a valid account finds the user
            TestFindByIdentity(principalContext, validUserAccount, "Valid Account - Second Attempt");
            // First attempt with an unknown account does not find the user
            TestFindByIdentity(principalContext, unknownUserAccount, "Unknown Account - First Attempt");
            // Second attempt with an unknown account does not find the user (testing false positive)
            TestFindByIdentity(principalContext, unknownUserAccount, "Unknown Account - Second Attempt");
            // Subsequent attempt with a valid account still finds the user
            TestFindByIdentity(principalContext, validUserAccount, "Valid Account - Third Attempt");
        }

        private static void TestFindByIdentity(PrincipalContext principalContext, string userAccountToTest, string message)
        {
            var exceptionThrown = false;
            var userFound = false;
            try
            {
                using (var user = UserPrincipal.FindByIdentity(principalContext, IdentityType.UserPrincipalName, userAccountToTest))
                {
                    userFound = (user != null);
                }
            }
            catch (PrincipalOperationException)
            {
                exceptionThrown = true;
            }
            Console.Out.WriteLine(message + " - Exception Thrown  = {0}", exceptionThrown);
            Console.Out.WriteLine(message + " - User Found = {1}", userAccountToTest, userFound);
        }
    }
}

.NET 4.0 Output

Valid Account - First Attempt - Exception Thrown  = False
Valid Account - First Attempt - User Found = True
Valid Account - Second Attempt - Exception Thrown  = False
Valid Account - Second Attempt - User Found = True
Unknown Account - First Attempt - Exception Thrown  = False
Unknown Account - First Attempt - User Found = False
Unknown Account - Second Attempt - Exception Thrown  = False
Unknown Account - Second Attempt - User Found = False
Valid Account - Third Attempt - Exception Thrown  = False
Valid Account - Third Attempt - User Found = True

.NET 4.5 Output

Valid Account - First Attempt - Exception Thrown  = True
Valid Account - First Attempt - User Found = False
Valid Account - Second Attempt - Exception Thrown  = False
Valid Account - Second Attempt - User Found = True
Unknown Account - First Attempt - Exception Thrown  = False
Unknown Account - First Attempt - User Found = False
Unknown Account - Second Attempt - Exception Thrown  = False
Unknown Account - Second Attempt - User Found = False
Valid Account - Third Attempt - Exception Thrown  = False
Valid Account - Third Attempt - User Found = True
1 Answer

  1. Editorial Team
    Added an answer on June 14, 2026 at 12:24 pm (2026-06-14T12:24:57+00:00)

    To the OP (and anyone else that helped with replies): we have (had) the same exact issue. In our development environment, installed VS2012 and our app broke at runtime during login (AD issue as pointed out above). So I had my system wiped and continued using 2010, all the while shedding a tear every time I'd read a new blog post about how awesome 2012 is blah blah.

    So I found this thread thanks to Scott Hanselman. I installed a VM on my development box, Windows 8 developer 90-day preview on it, and VS2012. Got our application up and running and immediately was hit with the login AD snag. Simply wrapped our FindByIdentity in a try catch and forced it to try again after the first catch – and voilà, it works!! So thanks to whoever figured that little trick out!!

    So, it's a minor fix, and a “hack” that works for local development, and shouldn’t affect production since we aren’t putting 4.5 on production any time soon.

    But the downside is that locally, logging in now takes like 2 minutes versus seconds when we ran under 2010 🙁

    I don’t really know what else I can provide to actually try to help solve the situation, but figured I'd share my 2 cents anyway since this still appears to be a major issue.

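The retry workaround described in the question's edit and in the answer above, written out as an added example (not code from the original post or answer). The `LockoutCheck` class, the `IsLockedOut` helper and its `maxAttempts` parameter are hypothetical names, and the server and account strings are the question's placeholders. It returns a nullable result so that a failed directory lookup is never reported as "not locked out".

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class LockoutCheck
{
    // Hypothetical helper: true/false when the lockout state was read (false
    // also covers "account not found"), null when every lookup attempt failed.
    public static bool? IsLockedOut(PrincipalContext context, string upn, int maxAttempts = 2)
    {
        for (var attempt = 1; attempt <= maxAttempts; attempt++)
        {
            try
            {
                using (var user = UserPrincipal.FindByIdentity(context, IdentityType.UserPrincipalName, upn))
                {
                    return user != null && user.IsAccountLockedOut();
                }
            }
            catch (PrincipalOperationException ex)
            {
                // Under .NET 4.5 the first call on a context can throw error 1355;
                // log it and let the loop retry on the same context.
                Console.Error.WriteLine("FindByIdentity attempt {0} failed: {1}", attempt, ex.Message);
            }
        }
        return null; // state unknown: the caller decides how to fail
    }

    static void Main()
    {
        // Placeholder server and credentials, as in the question's sample.
        using (var context = new PrincipalContext(ContextType.Domain,
            "MyActiveDirectoryServer", "MyADAccount", "MyADAccountPassword"))
        {
            var lockedOut = IsLockedOut(context, "TestUser@MyDomain.com");
            Console.WriteLine(lockedOut.HasValue
                ? "Locked out = " + lockedOut.Value
                : "Lockout state unknown (lookup failed)");
        }
    }
}
```

The retry is bounded and each failure is logged, so a persistent directory or DNS problem surfaces as an unknown state instead of being swallowed.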
