The following works great on my local development box. However when I move it to the web server it fails and will not even log the error:
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

// Note: the userName parameter is never used; UserPrincipal.Current resolves
// the identity the current thread is running as (the impersonated caller under IIS).
public static List<string> getAuthorizationGrps(string userName)
{
    List<string> grps = new List<string>();
    try
    {
        PrincipalSearchResult<Principal> groups = UserPrincipal.Current.GetGroups();
        IEnumerable<string> groupNames = groups.Select(x => x.SamAccountName);
        foreach (var name in groupNames)
        {
            grps.Add(name.ToString());
        }
        return grps;
    }
    catch (Exception ex)
    {
        Log.WriteLog("Error in retrieving form data: " + ex.Message);
    }
    // Without this the method does not compile: not all code paths return a value.
    return grps;
}
Are there permissions that I must set on the web server to query the groups? I can get the current user with no problem both locally and on the web server.
Any ideas would be greatly appreciated, I have been fighting this for 2 days now.
I assume this is your environment:
Unless you are running the Web Browser and Web Server, or the Web Server and Domain Controller, on the same machine, you need to set up Kerberos delegation to make the above code work. I am guessing your dev box is working because you are running the Web Browser and Web Server on the same machine. You can easily find tons of articles teaching you how to configure Kerberos delegation for IIS and ASP.NET from Google. Here is one example. I won't cover the details here. The point is that your ASP.NET application is impersonating the client credentials and trying to use those client credentials to query Active Directory. If you don't have delegation set up properly, Windows will think that your impersonated credentials cannot access the network. In your case, you cannot access the Domain Controller. This is a security measure. It's just to make sure the server cannot do things on behalf of the end user on the network unless it's explicitly granted permission to do that.
Another solution is to change your code. So, before you call GetGroups, you undo the impersonation and become the IIS AppPool account again. If your AppPool account is configured to be a domain account which has enough permission to read Active Directory, then you can query Active Directory for the groups of the user.
Here is a blog talking about this. This is the code that I think should work without any Kerberos delegation setup. I didn't test it though.
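The second approach from the answer above (revert the impersonation, then query the directory as the application pool account), written out as an added example; it is not the answer author's untested code. It assumes the AppPool identity is a domain account with read access to the directory and that the class name AuthorizationGroups is free to use.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Added example: look up a user's groups with the process (AppPool) identity
// instead of the impersonated client, so no Kerberos delegation is needed.
public static class AuthorizationGroups
{
    public static List<string> GetAuthorizationGroups(string userName)
    {
        // Impersonating a zero token reverts this thread to the process identity
        // (the IIS AppPool account) until the context is disposed.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            // Bind to the domain with the AppPool account's own credentials.
            // That account (assumed here to be a domain account) must be allowed
            // to read group membership; the end user's token is not used at all.
            using (var ctx = new PrincipalContext(ContextType.Domain))
            {
                UserPrincipal user = UserPrincipal.FindByIdentity(
                    ctx, IdentityType.SamAccountName, userName);
                if (user == null)
                {
                    // Unknown user: return an empty list rather than granting anything.
                    return new List<string>();
                }

                using (user)
                using (PrincipalSearchResult<Principal> groups = user.GetGroups())
                {
                    return groups
                        .Select(g => g.SamAccountName)
                        .Where(name => !string.IsNullOrEmpty(name))
                        .ToList();
                }
            }
        } // Disposing the context restores the impersonated client identity.
    }
}
```

Because the lookup now runs as the AppPool account, the userName parameter is used to pick the user explicitly, whereas UserPrincipal.Current in the original would resolve to the AppPool account itself after the revert.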