I am using LdapAuthentication to log a user into Active Directory. I want to find all the groups that the user belongs to. I am using the following code:
string adPath = "LDAP://OU=HR Controlled Users,OU=All Users,DC=myDomain,DC=local";
LdapAuthentication adAuth = new LdapAuthentication(adPath);
try
{
if (true == adAuth.IsAuthenticated("myDomain", txtLoginEmail.Text, txtLoginPassword.Text))
{
string email = txtLoginEmail.Text;
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, email);
foreach (var group in user.GetGroups())
{
Console.WriteLine(group.Name);
}
}
}
}
catch(Exception e) { /* Handle Error */ }
My problem is that when I call UserPrincipal.FindByIdentity() I always get a null value, even though the user authentication works as intended.
Why is this happening? Is there a problem with the code or with my approach? This is running inside an ASP.NET 4.0 WebForms application.
Update:
Apparently I have been using the wrong IdentityType (cn). I checked in debug and the name of the account is “UserA”.
So I tried using the following code manually:
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, "UserA");
But still I get null.
Update 2 (solved):
The issue was two fold. I needed to specify the name of my domain controller when declaring the PrincipalContext.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "myDomain"))
{
// code here...
}
Then, when searching for the UserPrincipal I was using the wrong IdentityType; I was searching with IdentityType.Name – which is the name of the account – instead of IdentityType.SamAccountName – which is the username.
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, email);
Issue solved.
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
By using IdentityType.Name, you’re telling it that the value you’re passing is the name of the account (which is the cn attribute). If you want to match by username (the sAMAccountName atrribute), you’ll need to pass IdentityType.SamAccountName.
Old answer:
But you seem to be sending it the email address. So that will indeed always return nothing.
AD does not consider an email address to be a unique identifier, so you cannot use FindByIdentity with an email address.
Here is an example on how to search by email address: http://doogalbellend.blogspot.ca/2012/03/finding-userprincipal-for-email-address.html
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0