GroupPrincipal.FindByIdentity error


I have a .NET 3.5 method that, given a user and a list of Active Directory groups, returns the subset of groups that the user belongs to. The code works at dozens of installations, but fails at one particular customer site. The code looks like this:

List<GroupAttrs> ret = new List<GroupAttrs>();

foreach (SymDomainInfo domain in domains)
{
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain.Name, adUser, adPwd))
    {
        foreach (GroupAttrs aGroup in grpAttrs)
        {
            if (aGroup.Available)
                continue;

            GroupPrincipal pGroup;

            try
            {
                pGroup = GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, aGroup.Authid);
            }
            catch (Exception e3)
            {
                Console.WriteLine("{3} finding group {0}/{4} in domain {1}: {2}", aGroup.Name, domain.Name, e3.Message, e3.GetType().Name, aGroup.Authid);

                if (e3.InnerException != null)
                    Console.WriteLine("\tInner {0}: {1}", e3.InnerException.GetType().Name, e3.InnerException.Message);

                continue;
            }

            if (pGroup != null)
            {
                Console.WriteLine("Found Group " + pGroup.DistinguishedName);
                FindUserInGroup(grpMap, identity.User, ret, pGroup);
            }
        }
    }
}

A GroupAttrs is our own database class that contains the name and SID (in the field AuthID) of an Active Directory group. The collection SymDomainInfos contains the name and paths of all the trusted domains in AD. And adUser and adPassword are the credentials of a domain user with authority to search AD.

Every iteration of the loop gives the same error:

System.ArgumentException: Value was invalid. Parameter name: sddlForm
at System.Security.Principal.SecurityIdentifier..ctor(String sddlForm)
at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRefHelper(Type principalType, String urnScheme, String urnValue, DateTime referenceDate, Boolean useSidHistory)
at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRef(Type principalType, String urnScheme, String urnValue, DateTime referenceDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at ADGroupsTest.Program.Main(String[] args)

We had one other customer for which this didn't work. The error was different, and that customer had deleted or disabled some of the default properties in Active Directory. When they restored those properties, the code began to work. So my guess is that this customer has configured their AD somehow such that GroupPrincipal.FindByIdentity will not work when called from a domain context.

So my question is this: does anybody know what type of AD (mis)configuration would lead to this particular error? Failing that, can anyone tell me what AD properties must be implemented for FindByIdentity to work in this case?
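The stack trace above shows the exception being raised inside the `SecurityIdentifier(string sddlForm)` constructor, which the AccountManagement code calls to parse the value passed as the SID before it ever queries the directory. That makes the stored `AuthID` strings at this site the first thing to verify. The helper below is an added diagnostic, not code from the question; the class and method names (`SidCheck`, `TryParseSid`, `FindGroupBySid`, `SidTextFromBinary`) are my own, and it assumes `AuthID` is stored as text. It parses each value exactly the way .NET does, reports the raw value (quoted, with its length, so stray whitespace or hidden characters become visible) when parsing fails, and only calls `GroupPrincipal.FindByIdentity` with a value that has already parsed. It is written against the .NET 3.5 language level used in the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added diagnostic helper (not part of the original question).
static class SidCheck
{
    // Returns true when the text is a well-formed SDDL SID such as
    // "S-1-5-21-...-512"; otherwise explains why it was rejected.
    public static bool TryParseSid(string text, out SecurityIdentifier sid, out string reason)
    {
        sid = null;

        if (text == null)
        {
            reason = "value is null";
            return false;
        }

        if (text != text.Trim())
        {
            reason = "value has leading or trailing whitespace: '" + text + "'";
            return false;
        }

        try
        {
            // This is the same constructor the question's stack trace shows failing.
            sid = new SecurityIdentifier(text);
            reason = null;
            return true;
        }
        catch (ArgumentException ex)
        {
            // Report the raw value and its length so non-printing characters show up.
            reason = ex.Message + " (value='" + text + "', length=" + text.Length + ")";
            return false;
        }
    }

    // Looks the group up only when the SID text validates; returns null otherwise
    // and logs the offending value instead of letting the constructor throw.
    public static GroupPrincipal FindGroupBySid(PrincipalContext ctx, string sidText)
    {
        SecurityIdentifier sid;
        string reason;

        if (!TryParseSid(sidText, out sid, out reason))
        {
            Console.WriteLine("Skipping group lookup, bad SID: " + reason);
            return null;
        }

        // sid.Value is the canonical SDDL string, so the directory receives
        // exactly what .NET parsed.
        return GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid.Value);
    }

    // If a site stores the SID in its binary form rather than as text (an
    // assumption; the question does not say how AuthID is stored), this is
    // the conversion to use before calling FindByIdentity.
    public static string SidTextFromBinary(byte[] binarySid)
    {
        return new SecurityIdentifier(binarySid, 0).Value;
    }
}
```

Replacing `GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, aGroup.Authid)` in the loop with `SidCheck.FindGroupBySid(ctx, aGroup.Authid)` keeps the rest of the loop unchanged and turns the generic "Value was invalid" message into a log line that shows exactly which stored value did not parse, which is the information needed to tell a data problem at that one site from a directory configuration problem.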
