Active Directory gives up group info for only SOME users

From: Bear
Date: Wed, 22 Jan 2003 12:02:37 -0500

Our ASP.NET app is secured with forms authentication and validates users
against Active Directory. Using one of the functions in the code below, we
can get group (role) information from Active Directory for SOME users but
not for all.

All users for whom we're requesting group information are registered in
Active Directory - they have passed the IsAuthenticated function below. The
app then calls the getUserGroups function below to retrieve group
information from Active Directory.

For a couple of users, we can retrieve group information, and if we change
their group membership at the server the changes are seen immediately when
the getUserGroups function below is called. However for other users, we
cannot retrieve any group information - the Active Directory "memberOf"
property returns nothing to the getUserGroups function below.

The couple of users for whom login works OK happen to be administrators with
various high-level privileges, but is this coincidental? Promoting
non-working user identities to all the same high-level rights (making them
members of the same groups such as admin, domain admin, etc.) still does not
make those users' groups available to our application.

This behaviour does not appear to be related to the WINDOWS login of the app
user. The behaviour occurs whether the tester/client user is logged into
WINDOWS as an administrator or as a user. For example, logged in to WINDOWS
as one of the identities which work OK in our app, he can log into our app
using either of the working user identities, but cannot log in as one of the
non-working user identities. Conversely, logged into WINDOWS as one of the
non-working identities he can log into the app as any of the working user
identities but not as any of the non-working identities. The application
runs on IIS under its own low-privilege user account.

What are we missing?


Imports System
Imports System.DirectoryServices
Imports System.Text

Public Class LDAPAuthentication

    Private _path As String
    Private _filterAttribute As String

    Public Sub New(ByVal path As String)
        _path = path
    End Sub 'New

    ' Binds to the directory with the supplied credentials; a failed bind throws.
    ' Note: username is concatenated into the LDAP filter without escaping, so
    ' characters such as * ( ) \ in the input change the meaning of the query.
    Public Function IsAuthenticated(ByVal domain As String, ByVal username As String, ByVal pwd As String) As Boolean

        Dim domainAndUsername As String = domain & "\" & username
        Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndUsername, pwd)

        Try
            ' Bind to the native AdsObject to force authentication.
            Dim obj As Object = entry.NativeObject

            Dim search As DirectorySearcher = New DirectorySearcher(entry)
            search.Filter = "(sAMAccountName=" & username & ")"
            search.PropertiesToLoad.Add("cn")

            Dim result As SearchResult = search.FindOne()
            If result Is Nothing Then
                Return False
            End If

            ' Update the path to point at the user object in the directory
            _path = result.Path
            _filterAttribute = CType(result.Properties("cn")(0), String)
        Catch ex As Exception
            Throw   ' rethrow without resetting the stack trace
        End Try

        Return True
    End Function 'IsAuthenticated

    ' getUserGroups
    ' purpose: return bar-separated list of group names read from the user's
    ' memberOf attribute. memberOf never lists the user's primary group
    ' (normally Domain Users) and does not expand nested group membership.
    Public Function getUserGroups() As String

        ' No credentials are passed here, so this entry binds with the identity
        ' of the process (the IIS application account), not with the user
        ' authenticated above; memberOf is only returned when that identity
        ' has read permission on the user object.
        Dim userEntry As DirectoryEntry = New DirectoryEntry(_path)
        Dim search As DirectorySearcher = New DirectorySearcher(userEntry)
        search.Filter = "(cn=" & _filterAttribute & ")"
        search.PropertiesToLoad.Add("memberOf")

        Dim groupNames As StringBuilder = New StringBuilder()

        Try
            Dim result As SearchResult = search.FindOne()

            ' for some users, result.Properties is NOT nothing
            ' but it contains no "memberOf" values
            If Not result Is Nothing AndAlso result.Properties.Contains("memberOf") Then

                Dim propertyCount As Int32 = result.Properties("memberOf").Count
                Dim propertyCounter As Int32

                For propertyCounter = 0 To propertyCount - 1
                    ' each value is a group DN such as CN=Group Name,OU=...,DC=...
                    Dim dn As String = CType(result.Properties("memberOf")(propertyCounter), String)

                    ' value of the first RDN: text between the first "=" and the
                    ' first ","; this is wrong for a CN containing an escaped comma
                    Dim equalsIndex As Int32 = dn.IndexOf("=", 1)
                    Dim commaIndex As Int32 = dn.IndexOf(",", 1)

                    If equalsIndex = -1 OrElse commaIndex = -1 Then
                        Return ""
                    End If

                    groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1))
                    groupNames.Append("|")
                Next propertyCounter

                ' strip off final "|" at end of groupNames
                Dim last As Int32 = groupNames.Length - 1
                If last > 0 Then
                    groupNames.Remove(last, 1)
                End If

            End If
        Catch ex As Exception
            Throw New Exception("Error obtaining group names. " & ex.Message, ex)
        End Try

        Return groupNames.ToString()
    End Function 'getUserGroups

End Class
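Two things a reviewer would want alongside the code in the post, added here as an example that is not part of the original message and not the poster's code: an RFC 4515 escape for the username before it is concatenated into the search filter (the post's IsAuthenticated builds "(SAMAccountName=" & username & ")" from raw input), and an RFC 4514-aware parse of the memberOf DNs, which the post's IndexOf("=")/IndexOf(",") split gets wrong for a group whose CN contains an escaped comma. It is written in Python rather than VB.NET so it runs without a directory server; the memberOf values are constructed samples, naive_group_name reproduces the post's split for comparison, and bar_separated_groups only reproduces the post's output shape.

```python
from typing import List

# RFC 4515 section 3: characters that must be escaped inside an LDAP filter
# assertion value so that user input cannot change the shape of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sam_account_filter(username: str) -> str:
    """Safe counterpart of the post's "(SAMAccountName=" & username & ")"."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def naive_group_name(dn: str) -> str:
    """The post's parse: text between the first '=' and the first ','."""
    equals_index = dn.find("=", 1)
    comma_index = dn.find(",", 1)
    if equals_index == -1 or comma_index == -1:
        return ""
    return dn[equals_index + 1:comma_index]


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name into RDN strings, honouring backslash escapes (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                        # an unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escapes: a backslash-quoted char, or a hex pair such as \\2c for ','."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))   # a hex pair is one UTF-8 byte
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(ch.encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def group_names_from_member_of(member_of: List[str]) -> List[str]:
    """Return the CN of every group DN in a memberOf value list."""
    names = []
    for dn in member_of:
        attr, _, raw = split_dn(dn)[0].partition("=")
        if attr.strip().lower() != "cn" or raw == "":
            raise ValueError("memberOf value does not start with a CN RDN: %r" % dn)
        names.append(unescape_rdn_value(raw))
    return names


def bar_separated_groups(member_of: List[str]) -> str:
    """Same output shape as the post's getUserGroups: names joined by '|'."""
    return "|".join(group_names_from_member_of(member_of))


# Constructed sample memberOf values (not taken from a real directory).
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Sales\\, EMEA,OU=Groups,DC=corp,DC=example",   # comma escaped with a backslash
    "CN=Ops\\2cNight,OU=Groups,DC=corp,DC=example",    # comma escaped as a hex pair
]

if __name__ == "__main__":
    print(sam_account_filter("*)(objectClass=*"))
    print(bar_separated_groups(SAMPLE_MEMBER_OF))
    print([naive_group_name(dn) for dn in SAMPLE_MEMBER_OF])
```

Run stand-alone it prints the escaped filter, the bar-separated list with the two escaped CNs recovered intact, and the post-style split returning "Sales\" and "Ops\2cNight" for the same input. Whatever the parsing, memberOf still omits the user's primary group and does not expand nested groups, so it is not a complete picture of the user's effective membership.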
