UserPrincipal.GetGroups throws exception if user distinguishedName has a slash #29090

Open
gabeluci opened this Issue Apr 13, 2018 · 0 comments

gabeluci commented Apr 13, 2018

For AD user objects that have a forward slash in the distinguished name, UserPrincipal.GetGroups throws an exception:

System.Runtime.InteropServices.COMException: Unknown error (0x80005000)

The forward slash might be in the CN of the object, or in any OU in the path of the DN, for example:

CN=test user,OU=Test / OU,OU=Users,DC=domain,DC=com

or

CN=test/user,OU=Users,DC=domain,DC=com

Tested with:

  • .NET Core 2.0
  • System.DirectoryServices.AccountManagement 4.5.0-preview2-26406-04

Here is the test code:

using System;
using System.Linq;
using System.DirectoryServices.AccountManagement;

var domain = "domain.com";
var username = "username"; // user with a slash in the distinguishedName
var domainContext = new PrincipalContext(ContextType.Domain, domain);
var user = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, username);

// The user was found, so this works
Console.WriteLine("User Found: {0}", user.DistinguishedName);

// This causes COMException: Unknown error 0x80005000
var output = user.GetGroups().ToList();

The problem seems to be line 1218 of ADStoreCtx.cs:

roots.Add(new DirectoryEntry("GC://" + gc.Name + "/" + p.DistinguishedName, this.credentials != null ? this.credentials.UserName : null, this.credentials != null ? this.credentials.Password : null, this.AuthTypes));

This is putting the distinguished name into an LDAP path without escaping the slashes in the DN. I enabled debugging for .NET code, and after that line, I changed the Path value of the resulting DirectoryEntry using the debugger to add the escaped slash and it ran successfully. So I believe that line can be fixed with a Replace():

roots.Add(new DirectoryEntry("GC://" + gc.Name + "/" + p.DistinguishedName.Replace("/", "\\/"), this.credentials != null ? this.credentials.UserName : null, this.credentials != null ? this.credentials.Password : null, this.AuthTypes));

There may be other places in the code where this should be taken into account as well: anywhere that a distinguished name is being dropped into an LDAP path, like possibly line 1830 in that same file (although I haven't tested that - I just searched the file for "://"). Maybe elsewhere too.

This is a bug in the full .NET Framework too, but I'm not sure where to report bugs for the full framework. If you can let me know, I don't mind reporting there too.

This came from a question in StackOverflow: https://stackoverflow.com/questions/49805255/0x80005000-unknown-error-on-userprincipal-getgroups-with-special-characters-in-o/49816959
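Added example, not code from the issue or from the corefx repository: a small helper that builds the GC:// ADsPath from a server name and a distinguished name, escaping forward slashes as the proposed fix does, but walking the string so that a slash already written as `\/` is not escaped twice. The server name gc.domain.com and the third DN are constructed for illustration.

```csharp
using System;
using System.Text;

static class AdsPathBuilder
{
    // Escape '/' for use inside an ADsPath such as "GC://server/<dn>", where an
    // unescaped slash would be read as the server/DN separator. Existing escape
    // pairs ("\/", "\,", "\\", ...) are copied through unchanged.
    public static string EscapeDnForAdsPath(string dn)
    {
        var sb = new StringBuilder(dn.Length + 8);
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
            {
                // Already-escaped character: keep both the backslash and what follows.
                sb.Append(c).Append(dn[i + 1]);
                i++;
            }
            else if (c == '/')
            {
                sb.Append("\\/");
            }
            else
            {
                sb.Append(c);
            }
        }
        return sb.ToString();
    }

    // Equivalent of the path string built in ADStoreCtx.cs, with the DN escaped.
    public static string GlobalCatalogPath(string gcServer, string dn)
        => "GC://" + gcServer + "/" + EscapeDnForAdsPath(dn);

    static void Main()
    {
        // Constructed DNs: the two shapes reported in the issue plus one that is
        // already escaped, to show the helper does not double-escape it.
        string[] dns =
        {
            "CN=test user,OU=Test / OU,OU=Users,DC=domain,DC=com",
            "CN=test/user,OU=Users,DC=domain,DC=com",
            "CN=already\\/escaped,OU=Users,DC=domain,DC=com",
        };
        foreach (var dn in dns)
            Console.WriteLine(GlobalCatalogPath("gc.domain.com", dn)); // gc.domain.com is a placeholder
    }
}
```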

@gabeluci gabeluci changed the title UserPrincipal.GetGroups throws exception if OU has a slash in the name UserPrincipal.GetGroups throws exception if user distinguishedName has a slash Apr 13, 2018

@karelz karelz added this to the Future milestone Apr 13, 2018
