UserPrincipal.GetGroups throws exception if user distinguishedName has a slash #25887

Open
gabeluci opened this issue Apr 13, 2018 · 3 comments

@gabeluci gabeluci commented Apr 13, 2018

For AD user objects that have a forward slash in the distinguished name, UserPrincipal.GetGroups throws an exception:

System.Runtime.InteropServices.COMException: Unknown error (0x80005000)'

The forward slash might be in the CN of the object, or in any OU in the path of the DN, for example:

CN=test user,OU=Test / OU,OU=Users,DC=domain,DC=com

or

CN=test/user,OU=Users,DC=domain,DC=com

Tested with:

  • .NET Core 2.0
  • System.DirectoryServices.AccountManagement 4.5.0-preview2-26406-04

Here is the test code:

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

var domain = "domain.com";
var username = "username"; // user with a slash in the distinguishedName
var domainContext = new PrincipalContext(ContextType.Domain, domain);
var user = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, username);

// The user was found so this works
Console.WriteLine("User Found: {0}", user.DistinguishedName);

// This causes COM Exception: Unknown Error 0x80005000
var output = user.GetGroups().ToList();
```

The problem seems to be line 1218 of ADStoreCtx.cs:

```csharp
roots.Add(new DirectoryEntry("GC://" + gc.Name + "/" + p.DistinguishedName, this.credentials != null ? this.credentials.UserName : null, this.credentials != null ? this.credentials.Password : null, this.AuthTypes));
```

This is putting the distinguished name into an LDAP path without escaping the slashes in the DN. I enabled debugging for .NET code, and after that line, I changed the Path value of the resulting DirectoryEntry using the debugger to add the escaped slash and it ran successfully. So I believe that line can be fixed with a Replace():

```csharp
roots.Add(new DirectoryEntry("GC://" + gc.Name + "/" + p.DistinguishedName.Replace("/", "\\/"), this.credentials != null ? this.credentials.UserName : null, this.credentials != null ? this.credentials.Password : null, this.AuthTypes));
```

There may be other places in the code where this should be taken into account as well: anywhere that a distinguished name is being dropped into an LDAP path, like possibly line 1830 in that same file (although I haven't tested that - I just searched the file for "://"). Maybe elsewhere too.

This is a bug in the full .NET Framework too, but I'm not sure where to report bugs for the full framework. If you can let me know, I don't mind reporting there too.

This came from a question in StackOverflow: https://stackoverflow.com/questions/49805255/0x80005000-unknown-error-on-userprincipal-getgroups-with-special-characters-in-o/49816959

@gabeluci gabeluci changed the title UserPrincipal.GetGroups throws exception if OU has a slash in the name UserPrincipal.GetGroups throws exception if user distinguishedName has a slash Apr 13, 2018
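
Added example, not part of the issue thread or the runtime source: a sketch of the escaping step the report describes, for code that places a directory-supplied distinguished name into an ADsPath. It goes slightly beyond the one-line `Replace()` by leaving a slash that is already backslash-escaped untouched. The names `AdsPathExample`, `EscapeDnForAdsPath` and `BuildGcPath` and the server name `gc.domain.com` are hypothetical; the first two sample DNs are from the report and the last two are constructed.

```csharp
using System;
using System.Text;

static class AdsPathExample
{
    // Hypothetical helper: prefix each unescaped '/' in a DN with a backslash
    // so ADSI does not read it as an ADsPath separator.
    public static string EscapeDnForAdsPath(string dn)
    {
        if (dn == null) throw new ArgumentNullException(nameof(dn));

        var sb = new StringBuilder(dn.Length + 4);
        bool escaped = false; // true when the previous char was an unpaired backslash

        foreach (char c in dn)
        {
            // Only add a backslash when the slash is not already escaped;
            // a blind Replace would turn "\/" into "\\/" and expose the slash again.
            if (c == '/' && !escaped) sb.Append('\\');
            sb.Append(c);
            escaped = (c == '\\') && !escaped;
        }
        return sb.ToString();
    }

    // Hypothetical helper mirroring the path built in the report's ADStoreCtx.cs line.
    public static string BuildGcPath(string server, string dn)
        => "GC://" + server + "/" + EscapeDnForAdsPath(dn);

    static void Main()
    {
        string[] samples =
        {
            "CN=test user,OU=Test / OU,OU=Users,DC=domain,DC=com", // from the report
            "CN=test/user,OU=Users,DC=domain,DC=com",              // from the report
            @"CN=test\/user,OU=Users,DC=domain,DC=com",            // constructed: already escaped
            @"CN=Smith\, John,OU=A/B,DC=domain,DC=com",            // constructed: other escapes kept
        };

        foreach (var dn in samples)
            Console.WriteLine(BuildGcPath("gc.domain.com", dn));
    }
}
```
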

@klyse klyse commented Sep 19, 2019

Any updates on this? I have the same problem.


@gabeluci gabeluci commented Sep 19, 2019

No, it hasn't been fixed yet.

As an alternative, you can get a user's groups using DirectoryEntry directly (which is what UserPrincipal uses in the background anyway). I wrote an article on this, with some example code: Active Directory: Finding all of a user’s groups. I find that using DirectoryEntry directly performs faster anyway.

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the Future milestone Jan 31, 2020

@Zorgle Zorgle commented Apr 9, 2020

Just hit this bug using .NET 4.8 on Windows 2016 1909.

@ericstj ericstj removed the untriaged label Jul 9, 2020
@krwq krwq added this to Future in Triage for team IoT pod Feb 4, 2021