Marisa Marisa - 2 years ago 166
ASP.NET (C#) Question

System.DirectoryServices.DirectoryServicesCOMException (0x8000500C) When Checking Group Membership

I have an ASP.NET application which calls out to a WCF service for all its data access and business logic needs.

App -> WCF -> DB etc.

The application is hosted in IIS with a custom user as the ApplicationPoolIdentity. ASP Impersonation is enabled for the web application. The ApplicationPoolIdentity user has permission to query/access AD groups (as it does so in other applications). All methods in the WCF service are decorated with impersonation attributes.

My problem is that on my local dev machine, when I run the whole hierarchy, the site is able to successfully access AD and query it accordingly. After I publish to the dev box (which has identical settings), I get the following exception when checking membership.

System.DirectoryServices.DirectoryServicesCOMException (0x8000500C): Unknown error (0x8000500c)
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

The code I am using to check is as follows.

using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

private static bool IsUserMemberOfGroup(string userName, string ntGroupName)
{
    if (userName == null || ntGroupName == null)
        return false;

    try
    {
        // Strip the "DOMAIN\" prefix so we compare plain sAMAccountNames.
        userName = userName.Replace($"{Environment.UserDomainName}\\", string.Empty);

        bool result;
        // Bind to the local machine when not domain-joined, otherwise to the domain.
        using (var ctx = new PrincipalContext(Environment.UserDomainName == Environment.MachineName
                                                  ? ContextType.Machine
                                                  : ContextType.Domain, Environment.UserDomainName))
        using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, ntGroupName))
            // GetMembers(true) enumerates nested group membership recursively.
            result = grp != null && grp.GetMembers(true)
                                       .Any(m => m.SamAccountName.Equals(
                                                 userName, StringComparison.OrdinalIgnoreCase));

        return result;
    }
    catch (Exception ex)
    {
        Log4NetLogManager.LogException($"Error while checking {userName} membership in group {ntGroupName}", ex);

        return false;
    }
}

It fails on the line
using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, ntGroupName))

What am I doing wrong? Is there a 100% foolproof way to avoid this exception? We are actively using a similar pattern in another application and it works beautifully. I have reviewed the similarities and differences between the two applications and their configurations (both ASP.NET), but can't find any differences.

I also set up a testing application to run on the remote box with the code used by both applications (the working and the broken one) and could not replicate the failure.

A checklist would be incredibly helpful here.

Answer Source

In the end, we did the stupid solution and broke out this logic into a small service and directed both applications to call this service for group membership validation. It works beautifully for both applications without any issues.
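One explanation that fits the symptoms in the question (works locally, fails once ASP.NET and WCF impersonation are both in play on a remote box) is that the request thread is carrying the caller's impersonated network-logon token when `PrincipalContext` binds to the domain, and that token cannot be forwarded a second hop to the domain controller without constrained delegation. The added example below, which is not code from the question or the answer, performs the LDAP bind as the process (application-pool) identity instead, checks nested membership through the user's authorization groups, and logs the extended COM error detail that the bare "Unknown error (0x8000500c)" message hides. It assumes .NET Framework on Windows with references to System.DirectoryServices and System.DirectoryServices.AccountManagement; the domain, user and group names are placeholders supplied by the caller, and the logging delegate stands in for the question's Log4NetLogManager.

```csharp
// Added example, not the original poster's code. Assumes .NET Framework 4.x on
// Windows; WindowsIdentity.Impersonate(IntPtr.Zero) reverts the calling thread to
// the process token for the lifetime of the returned context.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

public static class GroupMembership
{
    // Stand-in for the question's Log4NetLogManager (assumed name, not the page's API).
    public static Action<string, Exception> Log = (msg, ex) => Console.Error.WriteLine($"{msg}: {ex}");

    // Returns true only when both the user and the group resolve and the user is a
    // (possibly nested) member of the group. Any failure is logged and reported as false.
    public static bool IsUserMemberOfGroup(string domain, string userName, string ntGroupName)
    {
        if (string.IsNullOrWhiteSpace(domain) || string.IsNullOrWhiteSpace(userName)
            || string.IsNullOrWhiteSpace(ntGroupName))
            return false;

        // Strip any "DOMAIN\" prefix so we look up a plain sAMAccountName.
        int slash = userName.LastIndexOf('\\');
        if (slash >= 0)
            userName = userName.Substring(slash + 1);

        // Revert to the process identity while we talk to AD. Under ASP.NET/WCF
        // impersonation the thread otherwise binds with the caller's token, which
        // generally cannot hop on to a domain controller without delegation.
        // Disposing the context restores the previous impersonation for the request.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            try
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, domain))
                using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, ntGroupName))
                using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
                {
                    if (grp == null || user == null)
                        return false;

                    // GetAuthorizationGroups returns the security groups the user belongs
                    // to, including nested ones; comparing SIDs avoids name-case issues.
                    using (var groups = user.GetAuthorizationGroups())
                    {
                        return groups.Any(g => g.Sid != null && g.Sid.Equals(grp.Sid));
                    }
                }
            }
            catch (DirectoryServicesCOMException ex)
            {
                // The COM exception carries the LDAP-level detail behind the generic HRESULT.
                Log($"AD query failed (HRESULT 0x{ex.ErrorCode:X8}, extended error {ex.ExtendedError}: " +
                    $"{ex.ExtendedErrorMessage}) while checking {userName} in {ntGroupName}", ex);
                return false;
            }
            catch (PrincipalServerDownException ex)
            {
                // No domain controller reachable for the requested domain.
                Log($"Domain {domain} unreachable while checking {userName} in {ntGroupName}", ex);
                return false;
            }
        }
    }
}
```

Reverting to the process identity only helps if the application pool runs as a domain account (or a group managed service account) that is allowed to read group membership, which the question says is already the case. A fail-closed return of false on every error path keeps an AD outage from silently granting access; if the hardened version still throws, the logged ExtendedErrorMessage is the first thing to read.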
