In a Web API controller I needed to determine the role membership using an AD group that contained members from multiple domains in another forest.
this.RequestContext.Principal.IsInRole(roleName)
returned false and no indication of an error could be found. The code above did work with other AD groups, though. I then modified the code to loop through the group in question and received an exception.
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// ctx (a PrincipalContext), currentUserPrincipal (a UserPrincipal) and roles
// (a List<string>) are set up earlier in the controller and not shown here.
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, roleName);
if (group != null)
{
    // GetMembers() resolves each member lazily; a member that cannot be
    // resolved throws from the enumerator and aborts the whole loop.
    foreach (Principal p in group.GetMembers())
    {
        if (p != null && currentUserPrincipal.UserPrincipalName == p.UserPrincipalName)
        {
            roles.Add(roleName);
            break;
        }
    }
}
The specified directory service attribute or value does not exist.
I determined that the exception was being thrown on a group member from a specific domain. I removed said individual and the code executed normally. I added another account from the same domain as the first and the error returned.
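The loop above fails as a whole because GroupPrincipal.GetMembers() resolves every cross-forest member (stored locally as a foreignSecurityPrincipal object) against its home forest, and the first member it cannot resolve throws out of the enumerator. The following helper is an added example, not code from the original post: it reads the group's raw "member" attribute, compares objectSid values instead of UserPrincipalName, and records any member whose entry cannot be read so the offending DN (and therefore the domain) can be logged rather than silently turning the role check into false. The class and method names are the example's own; ctx and the user's SID are assumed to come from the controller's existing setup.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example (not the original post's code). Direct-membership check that
// does not depend on every member's home forest being healthy.
public static class GroupMembershipCheck
{
    public sealed class MemberStatus
    {
        public string DistinguishedName;
        public SecurityIdentifier Sid;   // null when the entry could not be read
        public string Error;             // null on success
    }

    // Enumerate the group's direct members with one DirectoryEntry bind each.
    // Reading an FSP's objectSid only touches the local domain, so a broken
    // remote domain does not take the whole enumeration down.
    public static List<MemberStatus> ReadDirectMembers(PrincipalContext ctx, string groupName)
    {
        var members = new List<MemberStatus>();
        GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName);
        if (group == null)
            throw new ArgumentException("Group not found: " + groupName);

        using (var groupEntry = (DirectoryEntry)group.GetUnderlyingObject())
        {
            foreach (object value in groupEntry.Properties["member"])
            {
                var status = new MemberStatus { DistinguishedName = (string)value };
                try
                {
                    // Forward slashes in a DN must be escaped in an LDAP ADsPath.
                    string path = "LDAP://" + status.DistinguishedName.Replace("/", "\\/");
                    using (var memberEntry = new DirectoryEntry(path))
                    {
                        var sidBytes = (byte[])memberEntry.Properties["objectSid"].Value;
                        status.Sid = new SecurityIdentifier(sidBytes, 0);
                    }
                }
                catch (DirectoryServicesCOMException ex)
                {
                    // A member from a damaged domain surfaces here; record it and keep going.
                    status.Error = ex.Message;
                }
                members.Add(status);
            }
        }
        return members;
    }

    // Fail-closed check: an unreadable member never counts as a match, but each
    // one is handed back so the caller can log which DN could not be resolved.
    public static bool IsDirectMember(PrincipalContext ctx, SecurityIdentifier userSid,
                                      string groupName, out List<MemberStatus> unresolved)
    {
        unresolved = new List<MemberStatus>();
        bool found = false;
        foreach (MemberStatus m in ReadDirectMembers(ctx, groupName))
        {
            if (m.Error != null) { unresolved.Add(m); continue; }
            if (m.Sid.Equals(userSid)) found = true;
        }
        return found;
    }
}
```

With Windows authentication the caller's SID is available as ((WindowsIdentity)RequestContext.Principal.Identity).User, and anything returned in unresolved should be written to the application log, since a silent false from IsInRole was exactly what made the original problem hard to find. Two limits to keep in mind: the check covers direct members only (nested groups would need recursion over member entries whose objectClass is group), and groups with more than roughly 1500 members return the "member" attribute in ranges, which this simple read does not page through.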
Searching for the given error message I found the following SO question and answer. The top answer states.
Using Active Directory Users and Computers I browsed the AD of the problem domain and could not see any Computers container. I contacted IS and informed them of this and they restored the directory to a good state. At that point
this.RequestContext.Principal.IsInRole(roleName)
worked as expected and I was able to evaluate role membership.

Edit: OMG! This also fixed an issue with the SharePoint user profile service not syncing user details from members in the same domain. I have been trying for two years to track down the cause of the user profile error with no success.