UserPrincipal.Current throws COMException from one day to the next


This morning I started noticing some problems with several of my programs regarding Active Directory read operations. I noticed that all those applications (client and server) use the System.DirectoryServices.AccountManagement.UserPrincipal class for those read operations, while the programs still running correctly use System.DirectoryServices.DirectorySearcher.

So in order to narrow the problem down, I built the following very simple console application:

using System;
using System.DirectoryServices.AccountManagement;

class Program
{
    static void Main(string[] args)
    {
        //this works great
        Console.WriteLine($"Environment.UserName:{Environment.UserName}");

        //this works great: domain name and container are passed explicitly
        PrincipalContext pcFull = new PrincipalContext(ContextType.Domain, "my.company.de", "dc=my,dc=company,dc=de");
        UserPrincipal upPrincipalContextFull = UserPrincipal.FindByIdentity(pcFull, Environment.UserName);

        //this doesn't work at all: no domain name or container given, the class has to resolve them itself
        //Exception: “The specified directory service attribute or value does not exist”
        PrincipalContext pc = new PrincipalContext(ContextType.Domain);
        UserPrincipal upPrincipalContext = UserPrincipal.FindByIdentity(pc, Environment.UserName);

        //this doesn't either, same exception (UserPrincipal.Current also builds a PrincipalContext without a container)
        UserPrincipal upCurrent = UserPrincipal.Current;

        Console.ReadKey();
    }
}

As you can see in the comments, the two latter operations fail on every computer in the domain I tested them on, even though they worked perfectly for several years. The following exception occurs when I call UserPrincipal.Current or UserPrincipal.FindByIdentity(pc, Environment.UserName); without specifying the container in the PrincipalContext:

System.Runtime.InteropServices.COMException: “The specified directory service attribute or value does not exist”

Here is what I know:

  • none of the applications that suddenly stopped working received an update within the last two weeks
  • all of those applications, the UserPrincipal.Current property and the UserPrincipal.FindByIdentity method worked perfectly yesterday
  • workstations did not receive Windows or .NET updates in the last week
  • the phenomenon is not tied to a single workstation, user or OS, but occurs for a lot of different users on a lot of different machines running Windows 7 or 10
  • Domain Controllers received updates a week ago. Apparently one of those updates has a known issue with LDAP queries: due to a defect in WLDAP32.DLL, applications that perform LDAP referral chasing can consume too many dynamic TCP ports. It seems unlikely that this is the reason for the sudden failures, because a) that patch was installed a week ago and the problems only occurred today, and b) the workarounds suggested by Microsoft (restarting services) don't have any effect

What might cause such a behavior "overnight"? If it really is related to a Windows update, other users will soon be experiencing this bug too!

I can obviously build workarounds so that I don't have to use the failing methods and properties, but I still have to know why it stopped working in the first place.

Edit

To start with, it would be useful to understand the difference between public PrincipalContext(ContextType contextType); and public PrincipalContext(ContextType contextType, string name, string container);. The PrincipalContext constructed without container still has to obtain that container somehow, doesn't it?


Solution

  • By default the PrincipalContext searches in the "OU=Computers" container. This fails if read permission is not set on the container, and a COMException is thrown.
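As an added example (not code from the question or the answer above), the following generalizes the constructor form the question reports as still working: it resolves the domain DN from RootDSE instead of hard-coding it, and adds a diagnostic that checks whether the caller can read the well-known default Computers container that the container-less PrincipalContext depends on. It assumes a domain-joined machine running as a domain user and passes Environment.UserDomainName as the domain name (the question used the DNS name "my.company.de"); the names AdLookup, CurrentUserDn and CanReadDefaultComputersContainer are mine.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

static class AdLookup
{
    // Well-known-object GUID of the domain's default Computers container.
    const string ComputersContainerGuid = "AA312825768811D1ADED00C04FD8D5CD";
    // RootDSE needs no rights on any container, so the domain DN can be
    // resolved even when the default container itself is not readable.
    static string DefaultNamingContext()
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            return (string)rootDse.Properties["defaultNamingContext"].Value;
    }

    // Looks up the current user with the container passed explicitly (the
    // constructor form the question reports as still working); returns its DN.
    public static string CurrentUserDn()
    {
        using (var pc = new PrincipalContext(ContextType.Domain, Environment.UserDomainName, DefaultNamingContext()))
        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, Environment.UserName))
            return user?.DistinguishedName;
    }

    // Diagnostic for the failure in the solution: finds the default Computers container via the
    // domain's wellKnownObjects attribute ("B:32:<guid>:<dn>") and reports whether the caller can read it.
    public static bool CanReadDefaultComputersContainer(out string message)
    {
        using (var domain = new DirectoryEntry("LDAP://" + DefaultNamingContext()))
        using (var searcher = new DirectorySearcher(domain, "(objectClass=*)", new[] { "wellKnownObjects" }, SearchScope.Base))
        foreach (string value in searcher.FindOne().Properties["wellKnownObjects"])
        {
            string[] parts = value.Split(new[] { ':' }, 4);
            if (parts.Length != 4 || !string.Equals(parts[2], ComputersContainerGuid, StringComparison.OrdinalIgnoreCase)) continue;
            try
            {
                using (var container = new DirectoryEntry("LDAP://" + parts[3]))
                    container.RefreshCache(new[] { "distinguishedName" });
                message = "Readable: " + parts[3];
                return true;
            }
            catch (COMException ex) { message = "Not readable: " + parts[3] + " (" + ex.Message + ")"; return false; }
        }
        message = "Computers container not listed in wellKnownObjects";
        return false;
    }
}
```

Run CanReadDefaultComputersContainer from an affected workstation under an affected user: a "Not readable" result points at the container permission described in the solution rather than at the application code.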