Tags: c#, active-directory, ldap, ldapconnection

Reading objectSID from Active Directory - problem when reading from Builtin groups


I need to use the LdapConnection classes in my project because DirectoryEntry/DirectorySearcher do not support ignoring of self-signed certificates for LDAPS. As I migrated my code I ran into an issue when reading the objectSid from Builtin groups: the format is not the same as for custom added groups, and the return value is strange and can't be cast to anything.

Here are 2 code examples that illustrate my problem - or rather, the result that differs:

    using System.DirectoryServices.Protocols;
    // ...

    LdapConnection conn = new LdapConnection("va.dev");

    // Groups created by hand live in a custom OU
    var filter = "(objectClass=group)";
    var searchRequest = new SearchRequest("OU=Developer Goups,DC=va,DC=dev", filter, System.DirectoryServices.Protocols.SearchScope.OneLevel, "sAMAccountName", "description", "distinguishedName", "objectSid");
    var response = conn.SendRequest(searchRequest) as SearchResponse;
    var objectSid = response.Entries[0].Attributes["objectSid"][0];

The result of objectSid is Byte[] - and I can convert it to a SecurityIdentifier or string - whatever I need.

Now the same code reading Builtin groups:

    using System.DirectoryServices.Protocols;
    // ...

    LdapConnection conn = new LdapConnection("va.dev");

    // Same search, but against the Builtin container
    var filter = "(objectClass=group)";
    var searchRequest = new SearchRequest("CN=Builtin,DC=va,DC=dev", filter, System.DirectoryServices.Protocols.SearchScope.OneLevel, "sAMAccountName", "description", "distinguishedName", "objectSid");
    var response = conn.SendRequest(searchRequest) as SearchResponse;
    var objectSid = response.Entries[0].Attributes["objectSid"][0];

Now the result is very strange for the first Builtin group (and for all others) - it looks like this:

"\u0001\u0002\0\0\0\0\0\u0005 \0\0\0,\u0002\0\0" (of type string)

I can't convert it to any known data type. The difference between Builtin groups and manually added groups is the SID length - for example the objectSid for a custom group is "S-1-5-21-978504927-3573220367-3221873571-1300" and for a Builtin group "S-1-5-32-548".

Before, I used DirectorySearcher and DirectoryEntry - and with these classes I get a valid byte array as return value for both entries. Is there anything I can do to get it working?!? The conversion of a byte array to a readable string I already have :-)


Solution

  • The string you receive is actually the binary representation of the SID value (each character = 1 byte).

    Convert it to a byte array with:

    using System.Text;
    // ...

    // one character per byte, so an ASCII round-trip recovers the raw bytes
    var binaryForm = Encoding.ASCII.GetBytes(objectSid);

    ... or:

    using System.Linq;
    // ...

    var binaryForm = objectSid.Select(ch => (byte)ch).ToArray();

    Then instantiate a new SecurityIdentifier based on the binary form:

    using System.Security.Principal;
    // ...

    var sid = new SecurityIdentifier(binaryForm, 0);
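As an added example (not code from the question or the answer above), the helper below sidesteps the string-versus-byte[] ambiguity by asking `DirectoryAttribute.GetValues(typeof(byte[]))` for the raw bytes, keeps a guarded fallback for values that already arrived as a char-per-byte string, and includes an offline self-check with a constructed `S-1-5-32-548` SID; the class and method names are my own.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Principal;

static class SidReader
{
    // Request the attribute as byte[] explicitly. The default indexer hands back a
    // string whenever the raw value happens to decode as text, which is exactly what
    // happens for the short Builtin SIDs such as S-1-5-32-548.
    public static SecurityIdentifier ReadObjectSid(SearchResultEntry entry)
    {
        DirectoryAttribute attr = entry.Attributes["objectSid"];
        if (attr == null || attr.Count == 0)
            return null;
        byte[] raw = (byte[])attr.GetValues(typeof(byte[]))[0];
        return new SecurityIdentifier(raw, 0);
    }

    // Recover the SID from a value that already arrived as a string, one char per byte.
    // A char above 0xFF means the value was never a byte-per-char string, so refuse it
    // rather than silently truncating.
    public static SecurityIdentifier FromCharString(string value)
    {
        var raw = new byte[value.Length];
        for (int i = 0; i < value.Length; i++)
        {
            if (value[i] > 0xFF)
                throw new ArgumentException("not a byte-per-char SID string", nameof(value));
            raw[i] = (byte)value[i];
        }
        return new SecurityIdentifier(raw, 0);
    }

    // Builtin groups sit under the S-1-5-32 authority; domain groups under S-1-5-21-....
    public static bool IsBuiltinGroup(SecurityIdentifier sid) =>
        sid.Value.StartsWith("S-1-5-32-", StringComparison.Ordinal);

    // Offline self-check on constructed input (no directory needed): take the binary
    // form of a Builtin SID, turn it into the kind of string the question shows, and
    // round-trip it back through FromCharString.
    public static void Main()
    {
        var original = new SecurityIdentifier("S-1-5-32-548");
        var bytes = new byte[original.BinaryLength];
        original.GetBinaryForm(bytes, 0);
        string asString = new string(Array.ConvertAll(bytes, b => (char)b));
        SecurityIdentifier roundTrip = FromCharString(asString);
        Console.WriteLine($"{roundTrip.Value} builtin={IsBuiltinGroup(roundTrip)} equal={roundTrip.Equals(original)}");
    }
}
```

In the LDAP code from the question, replace `response.Entries[0].Attributes["objectSid"][0]` with `SidReader.ReadObjectSid(response.Entries[0])` and both the custom and the Builtin group come back as a SecurityIdentifier.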