Using User.IsInRole() across Active Directory domains to check for group membership


I have two domains that are set up with a two way trust.

Domain A has a group (group A) with a member (User A).

Domain B has a group (group B) with Group A (from the other domain) as a member.

I'm checking with:

if (User.IsInRole(group B))
{
    // Logging in as User A should provide access, because this user is part of Group A, which is part of Group B.
}

but that's not working.

What am I missing here?


This fails for me when run on a machine logged in as the user and joined to that domain.

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.DirectoryServices.ActiveDirectory;
    using System.Security.Principal;
    using NUnit.Framework;

    // Resolve the group's SID in the domain that owns it, so the membership check
    // compares SIDs in the logon token instead of relying on name resolution in the
    // caller's own domain.
    private static SecurityIdentifier GetGroupSid(string domainName, string groupName)
    {
        using (var d = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, domainName)))
        using (var context = new PrincipalContext(ContextType.Domain, d.Name))
        using (var group = GroupPrincipal.FindByIdentity(context, groupName))
        {
            // FindByIdentity returns null rather than throwing when the group is not found.
            if (group == null)
                throw new InvalidOperationException(
                    "Group '" + groupName + "' not found in domain '" + domainName + "'");
            return group.Sid;
        }
    }

    [Test]
    public void should_check_role_with_sid()
    {
        var barDomain = "bar.example.com";
        var groupInBar = GetGroupSid(barDomain, "group_in_bar");
        var identity = WindowsIdentity.GetCurrent();
        var windowsPrincipal = new WindowsPrincipal(identity);
        // IsInRole(SecurityIdentifier) checks the SID against the groups in the current token.
        Assert.That(windowsPrincipal.IsInRole(groupInBar), Is.True, "Checking role " + groupInBar);
    }
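When a SID-based check like the one above still returns false, the next thing to look at is what the logon token actually contains. The following is an added example, not code from the question or the answer: it resolves a DOMAIN\group name to its SID with an explicit NTAccount lookup, lists every group SID in the current WindowsIdentity with its resolved name, and reports whether the target SID is among them. The domain and group names are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

static class TokenGroupsCheck
{
    // True when the given group SID is present in the current logon token.
    // IsInRole(SecurityIdentifier) answers the same question, but enumerating
    // Groups shows which SIDs the token carries, which is what you need when a
    // cross-domain nested membership appears to be missing.
    public static bool TokenContains(WindowsIdentity identity, SecurityIdentifier groupSid)
    {
        return identity.Groups != null
            && identity.Groups.Any(g => g.Value == groupSid.Value);
    }

    // Resolve DOMAIN\group to its SID through an LSA lookup. An explicit
    // NTAccount makes the target domain unambiguous; Translate throws
    // IdentityNotMappedException if the name cannot be resolved across the trust.
    public static SecurityIdentifier ResolveGroupSid(string domain, string group)
    {
        return (SecurityIdentifier)new NTAccount(domain, group)
            .Translate(typeof(SecurityIdentifier));
    }

    public static void Main()
    {
        // Placeholder names: substitute the trusting domain and its group.
        var targetSid = ResolveGroupSid("DOMAINB", "Group B");

        using (var identity = WindowsIdentity.GetCurrent())
        {
            foreach (var sid in identity.Groups)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = "<unresolved>"; }
                Console.WriteLine(sid.Value + "  " + name);
            }

            // The token is built at logon: a membership added afterwards, or a
            // domain-local group from the other domain, will not show up here
            // until the user logs on again or authenticates to a resource in
            // that domain.
            Console.WriteLine(TokenContains(identity, targetSid)
                ? "Target group present in token"
                : "Target group NOT in token; check group scope and nesting, then re-logon");
        }
    }
}
```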