
I have a .NET web application that needs to obtain the groups that a user is a member of in Active Directory.

My code works perfectly using my ID, but when I run it under the application ID it gives me the following error:

    [COMException (0x8007052e): Logon failure: unknown user name or bad password.]
       System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +420085
       System.DirectoryServices.DirectoryEntry.Bind() +36
       System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
       System.DirectoryServices.PropertyValueCollection.PopulateList() +26
       System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +49
       System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +141
       System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName) +57

The ID that I am using to run the application is in a different domain than the users. I found this answer but I am not sure if it can apply to cross-domain IDs.

What kind of configuration do we need for this to work?

Thanks

1 Answer


What you are looking for is Active Directory delegation. MSFT has a published best practice document that you can use. However, it's very simple to implement. I also have a simple step-by-step setup of delegation for an open source AD application I wrote that you can take a look at:

  • Thanks. Is "reading memberof" permission granted as a default to all accounts in the same domain? Because I can see everyone's groups in my domain using NET command. Commented Aug 10, 2012 at 15:24
  • Pretty sure it is. I can see the group membership of all Exchange groups by default and they are tied together. Read is usually allowed regardless of user, write of course is not. Commented Aug 10, 2012 at 16:19
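
The lookup from the question, written as an added example (not code from the question or the answer): it binds explicitly to the users' domain, reads `memberOf`, and reports the `0x8007052e` bind failure separately from other errors. The domain name `users.example.com`, the environment variable names, and the class and method names are assumptions for illustration; the bind account is assumed to have been granted read access in the users' domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class CrossDomainGroups
{
    // HRESULT shown in the question's stack trace (logon failure on bind).
    const int LogonFailure = unchecked((int)0x8007052E);

    // RFC 4515 escaping so a caller-supplied name cannot change the LDAP filter.
    // The backslash is replaced first so later escapes are not escaped again.
    static string EscapeFilter(string v) =>
        v.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
         .Replace(")", @"\29").Replace("\0", @"\00");

    public static List<string> GetMemberOf(string samAccountName)
    {
        // Assumed placeholders: the users' domain, and a read-only bind account
        // whose credentials are kept outside source code.
        string path = "LDAP://users.example.com";
        string bindUser = Environment.GetEnvironmentVariable("AD_BIND_USER");
        string bindPass = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");
        try
        {
            using (var root = new DirectoryEntry(path, bindUser, bindPass, AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeFilter(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("memberOf");
                SearchResult result = searcher.FindOne();
                var groups = new List<string>();
                if (result != null)
                    foreach (object dn in result.Properties["memberOf"])
                        groups.Add((string)dn);
                return groups; // distinguished names of the user's direct groups
            }
        }
        catch (COMException ex) when (ex.ErrorCode == LogonFailure)
        {
            // The users' domain rejected the bind identity; log which identity was used.
            throw new InvalidOperationException(
                "Bind to " + path + " was rejected (0x8007052e) for the configured account.", ex);
        }
    }
}
```

`memberOf` lists direct memberships only; nested groups and the primary group are not included in it.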
