System.DirectoryServices.DirectoryServicesCOMException thrown when passing credentials

Applies to: Windows Vista Service Pack 2, Windows 7 Service Pack 1, Windows Server 2008 Service Pack 2

Symptoms


In the Microsoft .NET Framework 4.5 or a later version, the following methods may throw a System.DirectoryServices.DirectoryServicesCOMException exception together with an inner message that resembles "Access Denied," "Invalid Credentials," or "Logon failure" when topologies that contain multiple domains or forests are targeted:
  • System.DirectoryServices.AccountManagement.Principal.GetGroups()
  • System.DirectoryServices.AccountManagement.Principal.GetGroups(PrincipalContext contextToQuery)
  • System.DirectoryServices.AccountManagement.GroupPrincipal.GetGroups()
  • System.DirectoryServices.AccountManagement.GroupPrincipal.GetGroups(PrincipalContext contextToQuery)
  • System.DirectoryServices.AccountManagement.AuthenticablePrincipal.GetGroups()
  • System.DirectoryServices.AccountManagement.AuthenticablePrincipal.GetGroups(PrincipalContext contextToQuery)
  • System.DirectoryServices.AccountManagement.UserPrincipal.GetGroups()
  • System.DirectoryServices.AccountManagement.UserPrincipal.GetGroups(PrincipalContext contextToQuery)
  • System.DirectoryServices.AccountManagement.ComputerPrincipal.GetGroups()
  • System.DirectoryServices.AccountManagement.ComputerPrincipal.GetGroups(PrincipalContext contextToQuery)

Cause


A Principal may be a member of a group that belongs to a separate domain or forest. To retrieve that group's data, System.DirectoryServices.AccountManagement has to connect to a domain controller in the group's domain. Authenticating to a domain controller in another domain or forest requires the domain information of the user whose credentials are being used. If a user name and password are passed to the PrincipalContext constructor and the user name does not contain domain information, these methods throw an exception when they follow such a cross-domain membership.

Workaround


If user credentials are passed when a PrincipalContext is created, the user name parameter should contain the domain information of the user. Use either the down-level form "DOMAIN\AccountName" or the user principal name (for example, AccountName@domain.example.com) instead of a bare account name.
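The following C# program is an added example, not code from the article; it shows the workaround applied in code and adds an up-front check that rejects a bare account name before the PrincipalContext is built, because the failure otherwise surfaces only later, inside GetGroups(), when a cross-domain membership is followed. The domain name, account names and the LDAP_BIND_PASSWORD environment variable are placeholders.

```csharp
using System;
using System.DirectoryServices;                 // DirectoryServicesCOMException
using System.DirectoryServices.AccountManagement;

// Added example, not from the KB article. Domain and account names are
// placeholders; replace them with values from your own forest.
static class CrossDomainGroupLookup
{
    // Fail fast on a bare account name. Without domain information the bind
    // succeeds against the local domain, but GetGroups() can throw
    // DirectoryServicesCOMException as soon as it has to authenticate to a
    // domain controller in another domain or forest.
    static string RequireQualifiedUserName(string userName)
    {
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("User name must not be empty.", nameof(userName));

        bool downLevel = userName.IndexOf('\\') > 0;   // DOMAIN\AccountName
        bool upn       = userName.IndexOf('@') > 0;    // AccountName@domain.example.com
        if (!downLevel && !upn)
            throw new ArgumentException(
                "User name must include domain information ('DOMAIN\\AccountName' or a UPN).",
                nameof(userName));
        return userName;
    }

    // Bind to contextDomain with the supplied credentials and list the groups
    // of targetSam, including groups that live in other domains of the forest.
    static void PrintGroups(string contextDomain, string bindUser, string bindPassword, string targetSam)
    {
        string qualified = RequireQualifiedUserName(bindUser);

        using (var ctx = new PrincipalContext(ContextType.Domain, contextDomain, qualified, bindPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, targetSam))
        {
            if (user == null)
            {
                Console.WriteLine("User {0} not found in {1}.", targetSam, contextDomain);
                return;
            }
            try
            {
                // This is the call the article describes: a membership in a
                // foreign domain needs a second authenticated connection.
                using (PrincipalSearchResult<Principal> groups = user.GetGroups())
                {
                    foreach (Principal g in groups)
                        Console.WriteLine("{0}\t{1}", g.Context.Name, g.SamAccountName);
                }
            }
            catch (DirectoryServicesCOMException ex)
            {
                Console.WriteLine("GetGroups failed: {0}", ex.Message);
            }
        }
    }

    static void Main()
    {
        const string domain = "corp.example.com";                                  // placeholder
        string password = Environment.GetEnvironmentVariable("LDAP_BIND_PASSWORD"); // placeholder source

        // Bare account name: rejected here rather than failing later in GetGroups().
        try { PrintGroups(domain, "svc-ldap", password, "jdoe"); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }

        // The article's workaround: qualify the bind user name in either form.
        PrintGroups(domain, @"CORP\svc-ldap", password, "jdoe");
        PrintGroups(domain, "svc-ldap@corp.example.com", password, "jdoe");
    }
}
```

The check only enforces the shape of the user name; it does not validate that the domain part is correct, so a typo in the domain still fails at bind time with an "Invalid Credentials" or "Logon failure" style inner message. Keep the bind password out of source and configuration files; the environment variable above stands in for a secret store.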

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.