Ldap GetMembers working over 389 port

[AALOON]

Description

Hi!

When GroupPrincipal.GetMembers used and 389 port blocked on machine (and 636 specified on connection string)
Method not working

problem is here:
https://github.com/dotnet/runtime/blob/main/src/libraries/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/AD/ADStoreCtx.cs
protected virtual void LoadDomainInfo()

Reproduction Steps

var options = Negotiate | SecureSocketLayer;
using var context = new PrincipalContext( ContextType.Domain, "domain:636", "DC=domain", options);
using (var indentity = GroupPrincipal.FindByIdentity(context, "Group"))
{
var tmp = indentity.GetMembers(true).First(); // we will wall
}

Expected behavior

When domain specified, used same port (LDAPS) communication

Actual behavior

Method failed when 389 blocked

Regression?

No response

Known Workarounds

No response

Configuration

• Net462, NetCore31, NetCore5 and other
• Windows
• Debug, Release

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Hi!

When GroupPrincipal.GetMembers used and 389 port blocked on machine (and 636 specified on connection string)
Method not working

problem is here:
https://github.com/dotnet/runtime/blob/main/src/libraries/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/AD/ADStoreCtx.cs
protected virtual void LoadDomainInfo()

Reproduction Steps

var options = Negotiate | SecureSocketLayer;
using var context = new PrincipalContext( ContextType.Domain, "domain:636", "DC=domain", options);
using (var indentity = GroupPrincipal.FindByIdentity(context, "Group"))
{
var tmp = indentity.GetMembers(true).First(); // we will wall
}

Expected behavior

When domain specified, used same port (LDAPS) communication

Actual behavior

Method failed when 389 blocked

Regression?

No response

Known Workarounds

No response

Configuration

• Net462, NetCore31, NetCore5 and other
• Windows
• Debug, Release

Other information

No response

Author:	AALOON
Assignees:	-
Labels:	area-System.DirectoryServices, untriaged
Milestone:	-

[danmoseley]

Hi @AALOON thanks for the report. Do you want to debug a little to find where the cause might be?

[AALOON]

@danmoseley
Actually, I debugged it. And link to source code and image show the place where it goes wrong.
When we loading group from sub domain or just different group type (e.g. security) we will LoadDomainInfo information (protected virtual void LoadDomainInfo()).
Where method loads DnsHostName and builds up ldap link on default port (389)
Load triggered by accessing to properties such this

also same problem exists in DirectoryEntry domainNC = SDSUtils.BuildDirectoryEntry(
I don't know but there could be two potential fixes if I am not mistaken:

1. switch dnsHostName to UserSuppliedServerName (but there could be problems on sub domain groups)
2. switch AuthenticationTypes.Anonymous -> this.authTypes (but I also don't know how it can impact other domains)

Also I can create pull request if some one who understands ldap and this policy, will say I am right or I am wrong and that designed to work this way.

If there need any other debug information I will help.

[joperezr]

cc: @jay98014 and @kumarravi do you mind taking a look?

[patrickulrich007]

Is this issues fixed? I have the same problem, it will be more and more important, as customers start switching from LDAP to LDAPS and closing the 389 port.

[buyaa-n]

ping @jay98014 and @kumarravi again

[patrickulrich007]

Is there an other way with C#, to get the groups from a user, with .net libraries? I know, that I could do it directly with LDAP queries, but I would like to avoid that.

[kumarravik78c]

I have approved the PR after validating the fix on my local set up.