26

I am using the method UserPrincipal.Current.ToString() in a domain to get the currently logged-in domain user with a valid domain, but when I display it in a string it gives an error when hosted on an IIS server:

Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal'
           to type 'System.DirectoryServices.AccountManagement.UserPrincipal'.
Levon
Sunil Mathari
  • 2
    Does this help? http://stackoverflow.com/a/10848934/43846 – stuartd Jun 13 '12 at 12:23
  • 1
    The cause of this error is due to attempting to read from an uninstantiated object. On the server you need to create and populate the PrincipalContext object first then the data can be read from it. When running in debug mode, VS automatically creates some of these types of objects so they can be linked in the debugger for watches and the like. – user1431356 May 01 '18 at 17:38

3 Answers

41

I had the same problem. It worked perfectly on my local machine, but when I deployed it to IIS on the server it failed. In the end I had to change two things to make it work:

  1. Change the Authentication to "Windows Authentication" (how-to)

  2. Instead of using Current, do it in two steps: (source)

```csharp
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, User.Identity.Name);
```

And to finally get the name (or any other info), I used user.DisplayName.

Community
JollyBrackets
  • 4
    this throws error for me The (&(objectCategory=user)(objectClass=user)(|(userPrincipalName=)(distinguishedName=)(name=))) search filter is invalid. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.ArgumentException: The (&(objectCategory=user)(objectClass=user)(|(userPrincipalName=)(distinguishedName=)(name=))) search filter is invalid – Kurkula Jan 25 '17 at 19:04
  • @Kurkula I'm seeing the same thing - any advice? – mattnedrich Feb 15 '19 at 20:53
  • 2
    You have to set `Anonymous Authentication` to false and `Windows Authentication` to true. If you call the endpoint through JavaScript, you need `withCredentials = true` – Emaborsa Feb 26 '19 at 12:39
  • 1
    I had to use the fully qualified name HttpContext.Current.User.Identity.Name – Doreen May 14 '19 at 17:50
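
The two-step lookup from the answer above, with the empty-name case from the comments handled, as an added example that is not code from the original posts. The class and method names are hypothetical, and it assumes an ASP.NET application on .NET Framework hosted in IIS with Windows Authentication enabled.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (names are assumptions, not from the original posts).
public static class RequestUserLookup
{
    // Returns the directory display name of the caller that IIS authenticated,
    // or null when the request is anonymous or no matching account exists.
    public static string GetDisplayName(HttpContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        IIdentity caller = context.User != null ? context.User.Identity : null;

        // With Anonymous Authentication enabled the name is empty, which matches
        // the empty-valued search filter in the error quoted in the comments.
        // Treat that as "no authenticated user" instead of querying the directory.
        if (caller == null || !caller.IsAuthenticated || string.IsNullOrEmpty(caller.Name))
            return null;

        // Look up the request's user by name rather than via UserPrincipal.Current,
        // which resolves the thread identity (the application pool account
        // when impersonation is off).
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, caller.Name))
        {
            return user != null ? user.DisplayName : null;
        }
    }

    // The worker process identity, e.g. an "IIS APPPOOL\..." account.
    // Useful for diagnostics; it is not the identity of the person making the request.
    public static string GetProcessIdentityName()
    {
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            return process.Name;
        }
    }
}
```

Logging both values side by side on the server shows immediately whether a failure comes from an anonymous request or from the directory query running as the application pool account.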
7

I have seen this exception when running under IIS 7 on Windows 7.

System.Security.Principal.WindowsIdentity.GetCurrent().Name returns "IIS APPPOOL\ASP.NET v4.0".

This is not a real user account, which partly explains what is happening, though IMHO UserPrincipal.Current should handle this situation more gracefully.

I think it's a bug and have created a bug on Connect:

http://connect.microsoft.com/VisualStudio/feedback/details/748790/userprincipal-current-throws-invalidcastexception

As a workaround, use System.Security.Principal.WindowsIdentity.GetCurrent() to get the identity of an IIS AppPool.

Malachi
Joe
3

The issue here is that the UserPrincipal.Current property will try to access the context of the current thread. Without ASP.NET impersonation however, it means that the identity will be the application pool's configured identity. Even with ASP.NET impersonation, it has to access the Active Directory in some way and thus needs to authenticate against the domain controller. If the selected authentication method in IIS doesn't provide for that, a similar error is likely.

In my experience, only "BASIC" authentication and a 100% correctly implemented version of "KERBEROS" will work. Keep in mind that Kerberos is not really compatible with the way application pools and SPNs are handled and is likely to fail. NTLM - which is the fallback for Windows authentication in IIS - will not work due to lack of password on the Server.

A good read about the HTTP/Kerberos problems is: http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx

Roman Gruber