Principal.IsInRole("AD Group Name") always returns false, no exceptions thrown

Question

In a Web API controller I needed to determine the role membership using an AD group that contained members from multiple domains in another forest.

this.RequestContext.Principal.IsInRole(roleName)

returned false and no indication of an error could be found. The code above did work with other AD groups, though. I then modified the code to loop through the group in question and received an exception.

GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, roleName);
if (group != null)
{
    foreach (Principal p in group.GetMembers())
    {
         if (p != null && currentUserPrincipal.UserPrincipalName == p.UserPrincipalName) 
        {
            roles.Add(roleName);
            break;
         }
      }


 }

The specified directory service attribute or value does not exist.

I determined it was the exception was being thrown on a group member from a specific domain. I removed said individual and code executed normally. I added another account form the same domain as the first and the error returned.

Answer 1

Searching for the given error message I found the following SO question and answer. The top answer states.

When omitting the LDAP container property as described in PrincipalContext Class, the user running the code must have read permissions to both the default User Container (i.e. CN=Users,DC=yourDomain,DC=COM) and the Computers Container (i.e. CN=Computers,DC=yourDomain,DC=COM).

Using Active Directory Users and Computers I browsed the AD of the problem domain and could not see any Computers container. I contacted IS and informed them of this and they restored the directory to a good state. At that point this.RequestContext.Principal.IsInRole(roleName) worked as expected and I was able to evaluate role membership.

Edit: OMG! This also fixed an issue with the SharePoint user profile service not syncing user details from members in the same domain. I have been trying for two years to track down the cause of the the user profile error with no success.