UserPrincipal.FindByIdentity Permissions

Someone asked on Stack Overflow:

I’m attempting to use the .NET System.DirectoryServices.AccountManagement library to obtain the UserPrincipal for a particular Active Directory user.

I’ve got the following code:

PrincipalContext context = new PrincipalContext(ContextType.Domain, "DomainName");
userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);

This code is running as a valid domain user, but when I execute it I get the following exception:

System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): Logon failure: unknown user name or bad password.

What’s interesting is that I can make the following call, using the same context, without a problem:

context.ValidateCredentials(username, password, ContextOptions.Negotiate)

Ideas?

I posted the following answer, which was chosen as the accepted answer and received 13 upvotes:

You need to use the PrincipalContext constructor that takes username and password.

The reason that Validate works is because it’s using the provided credentials to bind to the directory.
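
The constructor overload the answer refers to, shown as an added example (not code from the original question or answer). It assumes a dedicated low-privilege lookup account whose credentials come from the hypothetical environment variables AD_BIND_USER and AD_BIND_PASSWORD; "DomainName" is the placeholder from the question.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class DirectoryLookup
{
    // HRESULT for "Logon failure", the code shown in the question's exception.
    const int LogonFailure = unchecked((int)0x8007052E);

    // Binds with an explicit lookup account instead of the current thread's identity.
    public static string FindDisplayName(string domain, string bindUser,
                                         string bindPassword, string samAccountName)
    {
        try
        {
            // Negotiate + Signing + Sealing keeps the bind and the query protected on the wire.
            using (var context = new PrincipalContext(
                ContextType.Domain, domain, null,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
                bindUser, bindPassword))
            using (var user = UserPrincipal.FindByIdentity(
                context, IdentityType.SamAccountName, samAccountName))
            {
                // FindByIdentity returns null when no account matches.
                return user?.DisplayName ?? user?.SamAccountName;
            }
        }
        catch (DirectoryServicesCOMException ex) when (ex.ErrorCode == LogonFailure)
        {
            // The directory rejected the lookup account itself, not the user being searched for.
            throw new UnauthorizedAccessException(
                "Directory bind failed for the lookup account.", ex);
        }
    }

    static void Main(string[] args)
    {
        // Assumption: credentials are injected at deploy time, never hard-coded.
        string bindUser = Environment.GetEnvironmentVariable("AD_BIND_USER");
        string bindPassword = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");

        string name = FindDisplayName("DomainName", bindUser, bindPassword, args[0]);
        Console.WriteLine(name ?? "No matching account.");
    }
}
```

A read-only lookup like this needs no rights beyond what an ordinary authenticated domain account has, so the bind account can stay unprivileged.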

Notable comments

Nate (0 upvotes): As far as I know, that shouldn’t be any different between Windows 2008 and Windows 2003 domains. If you’re only reading data, delegation may not be necessary.

Nate (1 upvote): In Active Directory Users and Computers (on the domain controller) you need to select the Organizational Unit you want to manage and choose “Delegate Control”; in the delegate wizard, put in the credentials that your service is running as.

Nate (0 upvotes): I think you misunderstood, ValidateCredentials uses the credentials provided in the parameter list for ValidateCredentials — the Context you’ve defined has no credentials associated with it besides the ones of the current thread. I suspect your issue is in the configuration/deployment of the server. Make sure the account running the service has been delegated to within the domain.


Originally posted on Stack Overflow — 13 upvotes (accepted answer). Licensed under CC BY-SA.

Thoughts, opinions, and ideas shared here are my own. © 2026 Nate Bross.