7/04/2012

UserPrincipal.Current Throws Error “The specified directory service attribute or value does not exist”

My ASP.NET page (Windows authentication, impersonation) uses UserPrincipal.Current to get information about the active user.

Getting this property executes an LDAP query to Active Directory.

Now, with some browsers, I get the error message “The specified directory service attribute or value does not exist”.

Using Wireshark I figured out that Kerberos authentication did not work between the web server and AD, which is a sign that the browser did not pass a Kerberos ticket in the first place.

I pinned this down to two reasons:

Internet Explorer

In IE the problem was that the site was not in the “Intranet” zone. Adding it to this zone fixed the problem.

Firefox

There are two essential settings:
• network.negotiate-auth.delegation-uris
• network.negotiate-auth.trusted-uris

If you set both to the domain (or full name) of your server, Kerberos authentication will work.
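As an added example (not code from the original post), a small C# helper that inspects the request token before touching UserPrincipal.Current, so the page can tell a missing or non-delegatable Kerberos ticket apart from a genuine AD error. CallerDiagnostics and Describe are hypothetical names; the helper assumes the page passes in Request.LogonUserIdentity.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical diagnostic helper (added example, not part of the original post).
public static class CallerDiagnostics
{
    // Describes how the caller authenticated and whether UserPrincipal.Current
    // can be expected to work. Pass Request.LogonUserIdentity from the page.
    public static string Describe(WindowsIdentity caller)
    {
        if (caller == null || !caller.IsAuthenticated)
            return "anonymous request; Windows authentication is not in effect";

        // "Kerberos" means the browser presented a ticket; "NTLM" means Negotiate
        // fell back, typically because the site is outside IE's Intranet zone or
        // Firefox's negotiate-auth URIs do not cover this server.
        string scheme = caller.AuthenticationType;
        if (!string.Equals(scheme, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return string.Format("{0} logged on via {1}; no Kerberos ticket, the AD lookup will fail",
                                 caller.Name, scheme);

        // Even with Kerberos, the token must be delegatable for the second hop
        // (web server -> domain controller) that UserPrincipal.Current performs.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return string.Format("{0} has a {1}-level token; delegation is not permitted, the AD lookup will fail",
                                 caller.Name, caller.ImpersonationLevel);

        try
        {
            // Run the LDAP query as the caller, exactly as the impersonating page does.
            using (caller.Impersonate())
            {
                UserPrincipal user = UserPrincipal.Current;
                return string.Format("{0} ({1}) resolved via Kerberos delegation",
                                     user.SamAccountName, user.DisplayName);
            }
        }
        catch (PrincipalOperationException ex)
        {
            return "AD query failed: " + ex.Message;
        }
        catch (COMException ex)
        {
            return "AD query failed: " + ex.Message;
        }
    }
}
```

Logging the returned string on each failing request shows at a glance which browser is sending NTLM instead of a Kerberos ticket, without having to capture the traffic.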


I hope this saves someone else the two days that it took me to figure out where the problem was.
