Question

I have seen a few questions that are like mine, but none that actually apply. The problem I am facing is:

I need to get group membership of User with:

  • Group in domain B.
  • User in domain A.
  • Service in domain B.
  • Forest-to-forest two-way trust.

User attaches to service and service gets WindowsIdentity object with SID, name, etc.

In order to get group membership, I am using a UserPrincipal object. In order to get that, you need a PrincipalContext object. The constructor for the PrincipalContext object needs the FQDN of the domain (i.e. A.some.domain.com). The WindowsIdentity object has the NetBIOS domain name in the username (i.e. A\User), but I cannot see a way to get the DNS name.

Here is an example of code that has the DNS name HARD CODED. It works, but I need to take out the hard-coded part.

using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// WindowsIdentity wi is passed into the method
PrincipalContext context = new PrincipalContext(ContextType.Domain, "A.some.domain.com"); // DNS name hard coded here
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.Sid, wi.User.ToString());

I have another solution that uses impersonation, using System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name, but that is not acceptable because impersonation may not be available. I need a solution that will work with TokenImpersonationLevel.Identification.

I have spent several days scouring MSDN and Google (including Stack Overflow) to no avail.


Solution

Does using WindowsIdentity.Groups not work? If DomainA\User is accessing DomainB\Service, the user's token should include the groups from both domains.
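The following is an added example, not code from the question or the answer above, showing how the token-based approach the answer suggests looks in practice. It reads the group SIDs directly from the WindowsIdentity the service already holds, so it needs neither the domain's DNS name nor impersonation, and it performs the authorization check by SID rather than by group name. The class name, method names and the placeholder group SID are assumptions made for the example; the real SID of the group in domain B would be substituted.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example: token-based group membership for a service in domain B
// receiving a caller from domain A across a forest trust.
public static class TokenGroups
{
    // Lists every group SID present in the caller's token, resolved to
    // DOMAIN\Group where the local LSA can map the SID. Groups from both
    // the caller's domain and the service's domain appear here, because
    // the token was built with the trust in place at logon.
    public static IDictionary<SecurityIdentifier, string> ListGroups(WindowsIdentity wi)
    {
        var result = new Dictionary<SecurityIdentifier, string>();
        if (wi.Groups == null)
            return result;

        foreach (IdentityReference ir in wi.Groups)
        {
            var sid = (SecurityIdentifier)ir;
            string name;
            try
            {
                // Name resolution goes through LSA lookups, which may fail
                // for SIDs this machine cannot map; the SID is kept regardless.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = null;
            }
            result[sid] = name;
        }
        return result;
    }

    // Authorization by SID: no directory round trip, works with an
    // Identification-level token, and is not affected by a group rename.
    public static bool IsMemberOf(WindowsIdentity wi, SecurityIdentifier groupSid)
    {
        return new WindowsPrincipal(wi).IsInRole(groupSid);
    }

    // Example use inside the service method that receives the identity.
    public static void Demo(WindowsIdentity wi)
    {
        foreach (var kv in ListGroups(wi))
            Console.WriteLine("{0}  {1}", kv.Key.Value, kv.Value ?? "<unresolved>");

        // Placeholder SID (assumption for the example): replace with the
        // actual SID of the required group in domain B.
        var requiredGroup = new SecurityIdentifier("S-1-5-21-0-0-0-1000");
        Console.WriteLine("Authorized: " + IsMemberOf(wi, requiredGroup));
    }
}
```

Two caveats a practitioner should keep in mind: the token only carries security groups (distribution groups never appear in it), and it reflects membership as it was when the token was built at logon, so a change made in the directory afterwards is not visible until the user authenticates again. If either of those matters, a directory query of the kind in the question is still needed; if the goal is an access decision, comparing against a known group SID as above is the cheaper and more robust check.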

Licensed under: CC-BY-SA with attribution