Hi,
I'm setting up a service to manage AD user accounts via System.DirectoryServices.AccountManagement. The service lives in a different domain (our DMZ) than where the user accounts live (user domain). Pre-4.5, I was able to hit a controller on the user domain from the DMZ using LDAPS (port 636) and all was well. Once 4.5 hit, we ran into issues where calls to UserPrincipal.FindByIdentity and UserPrincipal.GetUnderlyingObject would fail. Stack Overflow has what appears to be a related thread at http://stackoverflow.com/questions/12608971/net-4-5-bug-in-userprincipal-findbyidentity-system-directoryservices-accountma?rq=1.
I have yet to find a comprehensive answer as to what changed with 4.5 (at least one that I can absorb), but I think what .NET 4.5 is doing is hitting DNS to find a list of domain controllers for the user domain, and then subsequently connecting to another domain controller in that list. This seems to happen even if you initially connect to a specific domain controller, for security purposes.
So, my question: How do I manage cross-domain usage of System.DirectoryServices.AccountManagement with my systems and network teams? Is it a matter of setting up a DNS entry for my user network containing domain controllers, and then having network set up port 636 access to those controllers from the DMZ, or is there more to it than that?
If there is a white paper or FAQ about what 4.5 is doing, I will be happy to read through that, I just haven't been able to find it yet.
Thanks!
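One concrete way to work through the "which controllers would be picked, and can the DMZ reach them on 636" question with the network team is to enumerate the domain's DC Locator SRV records from the DMZ host and test TCP 636 against each result. The script below is an added example, not code from the original post or the linked thread; it assumes the user domain is `user.example.com` (placeholder), that the DMZ host resolves that domain's SRV records through its configured DNS, and that `Resolve-DnsName` (DnsClient module, Windows 8 / Server 2012 and later) is available. Anything that shows up as unreachable here is a candidate for the firewall rule, and a missing SRV result means DNS, not the firewall, is the first gap.

```powershell
# Added example (not from the original post): list the domain controllers that
# DC Locator can discover for the user domain via its DNS SRV records, then
# test whether each one accepts a TCP connection on 636 (LDAPS) from this host.
# Placeholder assumptions: domain 'user.example.com'; SRV records resolvable here.

function Test-LdapsReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [int] $Port = 636,
        [int] $TimeoutMs = 3000
    )

    # Well-known DC Locator record for the whole domain:
    #   _ldap._tcp.dc._msdcs.<domain>
    # (Site-specific lookups use _ldap._tcp.<site>._sites.dc._msdcs.<domain>.)
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No SRV records for $srvName ($($_.Exception.Message)); DC Locator cannot discover DCs from this host."
        return @()
    }

    # Same ordering DNS clients use: lowest priority first, higher weight preferred.
    foreach ($rec in ($srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true })) {
        $dc = $rec.NameTarget
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            # Bounded connect so a silently dropped packet does not stall the scan.
            $async = $client.BeginConnect($dc, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if refused or unreachable
                $ok = $true
            }
        } catch {
            $ok = $false
        } finally {
            $client.Close()
        }

        [pscustomobject]@{
            DomainController = $dc
            Priority         = $rec.Priority
            Weight           = $rec.Weight
            Port             = $Port
            Reachable        = $ok
        }
    }
}

# Usage from the DMZ host (placeholder domain):
Test-LdapsReachability -Domain 'user.example.com' | Format-Table -AutoSize
```

A successful TCP connect only shows the path is open; it says nothing about whether the DC's LDAPS certificate chains to a CA the DMZ host trusts, which is a separate failure mode worth checking once the ports are confirmed. Scoping the firewall rule to the hosts this list returns, rather than to the whole user domain, keeps the DMZ-to-internal exposure to the controllers that actually need to be reachable.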