I have found the answer. I record it here in case it helps someone in the future.

While avoiding AD, if you simply want to check if an account exists either locally or in the default domain do this:

using System.Runtime.InteropServices;
using System.Text;

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool LookupAccountName(string systemName, string accountName, byte[] sid, ref uint sidSize,
    StringBuilder domainName, ref uint domainSize, ref int accountType);

uint sidSize = 0;
uint domainSize = 0;
int accountType = 0;
// Pass null buffers with zero sizes: the call always fails, and the error code tells you whether the name resolved.
bool b1 = LookupAccountName(null, user, null, ref sidSize, null, ref domainSize, ref accountType);
int err2 = Marshal.GetLastWin32Error();
if (err2 == 0x007a) { /* ERROR_INSUFFICIENT_BUFFER: the account exists */ }
else if (err2 == 0x0534) { /* ERROR_NONE_MAPPED: account not found */ }
else { /* some other error code */ }

If you want to authenticate an account's credentials then call LogonUser; there are lots of examples.

Greg
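The two calls described above (the LookupAccountName zero-buffer probe for existence, and LogonUser for credential verification) wrapped into one runnable helper. This is an added example, not Greg's code: the class name AccountCheck, the Existence enum and the use of a network logon type are my choices, and the Guest sample name is constructed input. It needs Windows and a .NET version that provides SafeAccessTokenHandle.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Added example: wraps the LookupAccountName buffer-size probe and a LogonUser call.
static class AccountCheck
{
    const int ERROR_INSUFFICIENT_BUFFER = 0x7A;   // 122: name resolved, buffer too small
    const int ERROR_NONE_MAPPED = 0x534;          // 1332: no account by that name

    const int LOGON32_LOGON_NETWORK = 3;          // needs no interactive logon right on the box
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupAccountName(string lpSystemName, string lpAccountName,
        byte[] sid, ref uint cbSid, StringBuilder referencedDomainName,
        ref uint cchReferencedDomainName, out int peUse);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    public enum Existence { Exists, NotFound, Error }

    // Resolve a name ("alice" or "CORP\alice") without allocating room for its SID.
    // Works for local accounts and the machine's default domain, no AD bind required.
    public static Existence Exists(string user, out int win32Error)
    {
        uint sidSize = 0, domainSize = 0;
        // Zero-sized buffers: the call always fails, and the error code carries the answer.
        LookupAccountName(null, user, null, ref sidSize, null, ref domainSize, out _);
        win32Error = Marshal.GetLastWin32Error();
        switch (win32Error)
        {
            case ERROR_INSUFFICIENT_BUFFER: return Existence.Exists;
            case ERROR_NONE_MAPPED: return Existence.NotFound;
            default: return Existence.Error;   // e.g. RPC/DC unreachable: treat as "unknown", not "absent"
        }
    }

    // Verify credentials with a network logon. The token is released immediately:
    // the app only wants a yes/no answer, not to impersonate the user.
    public static bool Authenticate(string user, string domain, string password, out int win32Error)
    {
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                            LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token);
        win32Error = ok ? 0 : Marshal.GetLastWin32Error();
        using (token) { }   // dispose the handle whether or not the logon succeeded
        return ok;
    }

    static void Main(string[] args)
    {
        string user = args.Length > 0 ? args[0] : "Guest";   // constructed sample input
        Existence result = Exists(user, out int err);
        Console.WriteLine($"{user}: {result} (Win32 error {err}: {new Win32Exception(err).Message})");
    }
}
```

Keep the three outcomes distinct in the caller: only ERROR_NONE_MAPPED means "no such account", while any other failure (a domain controller that cannot be contacted, for instance) should surface as an error rather than being treated as a missing user, otherwise a transient outage looks like a bad login.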

On Fri, 24 May 2024 at 09:06, Greg Keogh <gfkeogh@gmail.com> wrote:
TGIF!

I just spiced up an ASP.NET app so that it uses DirectorySearcher.FindOne to either verify a login user account exists or to authenticate. It runs perfectly on my work PC, but when I installed the app in IIS on my test server it died with "The specified domain either does not exist or could not be contacted". I discovered that because my app was running as NETWORK SERVICE, which isn't a domain user, it can't see the Active Directory.

A trap...only domain user accounts can see AD. Asking the customer (a hospital) to create a special account, assign it to the pool and set ACLs is impractical. My lovely new login feature has hit a roadblock and I'm not sure of a workaround or alternative. It's a specialist topic, but I thought I'd ask in here just in case some boffin has suggestions.

Greg Keogh

P.S. I just remembered that about 15 years ago I used a Win32 Interop to call LogonUser for a similar purpose, but it was for local accounts and I'll need to research if it works for domain accounts.