GetDomain does not work in Azure App Service

[mahamr]

Hi Team,
I'm internal MSFT (in CSS, IIS/ASP.NET team), and I believe this call fails in an Azure App Service due to the App Service sandbox not allowing any calls to these ports: 137, 138, 139, and 445. The Forest.GetForest(DirectoryContext) method also fails. The error in both cases is:
System.UnauthorizedAccessException - "Access is denied"
This is reproducible by simply running a console app in an App Service with a DC that is reachable, and running GetDomain/GetForest with a user that is allowed to call the domain like this. LDAP calls work without issue, while these other calls do not.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: b6f2062a-749a-3748-bb7e-577bf8607bc8
• Version Independent ID: 9a328368-d80b-9b98-88ac-48c0a36ef321
• Content: Domain.GetDomain(DirectoryContext) Method (System.DirectoryServices.ActiveDirectory)
• Content Source: xml/System.DirectoryServices.ActiveDirectory/Domain.xml
• Product: dotnet-api
• GitHub Login: @dotnet-bot
• Microsoft Alias: dotnetcontent

[mahamr]

Adding reference for App Service port blockages:
https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox
Restricted Outgoing Ports
Regardless of address, applications cannot connect to anywhere using ports 445, 137, 138, and 139. In other words, even if connecting to a non-private IP address or the address of a virtual network, connections to ports 445, 137, 138, and 139 are not permitted.