PrincipalContext.ValidateCredentials against the local SAM store fails with a PrincipalOperationException after any successful call to ValidateCredentials against the local SAM store

[KaizerT]

Description

In summary, when validating a local user, PrincipalContext.ValidateCredentials throws an exception after a single local user is verified. It doesn't matter if the credentials are correct or not, the exception is thrown. The same code works when validating against an Active Directory.

This is a duplicate of the issue below.
#83269

In the issue it is said to have been broken for version 7.0 and 8.0 and fixed last year. However we are running with 8.0 and are experiencing the same issue.

I've tried downgrading System.DirectoryServices and System.DirectoryServices.AccountManagement to 7.0 and 6.0 with the same issue.

Reproduction Steps

PrincipalContextIssueRepro.zip
Here's a small sample project that duplicates the behavior

Expected behavior

Unlimited amount of local user credentials can be verified

Actual behavior

Exception is thrown after 1 user is successfully verified. After that only that user can be verified. Exception is thrown for other users or when the first user is verified with the wrong password.

Regression?

This is a duplicate issue #83269

Known Workarounds

Workaround is restarting the application (recycle for web apps) but would break right after.

Configuration

.net 8.0.6
Windows 10 Enterprise Build 19045.4651 x64
Windows 11 Pro Build 22621.4037 x64
Vistual Studio Enterprise 2022 17.10.4

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

[ericstj]

@jkoritzinsky can you have a look? It seems that this was fixed by you last year, b039eab

I confirm that fix shipped in 8.0, and was backported to 7.0 in System.DirectoryServices.AccountManagement 7.0.1. The repro is using package version 8.0.0.

[buyaa-n]

@jkoritzinsky looks the finally block that releases the pointer in UnsafeNativeMethods.cs supposed to added to the outer try/catch block as it calls Interop.Activeds.ADsOpenObject in outer block

runtime/src/libraries/System.DirectoryServices/src/Interop/UnsafeNativeMethods.cs

Lines 35 to 50 in a3365e4

	try
	{
	int hr = global::Interop.Activeds.ADsOpenObject(path, userName, password, flags, ref iid, out ppObjectNative);
	try
	{
	ppObject = ppObjectNative != IntPtr.Zero ? Marshal.GetObjectForIUnknown(ppObjectNative) : null!;
	return hr;
	}
	finally
	{
	if (ppObjectNative != IntPtr.Zero)
	{
	Marshal.Release(ppObjectNative);
	}
	}
	}

[ericstj]

@buyaa-n were you able to verify that's the problem here? It seems unusual since the outer try/catch is handling an EntryPointNotFoundException which I would expect to only be hit if there was an issue invoking ADsOpenObject - therefor nothing to release.

I gave the repro a try, first by adapting to a console app, then trying the original winforms application. Validating local user accounts I created for the purpose of repro. I could not reproduce this issue.

@KaizerT - I'm not sure what you're hitting but your repro worked for me. One thing I did notice about your repro code is that you leak the PrincipalContext and UserPrincipal types - but I don't think that should matter here. Here's a screen cap of what I see: Recording-20240916_114150.webm