[Active Directory] "Value cannot be null" when using AD_CheckUserInGroup

Forge Component
Published on 2018-11-14 by Renato Pauleta
13 votes

When using , the system shows the message "Value cannot be null".

What are the values of the parameters of AD_CheckUserInGroup? I used:

username: saec01

GroupAccount: "SAEC"

AlternativeDomain: "."

The group in Active Directory is SAEC (please see attached image)

Attached: screens with the error message and the parameters of AD_CheckUserInGroup.


Why do you have "." on AlternativeDomain instead of nothing?



Thanks for replying. The error happens also when it is empty. What should be that value?


It should be empty, but you need to use AD_SetGlobalDomain before that action.

Why are you using the actions from the extension directly and not from ActiveDirectoryCore?

And when using ActiveDirectoryCore you need to open the entry page and create an ADAccess.



I tried to locate any documentation but none found. Is there any documentation of how to use it?

I am trying to use it as an extension to another app, not as an app by itself. Is it supposed to be used only from the core?

Not that I know, sorry.

Using the core is easier using the action AD_GroupCheckUserExists. You just need to configure it. If you don't have that much experience with it, I recommend this.

But you also can use the extension. But if you want to do this, look inside the core to check how they do it. Check also the action AD_GroupCheckUserExists.

Thanks. Is there any doc or thread explaining how to configure it?

I found it and tried it:

First try: Domain: xxxxxx.com; user and password filled with an active user.

Second try: Domain: xx.xx.xx.xx:389; user and password filled with an active user.

In both cases: Error message: "The server could not be contacted."

I would say that by IP is better.

Can the server where the OutSystems platform is installed reach that IP?

Is the server on the same domain as AD? If not, is that a public IP?

When you say an active user, is that a user that has access to the AD?

Hi Robert,

It's been hard on time to build a proper documentation and I'm sorry for that.

If you're using the latest version of the active directory component, you'll need to configure the AD accesses through the ADConfigurations module.

Steps you need to take:

  1. Go to ADConfigurations on the browser (http://<server>/ADConfigurations)
  2. Create a new AD access
  3. Copy the Token from under the Name in the list
  4. Go to Service Center and change the site property ADToken in the ADConfigurations module
  5. Go back to the ADConfigurations screen and try searching for users in the Users menu
  6. If the search works it means you've configured the Active Directory component correctly

A few ways to check if your connection is working:

  1. Go to the Users module in the browser (http://<server>/Users)
  2. Click on the Configure Authentication link to the right of the users list
  3. Change the authentication method to LDAP or AD and test your configuration by filling the username / password and clicking the Test button on the bottom
  4. If this works, it's the same type of information you'll need to have in the ADConfigurations

The "token" is just a way for you to have multiple active directory connections with the password safely stored in the database (encrypted) without having to show it or use it in site properties or in the code directly.

I forgot to fill the site properties at the site properties. I am testing and the LDAP's users are logging.

I need to read the groups from the AD for the user trying to log in. Do I need to log on the user before checking? The structure came back with no values.

How is the process?

Thanks for the documentation. Superb, clear, simple, effective.


If you want to use Session.Username, yes, the user needs to be logged on to your OutSystems app. Or you need to get the username some other way.

What are you trying to accomplish?

You shouldn't use the token like that. You should create an action on ADConfigurations that returns Site.ADToken.

Best Regards,


Thanks for your suggestion regarding the site token.

I should grant access to the user depending if they are part of a group.  That's the reason to check for the groups.

Sometimes you are using actions from the extension other times from ADConfigurations. Always use from ADConfigurations. Instead of ActiveDirectory.AD_GetUserDetails use ADConfigurations.AD_UserGetDetails.

Btw, when doing print screens the "in use" tab is more helpful.

Hope this helps you,



Thanks for your prompt response.  

ADConfigurations have no actions attached, they reside either at Active Directory or ActiveDirectoryCore or on both of them (please see attached image)  

Do you mean that I have to include ADConfigurations as a module to manage access? 

Sorry for misleading you with the wrong eSpace name. The message should have been this:

Sometimes you are using actions from the extension (ActiveDirectory) other times from ActiveDirectoryCore. Always use ActiveDirectoryCore actions and not the ones from the extension. Instead of ActiveDirectory.AD_GetUserDetails use ActiveDirectoryCore.AD_UserGetDetails.

Thanks for the instructions. I used only from ADConfigurations, but still I cannot get the user groups:

1. AD_GroupCheckerUserExists: shows an error message, what are the parameters required?

2. AD_GroupGetUsers: blank fields.

3. AD_UserGetDetails: This one is filled.

I attached some of the screens with the data. 

Hi Robert,

I've found one of the issues. Getting the users from groups was not working properly, I'll have a new version out today.

I'm still struggling to find the issue with getting the groups from a specific user, I keep getting the error "Information about the domain could not be retrieved (1355).", but this only happens in my AD sandbox, I don't have the problem in production. 

People having this issue typically point to https://social.msdn.microsoft.com/Forums/vstudio/en-US/219c4b4b-b43a-4dbc-9e3c-a1135879c5f9/information-about-the-domain-could-not-be-retrieved-1355?forum=netfxbcl

Sorry for any inconvenience.


Is there any possibility that the component will be fixed?

I've uploaded the fix to the other issue, but for this particular issue it's not clear that it's a problem with the component. As I've mentioned, we also have the issue in our sandbox, but it works ok on our production environment.

Searching Google, some people mention a workaround, but I didn't have the chance to try it yet or to try to find an alternative within the component to make it work.

Tomorrow I'll try to do a bit more digging and give you a more complete response.

I have a doubt: when I checked the dependencies of the project, one of Active Directory was marked as updated. Then, when I checked the component in the forge, it says that I have a "Customized version".

To update, do I need to delete the component and then install the new version?

Typically you don't need to delete, that message is shown when there was a change applied to one of the modules in the component in your environment, something you've decided to change directly in the code.

If you don't require that change you can overwrite with the forge component, but if that change is important then you'll need to use merge to ensure you don't lose your changes.

By the way, I've uploaded a new version which should fix the problem with getting the user groups (it's an alternative to what I was using before). Let me know if it works for you.

To use the AD_GroupCheckerUserExists you'll need to provide the username and the GroupAccount (it can be the group name or DN).

I tested, but the AD_GroupCheckUser is "hanging": very long response time, and it just does not actuate the debugging nor log in the user. I included the test images from the last part.

The LDAP structure is pretty big. Can it be a timeout or memory?

I also tested using "." and "" as Default Domain.

When the default domain is blank, the error message was "The server could not be contacted".


The client does not want to lend us an admin user in the Active Directory, thus we cannot test if we can read the users for each group. Thus, in the case of the application, we will use an alternative solution for access and roles.

Appreciate your help.  

Thanks. Excellent support.