Sunday, December 6, 2015

DirectoryServices.AccountManagement Surprise: FindByIdentity Can Throw

The convenient, high-level feel of .NET's System.DirectoryServices.AccountManagement classes would make one think that they shield you from the internals of LDAP. That does not appear to be the case. Passing a string with unusual characters as a username to the FindByIdentity function on a principal class results in a DirectoryServices exception. (I used non-printing ASCII, accidentally.) The message contains an LDAP query, indicating that special characters are not always escaped correctly.
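A defensive wrapper for the lookup described above, as an added example that is not from the original post. It assumes the identity is a user sAMAccountName; `SafeLookup`, `IsPlausibleSamAccountName` and `TryFindUser` are hypothetical names, and the caught exception types are an assumption, since the post does not name the one it saw.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Runtime.InteropServices;

static class SafeLookup
{
    // Characters Active Directory does not allow in a sAMAccountName.
    private const string Forbidden = "\"/\\[]:;|=,+*?<>";
    // Assumption: user logon names only, which are limited to 20 characters.
    private const int MaxLength = 20;

    // Pure check, needs no domain: rejects control characters and anything
    // that could never be a valid account name before it reaches the directory.
    public static bool IsPlausibleSamAccountName(string name)
    {
        if (string.IsNullOrWhiteSpace(name) || name.Length > MaxLength) return false;
        return !name.Any(c => char.IsControl(c) || Forbidden.IndexOf(c) >= 0);
    }

    // Returns null for rejected input, for "not found", and for directory errors.
    public static UserPrincipal TryFindUser(PrincipalContext ctx, string name)
    {
        if (!IsPlausibleSamAccountName(name)) return null;
        try
        {
            return UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, name);
        }
        catch (Exception ex) when (ex is PrincipalException || ex is COMException)
        {
            // Log the type only: the message can embed the LDAP query,
            // and with it the caller-supplied string.
            Console.Error.WriteLine("Directory lookup failed: " + ex.GetType().Name);
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample inputs; the second contains a non-printing character.
        string[] samples = { "jsmith", "jsm\u0001ith", "a*)(cn=*", "" };
        foreach (var s in samples)
            Console.WriteLine("length {0}: plausible = {1}", s.Length, IsPlausibleSamAccountName(s));
    }
}
```

`Main` exercises only the validation step, so it runs without a domain controller; `TryFindUser` needs a `PrincipalContext` for a reachable domain and a reference to the System.DirectoryServices.AccountManagement assembly.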
