[英]ASP.NET MVC Active Directory code to retrieve all users stops working when deployed to IIS 7
I have an intranet ASP.NET MVC3 web application that is using Windows authentication with .NET Framework 4. All my code is working as far as authenticating the users. 我有一个内部网ASP.NET MVC3 Web应用程序,它使用.NET Framework 4进行身份验证。我的所有代码都在验证用户身份。 I am using Windows Authentication for the baseline authentication, and then link the Active Directory user to a user in a table in SQL Server 2008 for additional user properties specific to my application.
我使用Windows身份验证进行基线身份验证,然后将Active Directory用户链接到SQL Server 2008中的表中的用户,以获取特定于我的应用程序的其他用户属性。 All of that is working fine.
所有这一切都很好。
There is a section of the site where admins can select Active Directory users to add to the SQL user table (see above) and put in their site specific properties (IsAdmin, ShoeSize, etc.). 该站点的一部分管理员可以选择Active Directory用户添加到SQL用户表(见上文)并放入他们的站点特定属性(IsAdmin,ShoeSize等)。 On this screen, there is a drop down list that I populate to retrieve all Active Directory from a custom object I created that just holds the username and full name properties of the Active Directory user.
在此屏幕上,有一个下拉列表,我填充该列表以从我创建的自定义对象中检索所有Active Directory,该对象仅保存Active Directory用户的用户名和全名属性。 Here is this code for that:
这是这个代码:
public IQueryable<ActiveDirectoryUser> ActiveDirectoryUsers
{
get
{
// get list of users in the Active Directory
DirectoryEntry dirEntry = new DirectoryEntry("WinNT://" + Environment.UserDomainName);
List<DirectoryEntry> activeDirectoryUsers = dirEntry.Children.Cast<DirectoryEntry>()
.Where(c => c.SchemaClassName == "User").ToList();
// populate a custom class I have to hold the active directory user's username and full name property values
return activeDirectoryUsers
.Where(u => !string.IsNullOrEmpty(u.Properties["FullName"].Value.ToString()))
.Select(u => new ActiveDirectoryUser()
{
NetworkId = String.Format(@"{0}\{1}", Environment.UserDomainName, u.Properties["Name"].Value),
FullName = u.Properties["FullName"].Value.ToString()
}).AsQueryable();
}
}
For some reason, this code returns no results when the web application is deployed to IIS 7. However, this works perfectly when running the site from IIS Express in Visual Studio. 出于某种原因,当Web应用程序部署到IIS 7时,此代码不会返回任何结果。但是,这在Visual Studio中从IIS Express运行站点时非常有效。 Any ideas of why this would be happening?
有关为什么会发生这种情况的任何想法? I have been looking for IIS settings as the culprit, but have not found anything helpful.
我一直在寻找IIS设置作为罪魁祸首,但没有找到任何有用的东西。 Do I need to change the way I am retrieving the Active Directory users?
我是否需要更改检索Active Directory用户的方式? Thank you!
谢谢!
This issue ended up being a combination of Eric J. answer, and a change to my code for getting the Active Directory entries. 这个问题最终是Eric J.回答的组合,以及我获取Active Directory条目的代码的更改。 I found that the DirectoryEntry method can be overloaded to take a username and password to use for the permissions (eg you don't have to rely on whatever account IIS is running under. Here is the code:
我发现DirectoryEntry方法可以重载以获取用于权限的用户名和密码(例如,您不必依赖于IIS运行的任何帐户。这是代码:
List<SearchResult> searchResults;
// use login account to access active directory (otherwise it will use the IIS user account, which does not have permissions)
using (DirectoryEntry root = new DirectoryEntry("LDAP://CN=Users,DC=test,DC=example,DC=com", "usernameCredential", "passwordCredential"))
using (DirectorySearcher searcher = new DirectorySearcher(root, "(&(objectCategory=person)(objectClass=user))"))
using (SearchResultCollection results = searcher.FindAll())
{
searchResults = results.Cast<SearchResult>().ToList();
}
// get the active directory users name and username
return searchResults
.Select(u => new ActiveDirectoryUser()
{
NetworkId = String.Format(@"{0}\{1}", this._domainName, u.Properties["sAMAccountName"][0]),
FullName = (string) u.Properties["cn"][0]
}).AsQueryable();
This allowed me to get the Active Directory entries, but only those are Users and person objects. 这允许我获取Active Directory条目,但只有那些是用户和个人对象。 Then I used LINQ to map it to my custom model.
然后我用LINQ将它映射到我的自定义模型。
When running in IIS Express under Visual Studio you have a much higher permission set than running in the default security context of IIS 7. 在Visual Studio下的IIS Express中运行时,您拥有的权限集比在IIS 7的默认安全上下文中运行的权限集要高得多。
You will have to understand exactly which permissions are needed to query Active Directory in this way and ensure that the application pool your app runs in under IIS 7 has that right. 您必须准确了解以这种方式查询Active Directory所需的权限,并确保您的应用程序在IIS 7下运行的应用程序池具有此权限。 Be careful to grant only the permissions needed for this operation, and make sure you review the implications of granting those rights carefully before proceeding.
请务必仅授予此操作所需的权限,并确保在继续操作之前仔细检查授予这些权限的含义。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.