
DirectorySearcher/LDAP lookup fails from IIS deployment environment, works from console on same machine

We have some code executing in an ASP.NET MVC 4 application. The application is hosted in IIS on Windows Server 2012. The identity of the app pool is not standard, but rather a specific user, e.g. the iis-appPool-username noted below. The application is running in .NET 4.0 with Integrated Mode set for the Managed Pipeline.

  • I've tried it both with and without specifying the username in the DirectoryEntry object.
  • I can run a console app that does the same thing, as the very same user (command.exe run as the same user, that is) on the same machine, and it works.
  • It should be noted that the console app did not work until I manually specified the LDAP path and AuthenticationTypes.ReadonlyServer, as it is hitting a read-only domain controller. It was giving me the same error for the console app until I specified the LDAP path and Readonly type. However, while the console app works now, the IIS app does not.

The code is below.

using System.DirectoryServices;

// also tried: var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com");
// Bind with explicit credentials (the app-pool account) to the domain's default naming context.
var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com", @"domain\iis-appPool-username", "password");
// Required here because the only reachable DC is a read-only domain controller.
searchRoot.AuthenticationType = AuthenticationTypes.ReadonlyServer;

using (var searcher = new DirectorySearcher(searchRoot)) // searchRoot is the explicit search root
{
    searcher.Filter = string.Format("(&(objectClass=group)(sAMAccountName={0}))", "someGroupName");
    searcher.PropertiesToLoad.Add("distinguishedName");

    // This is where the failure happens (the bind is deferred until the first search)
    var result = searcher.FindOne();
}

The error with stack trace looks like this:

System.Runtime.InteropServices.COMException (0x8007054B): 
The specified domain either does not exist or could not be contacted.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.DirectorySearcher.get_SearchRoot()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()

EDIT: Also, it is the very same error if I explicitly use the wrong username and password. From my local machine, if I use the wrong username and password, I get an auth error. However, from IIS, with the wrong username and password, it doesn't even get that far.

EDIT: I specified in the web.config to run with full trust:

<securityPolicy>
    <trustLevel name="Full" policyFile="internal"/>
</securityPolicy>

And we also gave the user admin privileges on the box. Continue to get the same error: System.Runtime.InteropServices.COMException: The specified domain either does not exist or could not be contacted.

UPDATE: So, this ended up being a combination of 2 problems.

1) As @Hans noted below, I was originally missing the DirectoryEntry parameter to DirectorySearcher. In my quest to try different possibilities and combinations, I managed to miss that change when I had a working console application and was updating the application code to reflect it.

2) When I added the parameter to DirectorySearcher, I was still getting the error. The message was identical, and the stack trace was almost identical. There was 1 line different in the middle of the stack trace - a secondary call to another method that needed the DirectoryEntry argument to use in its own DirectorySearcher. I had been looking at the problem for so long that my eyes were only seeing the same error message and what appeared to be the same stack trace, when in fact it was a new one. Passing my DirectoryEntry object to those calls fixed that problem.

The ultimate solution did not require that I have a server identifier in the path (but your mileage may vary on that if your environment cannot resolve the domain controller without it).

You have to specify the search root for the DirectorySearcher class in order to connect to the Active Directory domain controller. You will get a COM Exception (0x8007054B) if you do not specify a search root for the DirectorySearcher class.

Try the following lines of code instead:

using System.DirectoryServices;

var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com", @"domain\iis-appPool-username", "password");
searchRoot.AuthenticationType = AuthenticationTypes.ReadonlyServer; // reachable DC is an RODC

using (var searcher = new DirectorySearcher(searchRoot)) // Specify the search root here
{
  searcher.Filter = string.Format("(&(objectClass=group)(sAMAccountName={0}))", "someGroupName");
  searcher.PropertiesToLoad.Add("distinguishedName");

  var result = searcher.FindOne(); // binds searchRoot and runs the query
}
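The following is an added example, not code from the question or the answer above. It pulls the three threads on this page together: the search root is passed explicitly to every helper that searches (the question's update found a second, parameterless DirectorySearcher hidden in a called method), the bind keeps AuthenticationTypes.ReadonlyServer for the RODC, and the COMException HRESULTs seen here are decoded so that "no DC could be located" (0x8007054B, ERROR_NO_SUCH_DOMAIN, which is why wrong credentials from IIS produced the same message) is not confused with a rejected logon. It also escapes the group name before it is interpolated into the LDAP filter, since the page's string.Format pattern is injectable if the name ever comes from a request. Assumptions, labelled in the code: the app-pool identity is used for the bind instead of an embedded password (AuthenticationTypes.Secure with null credentials), and "ldap.subdom.ourdomain.com" is a placeholder server name; the DN and "someGroupName" are the page's own.

```csharp
// Added example, not from the original question or answer.
// Assumptions: the app-pool identity has directory read access (so no password is
// embedded, unlike the page's DirectoryEntry(path, user, password) call); the only
// reachable DC is an RODC; "ldap.subdom.ourdomain.com" is a placeholder server name.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

static class GroupLookup
{
    // RFC 4515 escaping for a value placed inside an LDAP filter. Without it a
    // caller-controlled name such as "*)(objectClass=*" rewrites the whole filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Build the search root once. Secure = Kerberos/NTLM bind as the process identity
    // (null username/password), so no credential lives in source or web.config.
    // ReadonlyServer is required when the reachable DC is an RODC. Naming the server
    // is optional; keep it only if the bare domain DN does not resolve from the box.
    public static DirectoryEntry OpenSearchRoot(string server = null)
    {
        string path = server == null
            ? "LDAP://DC=subdom,DC=ourdomain,DC=com"
            : "LDAP://" + server + "/DC=subdom,DC=ourdomain,DC=com";
        return new DirectoryEntry(path, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.ReadonlyServer);
    }

    // Every helper that searches takes the root as a parameter. A parameterless
    // new DirectorySearcher() picks its own default root from the process identity,
    // which is the hidden second searcher the question's update describes.
    public static string FindGroupDn(DirectoryEntry root, string sAMAccountName)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=group)(sAMAccountName="
                              + EscapeFilterValue(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            return result?.Properties["distinguishedName"][0] as string;
        }
    }

    // Map the HRESULTs that appear on this page to their Win32 meaning, so a DC
    // locator failure is not mistaken for bad credentials (or the reverse).
    public static string DescribeBindFailure(COMException ex)
    {
        switch (unchecked((uint)ex.ErrorCode))
        {
            case 0x8007054B:
                return "ERROR_NO_SUCH_DOMAIN: no DC was located for the path; fix the LDAP path / DNS / site before touching credentials";
            case 0x8007052E:
                return "ERROR_LOGON_FAILURE: a DC answered and rejected the credentials";
            case 0x80072030:
                return "ERROR_DS_NO_SUCH_OBJECT: bound, but the search root DN does not exist";
            default:
                return "unclassified HRESULT 0x" + ex.ErrorCode.ToString("X8") + ": " + ex.Message;
        }
    }

    public static void Main()
    {
        try
        {
            // Pass null for the bare domain DN, or "ldap.subdom.ourdomain.com" (placeholder).
            using (DirectoryEntry root = OpenSearchRoot())
            {
                Console.WriteLine(FindGroupDn(root, "someGroupName") ?? "(group not found)");
            }
        }
        catch (COMException ex)
        {
            Console.WriteLine(DescribeBindFailure(ex));
        }
    }
}
```

Run it as the app-pool account (for example from a console started with runas) and again from the IIS process; if the console binds and IIS reports ERROR_NO_SUCH_DOMAIN, the difference is in how the worker process locates a DC for that path (DNS, site, or a missing server in the path), not in the credentials, which matches the observation that wrong credentials from IIS produced the same error.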

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM