在ASP.NET中访问Active Directory?
[英]Accessing Active Directory in ASP.NET?
问题描述
I use a console application to write some test code: 
我使用控制台应用程序编写一些测试代码:
/// <summary>
/// Returns AD information for a specified userID.
/// </summary>
/// <param name="ntID"></param>
/// <returns></returns>
public ADUser GetUser(string ntID)
{
DirectorySearcher search = new DirectorySearcher();
search.Filter = String.Format("(cn={0})", ntID);
search.PropertiesToLoad.Add("mail");
search.PropertiesToLoad.Add("givenName");
search.PropertiesToLoad.Add("sn");
search.PropertiesToLoad.Add("displayName");
search.PropertiesToLoad.Add("userPrincipalName");
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
return new ADUser(result);
}
And this worked fine from the console app. 这在控制台应用程序中运行良好。 However, when I moved it to an ASP.NET application, I received an error message about not knowing the correct domain. 但是,当我将其移动到ASP.NET应用程序时,我收到一条错误消息,指出不知道正确的域。
Is there a trick I am missing for accessing AD when running on the ASPNET account? 在ASPNET帐户上运行时,是否存在访问AD的技巧?
EDIT : Passing just a LDAP://domain connection string isn't enough, as it wants an actual login/password. 编辑 :只传递LDAP://域连接字符串是不够的,因为它需要一个实际的登录/密码。 Because this runs on a local account on a machine, I'm not sure what AD L/P to use. 因为它运行在计算机上的本地帐户上,所以我不确定要使用哪个AD L / P. Can I delegate the accessing users account to this somehow? 我可以以某种方式将访问用户帐户委托给它吗?
EDIT #2 : When trying to use identity impersonation, I get a DirectoryServicesCOMException with: 编辑#2 :当尝试使用身份模拟时,我得到一个DirectoryServicesCOMException:
The authentication mechanism is unknown. 身份验证机制未知。
5 个解决方案
解决方案1
1 2008-12-08 19:47:22
Yes. 是。 You need to give it a directory connection string. 你需要给它一个目录连接字符串。 A console app (running as you) runs with your credentials, including directory access. 控制台应用程序(以您的身份运行)使用您的凭据运行,包括目录访问。 An ASP.NET app runs with the ASPNET user's credentials, which are local to the system the app is running on, not directory-global. ASP.NET应用程序使用ASPNET用户的凭据运行,这些凭据是运行应用程序的系统的本地凭据,而不是目录全局的凭据。
解决方案2
1 2008-12-08 19:51:13
Alternatively you could specify identity impersonate=true in the web.config and the request to Active directory will be sent as the calling user instead of Machine\\ASPNET 或者,您可以在web.config中指定identity impersonate = true,并且对Active Directory的请求将作为调用用户而不是Machine \\ ASPNET发送
Edit: If you are getting the authentication error see PIPTHEGEEK's post you will have to trust your web server for delegation, however be careful with trusting for delegation (since it opens another can of worms for security types). 编辑:如果您收到身份验证错误,请参阅PIPTHEGEEK的帖子,您将不得不信任您的Web服务器以进行委派,但请注意信任委派(因为它会为安全类型打开另一个蠕虫病毒)。 You have to allow the web server to pass the credentials of the current user to AD. 您必须允许Web服务器将当前用户的凭据传递给AD。
If possible, go to AD properties for the computer, select the delegation tab, and select "Trust this computer for delegation to any service (Kerberos Only) 如果可能,请转到计算机的AD属性,选择委派选项卡,然后选择“信任此计算机以委派任何服务(仅限Kerberos)
See if that works. 看看是否有效。 If it does, you can further fine grain the permissions by using the third option which states 如果是这样,您可以使用指出的第三个选项进一步细化权限
"Trust this computer for delegation to specified services only" “相信这台计算机只能委托给指定的服务”
Then select "Use Kerberos Only" 然后选择“仅使用Kerberos”
and in the "services to which this account can present delegated credentials", add the relevant service information. 并在“此帐户可以向其提供委派凭据的服务”中,添加相关的服务信息。
解决方案3
1 2008-12-08 19:57:35
If its an intranet application that uses windows authentication, then you can wrap your AD call in a impersonation-context of the user. 如果它是使用Windows身份验证的Intranet应用程序,则可以将AD调用包装在用户的模拟上下文中。
Something like: 就像是:
using (((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate())
{
// Do your AD stuff here
}
解决方案4
1 2008-12-08 19:58:20
The easiest way around this is to make your web application pool run as a domain account that has the required access. 最简单的方法是使您的Web应用程序池作为具有所需访问权限的域帐户运行。 This avoids you having to manage the secure storing of a password. 这可以避免您必须管理密码的安全存储。 Don't forget to make the account a member of the IIS_WPG local group. 不要忘记使该帐户成为IIS_WPG本地组的成员。 If you do decide to use impersonation you will have to configure Kerberos delegation as well as changing the ASP.NET configuration to impersonate. 如果您决定使用模拟,则必须配置Kerberos委派以及将ASP.NET配置更改为模拟。 This will involve making the application pool run as a domain account, granting that domain account permission to delegate credentials (the delegation tab of the account properties in the AD users and computers MMC). 这将涉及使应用程序池作为域帐户运行,授予该域帐户对委派凭据的权限(AD用户和计算机MMC中帐户属性的委派选项卡)。 Then ensuring that the website is set to use negoiate in the metabase (this is the default on IIS6, not sure about other versions) and registering an SPN for the new domain account. 然后确保将网站设置为在元数据库中使用negoiate(这是IIS6上的默认设置,不确定其他版本)并为新域帐户注册SPN。
Edit: Your 'Unknown authentication' error sounds like mis-configured delegation. 编辑:您的“未知身份验证”错误听起来像是错误配置的委派。 Check that the account your app pool is running as is trusted for delegation, that IIS is set to use ONLY windows authentication and that a valid SPN is registered for the app pool identity account. 检查您的应用程序池正在运行的帐户是否受委托信任,该IIS设置为仅使用Windows身份验证,并且为应用程序池标识帐户注册了有效的SPN。
解决方案5
1 2011-06-27 12:33:48
您也可以尝试在登录中包含域名
adSharepointUsers = new DirectoryEntry("LDAP://MyDomain","MyDomain/ADUser","password");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.