使用两个不同的域进行验证

Question

I am currently working on a validation step for a new project.我目前正在为一个新项目进行验证步骤。 All the code is working except for this part (as described below).除了这部分（如下所述）之外，所有代码都在工作。 I am trying to check is a user (domain1) is in a group of domain2.我正在尝试检查用户（域 1）是否在域 2 的组中。 Everything I am trying is returning a null for the user, and I am not sure why.我正在尝试的一切都是为用户返回一个空值，我不知道为什么。

Here is the function that I am using.这是我正在使用的功能。

public void runTask(string serverName, string taskName)
        {
            PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain);
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, loginWindow.getUsername());
            GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, ADGroup);


            if (user.IsMemberOf(group))
            {
                using (TaskService tasksrv = new TaskService(serverName, loginWindow.getUsername(), domain, loginWindow.getPassword()))
                {
                    Microsoft.Win32.TaskScheduler.Task task = tasksrv.FindTask(taskName);
                    if (!task.IsActive)
                    {
                        if (task.Enabled == true)
                        {
                            //task.Run();
                        }
                        else
                        {
                            log.LogMessage("Task was disabled. Enabling...");
                            task.Enabled = true;
                            //task.Run();
                        }
                    }
                    else
                    {
                        // send email
                        string body = "User: " + loginWindow.getUsername().ToUpper() + "<br/><br/>" + "Server: " + serverName + "<br/><br/>" + task.Name + " is already running.";

                        // send email confirmation
                        email = new Email(false);
                        email.SendMail(toEmail, fromEmail, serverName + subject, body);

                    }
                }
            }
        }

When I set domain = where the username exists it returns a value but does not find the ADGroup.当我在用户名存在的地方设置 domain = 时，它返回一个值但找不到 ADGroup。 When I switch it to the domain of the ADGroup, the user is null.当我切换到ADGroup的域时，用户为空。

loginWindow is a simple class that validates the users credentials. loginWindow 是一个简单的类，用于验证用户凭据。 Task is the windows task that I am trying to run.任务是我试图运行的 Windows 任务。

Any thoughts or tips would be helpful because right now I am at a loss.任何想法或提示都会有所帮助，因为现在我不知所措。

Thanks!谢谢！

Answer 1

Well, from the code it looks like you're using the same domain-scoped PrincipalContext object to look up both the user and the group and since they are actually in different domains then at least each lookup should be performed using its own context:好吧，从代码看来，您正在使用相同的域范围PrincipalContext对象来查找用户和组，并且由于它们实际上位于不同的域中，因此至少应该使用自己的上下文执行每个查找：

        PrincipalContext userCtx = new PrincipalContext(ContextType.Domain, domain1);
        UserPrincipal user = UserPrincipal.FindByIdentity(userCtx, loginWindow.getUsername());

        PrincipalContext groupCtx = new PrincipalContext(ContextType.Domain, domain2);
        GroupPrincipal group = GroupPrincipal.FindByIdentity(groupCtx, ADGroup);

This should give you non-null results for both user and group .这应该为您提供user和group 的非空结果。 I'm not sure, though, if user.IsMemberOf(group) would work.不过，我不确定user.IsMemberOf(group)是否会起作用。 Active Directory uses foreignSecurityPrincipal records to keep records of cross-domain group membership and it's only using the members attribute of the group for that. Active Directory 使用foreignSecurityPrincipal记录来保存跨域组成员身份的记录，并且它仅使用组的成员属性。 The user record does not get a matching memberOf record.用户记录未获得匹配的memberOf记录。 See my answer here for details.有关详细信息，请参阅我的答案here 。

使用两个不同的域进行验证

问题描述

1 个解决方案

解决方案1
1 已采纳 2015-11-10 03:24:21

使用两个不同的域进行验证

问题描述

1 个解决方案

解决方案1 1 已采纳 2015-11-10 03:24:21

解决方案1
1 已采纳 2015-11-10 03:24:21