[英]PrincipalContext.ValidateCredentials fails for some users?
I have the following code :我有以下代码:
public void AuthenticateActiveDirectoryAccount(string username, string password)
{
PrincipalContext context;
var envSettings = _settingsService.GetGlobalSetting<EnvironmentSettings>().Props;
string ADServer = envSettings.ActiveDirectory.ServerURI;
string ADUserName = envSettings.ActiveDirectory.Username;
string ADUserPassword = envSettings.ActiveDirectory.Password;
string account = null;
account = username.ToLower();
if (ADUserName.Length > 0)
context = new PrincipalContext(ContextType.Domain, ADServer, ADUserName, ADUserPassword);
else
context = new PrincipalContext(ContextType.Domain, ADServer);
using (context)
{
if (!context.ValidateCredentials(account, password))
{
throw new Exception();
}
}
}
This works great for most users but some get the following exception :这对大多数用户都很有效,但有些用户会遇到以下异常:
The server does not handle directory requests : System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)\\r\\n vid System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)\\r\\n vid System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)服务器不处理目录请求:System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)\\r\\n vid System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator。 BindLdap(NetworkCredential creds, ContextOptions contextOptions)\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)\\r\\n vid System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
First I thought that failing users do not have permission to call the AD but Im sure that the AdServer, AdUserName and AdUserPassword is set with the global AD account that should have access.首先,我认为失败的用户没有调用 AD 的权限,但我确定 AdServer、AdUserName 和 AdUserPassword 设置为应该具有访问权限的全局 AD 帐户。
Why do some users get this exception?为什么有些用户会收到此异常?
Changing the ValidateCredentials to this solves the problem :将 ValidateCredentials 更改为此可以解决问题:
context.ValidateCredentials(account, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing)
It is however probably still a question of security of the Active Directory account.然而,这可能仍然是 Active Directory 帐户的安全问题。
如果没有域但工作组,它将与
context.ValidateCredentials(account, password, ContextOptions.Negotiate)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.