Active Directory authentication issue after reconnect - C#

adding more info on @serialhobbyist's request

hi all. we're (= me and my colleagues) using PrincipalContext from System.DirectoryServices.AccountManagement to retrieve some authentication info (make sure a user belongs to a group etc).

Important: our client is a service running as LocalSystem. this does not happen when we run in a normal process or when we change the service to run as a specific user

here's a code sample:

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
{
    Principal p = Principal.FindByIdentity(ctx, IdentityType.Sid, sid);
    // ...
}

normally all works well (getting replies). once in a few hours (the trigger is not clear), or after a network disconnect and reconnect, (when our AD client disconnects, via network cable disconnect or VM adapter disable etc) we're getting this exception:

System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

searched for the exception (0x80072020), I see it translates to LDAP_OPERATIONS_ERROR (actually used as a code value translation example here :) ). we inspected the traffic using Wireshark and the exception is thrown before any LDAP query is sent.
after re-starting our process everything is back to normal (can validate successfully, no exceptions). can anybody shed light on the matter? any ideas how to achieve the equivalent of the cleanups done on process termination? thanks!

update: we've found a way around this, will supply answer below. however, we'd rather find a simpler solution.

we've found a workaround here on MSDN, by querying LDAP directly using the DirectoryEntry + DirectorySearcher objects. this requires some rather nasty parsing (considering this isn't our main speciality) instead of working via existing objects. using this approach however the condition described above isn't encountered. as mentioned above, we would appreciate a better solution using the existing objects.
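
The DirectoryEntry + DirectorySearcher approach described in the post, as an added example (not the poster's code and not taken from MSDN): a SID lookup combined with a group-membership test done in a single LDAP filter, so no memberOf values have to be parsed on the client. The names AdGroupCheck, IsUserInGroup and groupDn are hypothetical, and resolving nested groups server-side with the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN is an assumption that goes beyond what the post describes.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example; AdGroupCheck, IsUserInGroup and groupDn are hypothetical names.
static class AdGroupCheck
{
    // objectSid is a binary attribute: encode every byte as \XX for the filter.
    static string SidToFilter(string sidString)
    {
        var sid = new SecurityIdentifier(sidString);   // throws on a malformed SID
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        var sb = new StringBuilder(raw.Length * 3);
        foreach (byte b in raw) sb.Append('\\').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // RFC 4515 escaping so a DN containing ( ) * \ or NUL cannot alter the filter.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("X2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // True if the account with this SID is a direct or nested member of groupDn.
    // The primary group is not stored in memberOf, so it is not matched here.
    public static bool IsUserInGroup(string domain, string sid, string groupDn)
    {
        using (var root = new DirectoryEntry("LDAP://" + domain))
        using (var searcher = new DirectorySearcher(root))
        {
            // 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (AD-specific)
            searcher.Filter = "(&(objectSid=" + SidToFilter(sid) + ")" +
                "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(groupDn) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;
        }
    }
}
```

Because no credentials are passed to DirectoryEntry, the bind uses the security context of the calling process, which for a LocalSystem service is the computer account.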
