Read user authorization groups from Active Directory

In our system we are reading user security groups from an Active Directory in two slightly different ways. In one case the list of groups returned by the AD is missing the domain local groups. The response from GetAuthorizationGroups() is dependent on the PrincipalContext used. In the failing scenario GetAuthorizationGroups() will only return global groups. The result is missing all domain local groups from the AD. Can anyone please explain why?

Failing solution:

using System.DirectoryServices.AccountManagement;

// Context bound as the identity of the running process (no explicit credentials)
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net");

var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");

PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the process is executed by "UserA". "UserA" is a member of the domain "our.domain.net". "UserA" is the very same user as the specifically identified user in the working solution. The PrincipalContext should therefore be identical to the PrincipalContext in the working solution. The response from GetAuthorizationGroups() in this solution misses domain local groups from the AD.

Working solution:

using System.DirectoryServices.AccountManagement;

// Context bound with explicit credentials for UserA
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net", "UserA", "PasswordA");

var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");

PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the calling user is identified specifically by user name and password when creating the PrincipalContext. In this case the AD returns all the groups that the user is a member of. This is the behavior I would like to see from the failing solution as well. In some cases I do not have the password of UserA, and for that reason the working solution is not an option.

Please help me understand why the failing solution does not return all the groups that the user is a member of.

"It misses domain local groups from the AD" because you are probably iterating the resulting groups with a foreach loop and you are getting a NoMatchingPrincipalException for one of the groups that the user doesn't have read access to, and at that point it stops iterating, failing to get the rest of the groups.

As a solution you may use the following iterator (the code behind the foreach structure) to get all the rest of the groups:

using System.DirectoryServices.AccountManagement;

// Walk the result by hand so one unresolvable entry does not abort the loop.
var enumerator = groups.GetEnumerator();
while (enumerator.MoveNext())
{
    try
    {
        // Reading Current is where the entry is resolved to a Principal, so this
        // is the call that can throw for a group the caller cannot read.
        var e = enumerator.Current;
        listView1.Items.Add(e.Name);   // listView1: a WinForms ListView in the answerer's app
    }
    catch (NoMatchingPrincipalException)
    {
        // Skip this entry and continue with the next one.
    }
}

We finally found the problem. It turned out not to be a coding problem at all. The strange behaviour was caused by an erroneous Domain Level in the Active Directory.

Domain Level had to be set to "2003 functional level".

Now it all works as expected.
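The following is an added diagnostic, not code from the question or either answer. It ties the three threads above together: it builds the PrincipalContext either as the process identity (the "failing" form) or with explicit credentials (the "working" form), enumerates GetAuthorizationGroups() with the NoMatchingPrincipalException guard from the first answer, tallies the groups by GroupScope so that missing domain local groups show up as a zero "Local" count rather than a vague "some groups are missing", and prints the domain functional level that the final answer ended up changing. It assumes a domain-joined Windows host with references to System.DirectoryServices.AccountManagement and System.DirectoryServices; "our.domain.net", "userB" and the argument handling are placeholders, and the claim that well-known-SID principals throw InvalidOperationException on GroupScope is an assumption about the library rather than something the thread states.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.ActiveDirectory;

// Added diagnostic (not code from the original post). Assumes a domain-joined Windows
// host and placeholder names that you replace with your own.
static class AuthzGroupDiagnostic
{
    // Enumerate GetAuthorizationGroups() without letting one unresolvable entry abort the
    // listing. Reading Current is where an entry is resolved to a Principal, so that is what
    // the try/catch guards; MoveNext() then continues with the next entry.
    public static List<GroupPrincipal> ReadAuthorizationGroups(UserPrincipal user, out int unresolved)
    {
        var result = new List<GroupPrincipal>();
        unresolved = 0;
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        using (IEnumerator<Principal> e = groups.GetEnumerator())
        {
            while (e.MoveNext())
            {
                try
                {
                    var g = e.Current as GroupPrincipal;
                    if (g != null) result.Add(g);
                }
                catch (NoMatchingPrincipalException)
                {
                    unresolved++;   // an entry the caller cannot resolve or read; skip it, keep going
                }
            }
        }
        return result;
    }

    // Tally the groups by scope. A zero "Local" count next to a non-zero "Global" count is
    // the symptom from the question: the domain local groups are absent from the result.
    public static Dictionary<string, int> CountByScope(IEnumerable<GroupPrincipal> groups)
    {
        var counts = new Dictionary<string, int>();
        foreach (GroupPrincipal g in groups)
        {
            string scope;
            try
            {
                scope = g.GroupScope.HasValue ? g.GroupScope.Value.ToString() : "Unknown";
            }
            catch (InvalidOperationException)
            {
                // Assumption: principals synthesized from well-known SIDs (Everyone,
                // Authenticated Users) are not directory objects and expose no scope.
                scope = "WellKnown";
            }
            int n;
            counts.TryGetValue(scope, out n);
            counts[scope] = n + 1;
        }
        return counts;
    }

    // The domain functional level, which is what the asker ended up having to change.
    public static DomainMode GetDomainMode(string domainName)
    {
        var dc = new DirectoryContext(DirectoryContextType.Domain, domainName);
        using (Domain d = Domain.GetDomain(dc))
        {
            return d.DomainMode;
        }
    }

    // Usage: AuthzGroupDiagnostic.exe              -> context bound as the process identity
    //        AuthzGroupDiagnostic.exe UserA <pw>   -> context bound with explicit credentials
    // (a password on the command line is acceptable for a one-off diagnostic only)
    static void Main(string[] args)
    {
        string domain = "our.domain.net";   // placeholder taken from the question
        string target = "userB";            // placeholder: sAMAccountName of the user to inspect

        PrincipalContext ctx = args.Length >= 2
            ? new PrincipalContext(ContextType.Domain, domain, args[0], args[1])
            : new PrincipalContext(ContextType.Domain, domain);

        using (ctx)
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, target))
        {
            if (user == null)
            {
                Console.WriteLine("No user '{0}' in {1}", target, domain);
                return;
            }
            Console.WriteLine("Bound to {0}, domain functional level {1}", ctx.ConnectedServer, GetDomainMode(domain));

            int unresolved;
            List<GroupPrincipal> groups = ReadAuthorizationGroups(user, out unresolved);
            foreach (var kv in CountByScope(groups))
                Console.WriteLine("{0,-10} {1}", kv.Key, kv.Value);
            Console.WriteLine("{0} groups, {1} entries skipped (NoMatchingPrincipalException)", groups.Count, unresolved);
        }
    }
}
```

Run it once without credentials and once with, on the same host, and compare the two tallies and the skipped count: a non-zero skipped count with the same scope totals means the groups are in the result but unreadable to the caller (the first answer's explanation), while a zero "Local" count with nothing skipped means the domain local groups were never returned at all, which points away from the enumeration code and towards the directory itself, as the final answer found.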
