
Why does DirectoryServicesCOMException occur querying Active Directory from a machine other than the web server?

My ASP.NET WebForms app running on IIS 7.5 works fine when the request comes from the web server but throws the following error when the same domain user requests the same page from any other machine on the domain:

TYPE: System.DirectoryServices.AccountManagement.PrincipalOperationException

MSG: An operations error occurred.

at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at Ceoimage.Basecamp.ActiveDirectory.SidSource._TryGetGroupPrincipal(PrincipalContext context, String groupName) in c:\Users\David\Documents\VsProjects\CeoTrunk\Ceoimage.Basecamp\Basecamp\ActiveDirectory\SidSource.cs:line 115

-- INNER EXCEPTION --

TYPE: System.DirectoryServices.DirectoryServicesCOMException

MSG: An operations error occurred.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()

The application's web.config file specifies <authentication mode="Windows"> and <identity impersonate="true" /> but does not use a membership provider. In IIS, the application pool runs as a domain user and the app's authentication has everything disabled except for ASP.NET Impersonation (set to Authenticated user) and Windows Authentication.

The code that causes the error just tries to get a group's SID to verify the user should access the application:

using System;
using System.DirectoryServices.AccountManagement;

public string GetGroupSid()
{
    // Bind to the Users container of the Test domain with whatever credentials the
    // current thread holds (the impersonated caller, given <identity impersonate="true" />).
    using (var context = new PrincipalContext(ContextType.Domain, "Test", "CN=Users,DC=Test,DC=local", ContextOptions.Negotiate))
    {
        var group = _TryGetGroupPrincipal(context, "AppGroup");
        return group.Sid.Value;
    }
}

// Wraps FindByIdentity so that any lookup failure surfaces as one descriptive exception.
private static GroupPrincipal _TryGetGroupPrincipal(PrincipalContext context, string groupName)
{
    GroupPrincipal group;
    try
    {
        group = GroupPrincipal.FindByIdentity(context, groupName);
    }
    catch (Exception e)
    {
        throw _GetUnableToFindGroupException(e, groupName);
    }
    // FindByIdentity returns null rather than throwing when no such group exists.
    if (group == null)
        throw _GetUnableToFindGroupException(null, groupName);
    return group;
}

// Referenced above but not shown in the original post; minimal stand-in so the snippet compiles.
private static Exception _GetUnableToFindGroupException(Exception inner, string groupName)
{
    return new InvalidOperationException("Unable to find group '" + groupName + "'.", inner);
}

As I said earlier, the app works fine if the request comes from the web server but throws this error when the same domain user requests the same page from any other machine on the domain. I know about enabling Kerberos, but you can see my code specifies ContextOptions.Negotiate. I'm not an expert in this stuff, but I am expertly baffled.

Configuring the web server for delegation allowed my web app to query the AD group's SID without errors, and without changing any code.
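The double hop behind this: with impersonation on, the web server holds the remote caller's token at Impersonation level only, so a Negotiate bind to the domain controller is a second hop that fails unless the server is trusted for delegation, which is what the fix above grants. An alternative that needs no delegation at all, shown here as an added example (not the poster's code), is to resolve the group SID under the application pool identity and then check membership against the group SIDs already present in the caller's token. The class and method names are hypothetical; the domain `Test` and group `AppGroup` are taken from the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Hypothetical helper class; an added example, not code from the original post.
public static class GroupAuthorization
{
    // Describes the token the current thread holds. For a request from another
    // machine this reports ImpersonationLevel = Impersonation, which is why an
    // LDAP bind under that token fails with "An operations error occurred".
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("{0} ({1}, {2})", id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Resolves the group's SID under the application pool identity instead of the
    // impersonated caller. The pool account's primary token carries its own network
    // credentials, so this bind is a single hop and needs no delegation.
    public static SecurityIdentifier GetGroupSidAsAppPool(string domain, string groupName)
    {
        // Impersonate(IntPtr.Zero) reverts the thread to the process identity
        // until the returned context is disposed.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (var context = new PrincipalContext(ContextType.Domain, domain))
        using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, groupName))
        {
            if (group == null)
                throw new InvalidOperationException("Group not found: " + groupName);
            return group.Sid;
        }
    }

    // Authorization check against the caller's own token. Group SIDs (including
    // nested groups) are already in the token, so no directory call is made
    // with the caller's credentials.
    public static bool CallerIsMember(WindowsIdentity caller, SecurityIdentifier groupSid)
    {
        return new WindowsPrincipal(caller).IsInRole(groupSid);
    }
}

// Usage from a page or handler, with <identity impersonate="true" /> as in the question:
//   var caller   = (WindowsIdentity)HttpContext.Current.User.Identity;
//   var groupSid = GroupAuthorization.GetGroupSidAsAppPool("Test", "AppGroup");
//   bool allowed = GroupAuthorization.CallerIsMember(caller, groupSid);
```

Logging DescribeCurrentToken() alongside the failing request is a quick way to confirm the diagnosis before touching delegation settings.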

