
LDAP - Getting user's group names fails from IIS

I followed a tutorial to implement LDAP authentication on an ASP.NET/C# 4.0 Web Application. While things do seem to work, when I put the website under IIS7, it fails to obtain the group names.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text;
using System.Collections;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

namespace KEWeb
{
    public class LdapAuthentication
    {
        private string _path;
        private string _filterAttribute;
        private string _username;
        private string _password;
        private string _domain;
        private string _domainAndUsername;
        private DirectoryEntry _entry;
        private DirectorySearcher _search;
        private SearchResult _result;

        public LdapAuthentication(string path, string domain, string username, string password)
        {
            _path = path;
            _domain = domain;
            _username = username;
            _password = password;
            _domainAndUsername = _domain + @"\" + _username;
            _entry = new DirectoryEntry(_path, _domainAndUsername, _password);

        }

        public bool IsAuthenticated()
        {
            try
            {
                Object obj = _entry.NativeObject;
                _search = new DirectorySearcher(_entry);
                _search.Filter = "(SAMAccountName=" + _username + ")";
                _search.PropertiesToLoad.Add("cn");
                _result = _search.FindOne();
                if (null == _result) { return false; }
                _path = _result.Path;
                _filterAttribute = (String)_result.Properties["cn"][0];
            }
            catch (Exception ex) { throw new Exception("Error authenticating user: " + ex.Message); }
            return true;
        }

        public string GetGroups()
        {
            string r = "";
            try
            {
                Object obj = _entry.NativeObject;
                _search = new DirectorySearcher(_entry);
                _search.Filter = "(SAMAccountName=" + _username + ")";
                _search.PropertiesToLoad.Add("cn");
                _result = _search.FindOne();
                if (null != _result)
                {
                    _path = _result.Path;
                    _filterAttribute = (String)_result.Properties["cn"][0];
                    _search = new DirectorySearcher(_path);
                    _search.Filter = "(cn=" + _filterAttribute + ")";
                    _search.PropertiesToLoad.Add("memberOf");
                    StringBuilder groupNames = new StringBuilder();
                    _result = _search.FindOne();
                    int propertyCount = _result.Properties["memberOf"].Count;
                    String dn;
                    int equalsIndex, commaIndex;
                    for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
                    {
                        dn = (String)_result.Properties["memberOf"][propertyCounter];
                        equalsIndex = dn.IndexOf("=", 1);
                        commaIndex = dn.IndexOf(",", 1);
                        if (-1 == equalsIndex) { return null; }
                        groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
                        groupNames.Append("|");
                    }
                    r = groupNames.ToString();
                }
            }
            catch (Exception ex) { throw new Exception("Error obtaining group names: " + ex.Message); }

            return r;
        }
    }
}

When running this in debug from Visual Studio 2010, it works fine. But on IIS7, it gives an error "An operations error occurred." Not sure how to debug this while under IIS, although I'm sure it's possible. If I completely ignore GetGroups() and comment that code out, it works, but of course I need these group names.

PS - Yes, the code above is nothing like the original, I tweaked it to re-use some redundant stuff. I did however have this issue before I changed that.

You're searching using the wrong item for the groups - you need to use:

_search = new DirectorySearcher(_path);

in the GetGroups() call. The _path variable is set by the IsAuthenticated() call.

You can debug an application under IIS if you attach to the w3wp process. Use the CTRL+Alt+P hotkey to attach to it, or go to the Debug menu, choose Attach to Process... and check the "Show processes in all sessions" checkbox.

This may be way too late to help but I had exactly the same issue.

For me it was that the IIS site had ASP.Net Impersonation and Anonymous both enabled, and the Impersonation user was configured to use the authenticated user. Since Anonymous was also enabled, this would always fail, since Anonymous users do NOT have access to AD.

Changed ASP.Net Impersonation to use a valid AD account and voila!

John

PS. I was working from the same tutorial as you as well. :)
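An added example (not code from the original thread or from the tutorial it follows): one way to read the group names through a searcher rooted at the credentialed DirectoryEntry, so the lookup binds with the supplied credentials instead of the IIS worker or anonymous identity. The single-string DirectorySearcher constructor takes a filter, not a path, so a searcher built that way uses the default search root and the identity of the running process. The names LdapGroupLookup, EscapeFilterValue and FirstRdnValue are hypothetical; the account name is escaped per RFC 4515 before it goes into the filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class LdapGroupLookup // hypothetical helper, not from the thread
{
    // Escape a user-supplied value for use inside an LDAP search filter (RFC 4515).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // First RDN value of a DN: "CN=Web Admins,OU=Groups,DC=example,DC=com" -> "Web Admins".
    // Escaped characters such as "\," are skipped, so the value is returned still escaped.
    public static string FirstRdnValue(string dn)
    {
        int eq = dn.IndexOf('=');
        if (eq < 0) return dn;
        int i = eq + 1;
        while (i < dn.Length && dn[i] != ',')
            i += dn[i] == '\\' ? 2 : 1;
        return dn.Substring(eq + 1, Math.Min(i, dn.Length) - eq - 1);
    }

    public static List<string> GetGroups(string path, string domain, string username, string password)
    {
        var groups = new List<string>();
        // Both the bind and the search use the credentials passed in, not the process identity.
        using (var entry = new DirectoryEntry(path, domain + @"\" + username, password))
        using (var search = new DirectorySearcher(entry))
        {
            search.Filter = "(sAMAccountName=" + EscapeFilterValue(username) + ")";
            search.PropertiesToLoad.Add("memberOf");
            SearchResult result = search.FindOne();
            if (result == null) return groups;
            foreach (object dn in result.Properties["memberOf"])
                groups.Add(FirstRdnValue((string)dn));
        }
        return groups;
    }
}
```

memberOf lists direct memberships only; the user's primary group and nested groups are not included.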
