Why does authenticating against LDAP with DirectoryEntry intermittently throw a COMException (0x8007203A): "The server is not operational"?

2023-09-04 02:12:54 Author: 你可真够呛!

If anyone has a similar story, please post the details below!

I'm building an ASP.NET website which needs to support authentication against LDAP.

On Windows, LDAP auth can be performed via Active Directory (I'm no expert, but AD seems to simply be a particular flavor of LDAP). I don't control the AD and/or LDAP servers.

I've tried various methods of authentication, but I've settled on using a single DirectoryEntry per authentication attempt:

using System.DirectoryServices;
using System.Runtime.InteropServices;

using (DirectoryEntry de = new DirectoryEntry(ldapPath, ldapUsername, password, AuthenticationTypes.ServerBind)) {
    try {
        // Bind to the native AdsObject to force authentication.
        object obj = de.NativeObject; // not IDisposable
    } catch (COMException ex) {
        // Any failure (bad credentials, unreachable server, timeout) surfaces here as a COMException.
    }
}

Retrieving the NativeObject causes a COMException if anything whatsoever goes wrong. For instance, if the authentication failed, the exception is something like "Logon failure: unknown user name or bad password", and if the LDAP server is unreachable or times out, something like "The server is not operational."

This works, basically, but after a variable number of days, always starting first thing in the morning, we get "The server is not operational." until IIS is restarted. This is obviously not a great long-term solution, but as far as I can tell the fault lies with the COM object underlying DirectoryEntry - not something easy to fix.

This problem isn't new or unknown. Some people have gone through Microsoft's support with mixed results; basically the answers seem to come down to "take your LDAP path and create a few equivalent alternatives and maybe one of those will work". Each time you try, of course, you won't know for a few days whether it actually worked, and until a real solution is found, we're back to "reboot the Windows servers every night".

As a start, I've tried LDAP paths in the format

* "LDAP://server.uri:636"
* "LDAP://insecure.server.uri:389"
* "LDAP://server.uri:636/cn=username,ou=staff,o=myOrganisation,c=org"

Always with a username with the following pattern:

* "cn=username,ou=staff,o=myOrganisation,c=org"

All of these methods work initially, but fail after a variable number of days (and start working after an IIS reset). The server is running IIS6 on win 2k3.

If anyone else has these problems, please post below, and perhaps eventually we'll find a pattern to work with or have a sufficient number of examples to convince Microsoft to fix this.
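As an added example (not code from the original post), here is one way to wrap the same ServerBind check so that a credential failure is handled differently from a directory-infrastructure failure: the caller can return a generic "logon failed" to the user for the former while logging and alerting on the latter instead of silently locking everyone out when the outage described above hits. The `LdapAuthenticator` class, its method names and the sample path are assumptions; the two HRESULT constants are the Win32 errors ERROR_LOGON_FAILURE (0x8007052E) and ERROR_DS_SERVER_DOWN (0x8007203A, the value quoted in the title).

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Hypothetical helper (added example, not the poster's code): classify the
// COMException raised by the forced bind so an outage is surfaced as an
// operational error rather than reported as a failed logon.
public static class LdapAuthenticator
{
    // HRESULTs for the two Win32 errors the post describes.
    private const int ErrorLogonFailure = unchecked((int)0x8007052E); // ERROR_LOGON_FAILURE (1326)
    private const int ErrorDsServerDown = unchecked((int)0x8007203A); // ERROR_DS_SERVER_DOWN (8250)

    public enum BindResult { Success, BadCredentials, DirectoryUnavailable, OtherError }

    // ldapPath e.g. "LDAP://server.uri:636" (constructed sample, as in the post);
    // userDn e.g. "cn=username,ou=staff,o=myOrganisation,c=org".
    public static BindResult TryBind(string ldapPath, string userDn, string password, out string detail)
    {
        detail = null;
        // Refuse empty passwords up front: some LDAP servers treat a DN with an
        // empty password as an anonymous bind, which "succeeds" without proving anything.
        if (string.IsNullOrEmpty(password)) { return BindResult.BadCredentials; }

        using (var de = new DirectoryEntry(ldapPath, userDn, password, AuthenticationTypes.ServerBind))
        {
            try
            {
                object native = de.NativeObject; // forces the bind; not IDisposable
                return BindResult.Success;
            }
            catch (COMException ex)
            {
                detail = ex.Message; // keep for the server-side log, never show to the end user
                switch (ex.ErrorCode)
                {
                    case ErrorLogonFailure: return BindResult.BadCredentials;
                    case ErrorDsServerDown: return BindResult.DirectoryUnavailable; // the 0x8007203A case
                    default: return BindResult.OtherError;
                }
            }
        }
    }
}
```

Note that ServerBind on its own performs a simple bind; naming port 636 in the path does not by itself turn on TLS in ADSI, so pass `AuthenticationTypes.ServerBind | AuthenticationTypes.SecureSocketsLayer` when using that port so the credentials are not sent in cleartext.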

Recommended answer

Although I can't precisely pinpoint the cause of this trouble, it seems to have stopped after migrating to a non-clustered server.

There are other odd facts about this bug:

* Restarting the asp.net host process isn't sufficient to fix the trouble. This is odd; you'd expect the OS to forcibly release resources on process death.
* Restarting the IIS service doesn't release the resources (the UDP ports). netstat reveals the ports seem free, but all ports opened are actually opened by process #4 - the System process.
* Killing IIS (for instance via the IIS manager) does release the UDP ports, and then authentication works again.

All in all, this looks very much like a driver or kernel issue in win2k3 with clustering enabled, and not a .NET related problem.

So, if anyone else stumbles over a similar problem, check to see if clustering is enabled - it may save you weeks of headaches.
