Background:
I've been using UserPrincipal.GetAuthorizationGroups for a while now to check permissions in 2 different applications. They have been working fine for several years. Recently some users have been getting the error mentioned in the title (System.DirectoryServices.AccountManagement.PrincipalOperationException) while others have not. I have a suspicion that it might be related to a new domain controller that was added running on Windows Server 2012 because the problems started the day after it was added. The full error is listed below:
Exception:
System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.
   at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
   at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)
   at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ...p)
   at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups
Question:
How do I fix this?
I found an alternative using DirectorySearcher:
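    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Linq;

    // Build one searcher per domain in the current forest.
    var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
    var allSearcher = allDomains.Select(domain =>
        {
            DirectorySearcher searcher = new DirectorySearcher(
                new DirectoryEntry("LDAP://" + domain.Name));
            // The login name is formatted into the filter as-is; escape LDAP filter
            // metacharacters (RFC 4515) first if the value can come from user input.
            searcher.Filter = String.Format(
                "(&(&(objectCategory=person)(objectClass=user)(userPrincipalName=*{0}*)))",
                "Current User Login Name");
            return searcher;
        }
    );

    // Run every searcher and open the matching user entries.
    var directoryEntriesFound =
        allSearcher.SelectMany(searcher =>
            searcher.FindAll()
                .Cast<SearchResult>()
                .Select(result => result.GetDirectoryEntry()));

    var memberOf = directoryEntriesFound.Select(entry =>
        {
            using (entry)
            {
                return new
                {
                    Name = entry.Name,
                    // memberOf is empty, a single value or an array depending on how
                    // many groups the user has, so enumerate the collection instead
                    // of casting Value to object[]. ToList() reads the values before
                    // the entry is disposed.
                    GroupName = entry.Properties["MemberOf"]
                        .Cast<object>()
                        .Select(obj => obj.ToString())
                        .ToList()
                };
            }
        }
    );

    foreach (var user in memberOf)
    {
        foreach (var groupName in user.GroupName)
        {
            // groupName is the group's distinguished name.
            if (groupName.Contains("Group to Find"))
            {
                // Do something if the user is in that group
            }
        }
    }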
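The snippet above formats the login name straight into the LDAP filter and tests membership with a substring match on the group's distinguished name. The following is an added example, not part of the original answer, showing RFC 4515 escaping of the filter value and an exact-DN comparison; the class name `LdapGroupCheck`, the sample login and the group DNs are constructed for illustration, and the filter here matches the whole userPrincipalName rather than a wildcard.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

static class LdapGroupCheck // hypothetical helper, not from the original answer
{
    // RFC 4515: escape the characters that carry meaning inside a filter value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Compare whole distinguished names, ignoring case, instead of substrings.
    // Assumption: both DNs are in the form the directory returns them.
    public static bool IsMemberOf(IEnumerable<string> memberOf, string groupDn)
    {
        return memberOf.Any(dn => string.Equals(dn, groupDn, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Constructed login name containing filter metacharacters.
        string login = "j.doe*(contractor)@example.com";
        string filter = string.Format(
            "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}))",
            EscapeFilterValue(login));
        Console.WriteLine(filter);

        // Constructed memberOf values for one user.
        var memberOf = new[] { "CN=App-Admins-ReadOnly,OU=Groups,DC=example,DC=com" };
        string wanted = "CN=App-Admins,OU=Groups,DC=example,DC=com";
        Console.WriteLine(memberOf.Any(dn => dn.Contains("App-Admins"))); // substring test
        Console.WriteLine(IsMemberOf(memberOf, wanted));                   // exact DN test
    }
}
```

The memberOf attribute lists direct memberships only; nested groups and the primary group, which GetAuthorizationGroups includes, are not in it, so a permission check moved to this approach can return fewer groups than before.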