Why does DirectoryServicesCOMException occur when querying Active Directory from a machine other than the web server?

2023-09-09 21:39:37 Author: ヤ僐變莮嚼╮

My ASP.NET WebForms app running on IIS 7.5 works fine when the request comes from the web server but throws the following error when the same domain user requests the same page from any other machine on the domain:

TYPE: System.DirectoryServices.AccountManagement.PrincipalOperationException

MSG: An operations error occurred

at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue) at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, String identityValue) at Ceoimage.Basecamp.ActiveDirectory.SidSource._TryGetGroupPrincipal(PrincipalContext context, String groupName) in c:\Users\David\Documents\VsProjects\CeoTrunk\Ceoimage.Basecamp\Basecamp\ActiveDirectory\SidSource.cs:line 115

-- INNER EXCEPTION --

TYPE: System.DirectoryServices.DirectoryServicesCOMException

MSG: An operations error occurred

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_SchemaEntry() at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de) at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options) at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()

The application's web.config file specifies <authentication mode="Windows"> and <identity impersonate="true" /> but does not use a membership provider. In IIS, the application pool runs as a domain user and the app's authentication has everything disabled except for ASP.NET Impersonation (set to Authenticated user) and Windows Authentication.

The code that causes the error just tries to get a group's SID to verify the user should access the application:

using System;
using System.DirectoryServices.AccountManagement;

public string GetGroupSid()
{
    // Bind to the Test domain at the Users container; Negotiate picks Kerberos when it can, else NTLM
    using (var context = new PrincipalContext(ContextType.Domain, "Test", "CN=Users,DC=Test,DC=local", ContextOptions.Negotiate))
    {
        var group = _TryGetGroupPrincipal(context, "AppGroup");
        return group.Sid.Value;
    }
}

private static GroupPrincipal _TryGetGroupPrincipal(PrincipalContext context, string groupName)
{
    try
    {
        // This is the call that raises PrincipalOperationException (inner DirectoryServicesCOMException)
        return GroupPrincipal.FindByIdentity(context, groupName);
    }
    catch (Exception e)
    {
        throw _GetUnableToFindGroupException(e, groupName);
    }
}

// Helper referenced by the question but not shown; minimal stand-in so the snippet compiles
private static Exception _GetUnableToFindGroupException(Exception inner, string groupName)
{
    return new ApplicationException("Unable to find group '" + groupName + "'", inner);
}

As I said earlier, the app works fine if the request comes from the web server but throws this error when the same domain user requests the same page from any other machine on the domain. I know about enabling Kerberos, but you can see my code specifies ContextOptions.Negotiate. I'm not an expert in this stuff, but I am expertly baffled.

Accepted answer

Configuring the web server for delegation allowed my web app to query the SID of an AD group without error and without changing any code.
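Added example, not code from the question or the answer: it shows how to see which token the AD lookup actually runs under (an Impersonation-level token from a remote client cannot authenticate onward to the domain controller, which is the second hop that fails above) and, where the group SID lookup does not need the caller's identity, how to run it under the application pool identity as a narrower alternative to enabling delegation. It assumes the same hypothetical domain values (Test, CN=Users,DC=Test,DC=local) as the question's code and an ASP.NET Impersonation setup like the one described.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupSidDiagnostics
{
    // Describe the token the AD query would use. ImpersonationLevel == Impersonation lets the
    // thread act as the user on this box only; only a Delegation-level token (Kerberos with
    // delegation configured) can authenticate to a second server such as a domain controller.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("{0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Same lookup as the question, with the identity logged and a null check on the result.
    public static string TryGetGroupSid(string groupName)
    {
        Console.WriteLine("Lookup runs as: " + DescribeCurrentToken());
        try
        {
            using (var context = new PrincipalContext(ContextType.Domain, "Test",
                       "CN=Users,DC=Test,DC=local", ContextOptions.Negotiate))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName))
            {
                return group == null ? null : group.Sid.Value;
            }
        }
        catch (PrincipalOperationException e)
        {
            // "An operations error occurred" with an Impersonation-level token from a remote
            // client means the user's credentials could not be forwarded to the DC.
            Console.WriteLine("AD lookup failed: " + e.Message);
            throw;
        }
    }

    // Alternative to delegation when the lookup does not need the caller's identity:
    // revert to the process (application pool) identity for the duration of the query.
    public static string GetGroupSidAsProcessIdentity(string groupName)
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero)) // IntPtr.Zero reverts to process identity
        {
            return TryGetGroupSid(groupName);
        }
    }
}
```

Note that the second approach only works because the pool identity is a domain user, as the question states; the user's own access is then still decided by comparing the returned SID against the impersonated user's groups.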