Getting an error querying Active Directory on the server only (tags: error, Active Directory)

2023-09-08 13:08:34 Author: Pumpkin

I have the following block of code that queries Active Directory for users by Group Name using System.DirectoryServices.AccountManagement:

using System.DirectoryServices.AccountManagement;

// Bind to the domain and look the group up by its name
var domainContext = new PrincipalContext(ContextType.Domain, "company.container.internal");
var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.Name, "Lvl1Users");
if (groupPrincipal != null)
{
  // Read the values
}

Now the site uses the following:

- IIS7 on Win2k8
- Windows Authentication
- impersonate="true"
- AppPool on .NET 4.0 using Network Service as the account

On my local machine (you know how this goes) it all works great. My peers who try it locally also find it works well. However, once deployed to the server it shows the following:

An operations error occurred.

Everything I research says it's a permissions issue. One thing to note: on my local machine I'm on the MainNetwork domain, which is the parent of the company.container.internal domain that I am querying. The IIS machine is on company.container.internal and is querying the same domain. So honestly, I would think the more challenging situation is reading AD from my local machine, which is on a different domain, but that works. On the server, which is querying the same domain, it fails.

Here is what I've tried, and none of these has worked:

- Change AppPool to 'LocalSystem'
- Change AppPool to use a static super-duper Admin account
- Used impersonation in code to manipulate the context of the calls in a local block with an admin user on the MainNetwork domain.
- Used impersonation in code to manipulate the context of the calls in a local block with an admin user on the company.container.internal domain.
- Adding in using (HostingEnvironment.Impersonate())

What gives here? I have tried impersonating every type of power admin on both domains and used multiple AppPool settings, and I keep getting the same error. Is there anything that needs to change in the code with the declaration of the domains, or is there a permissions issue I'm missing?

Recommended answer

I figured this out, and it turned out that using HostingEnvironment.Impersonate() was still at the root of solving the problem. I had already tried this, but there was another issue with my code.

The issue is often that the context in which the Active Directory calls are made is that of a user that does not have permissions (this can also happen when identity impersonate="true" in ASP.NET, due to the fact that the user's token is a "secondary token" that cannot be used when authenticating against another server; from: http://bit.ly/1753RjA).

The following code ensures that the block of code is run under the context of, say, the AppPool (i.e. NETWORKSERVICE) that the ASP.NET site is running under.

using System.DirectoryServices.AccountManagement;
using System.Web.Hosting;

// Revert from the impersonated request identity to the app pool identity
// for the duration of this block
using (HostingEnvironment.Impersonate())
{
   var domainContext = new PrincipalContext(ContextType.Domain, "myDomain.com");
   var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.Name, "PowerUsers");
   if (groupPrincipal != null)
   {
      // code to get the information
   }
}

However, one super important detail is that all the code calling Active Directory must be in that block. I had used some code a team member of mine wrote that was returning LINQ query results of type Users (a custom class) without evaluating the expression (bad practice). Therefore the expression tree was returned instead of the results.

What ended up happening is that the calling code eventually evaluated the results and the "An operations error occurred" message still appeared. I thought the code fix above didn't work, when in fact it did, but there was code evaluating the results outside the block.

In a nutshell, make sure all code that accesses Active Directory is inside that using block, and the exception should be fixed once the service/app is deployed to the server.
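The deferred-evaluation trap the answer describes is easy to reproduce, so here is an added example (not code from the original question or answer) showing a method that returns an unevaluated LINQ query out of the HostingEnvironment.Impersonate() block beside the materialized version that keeps every directory round-trip under the app pool identity. The practical reason the app pool identity is enough is that NETWORK SERVICE authenticates to the domain controller as the machine account, which has the ordinary read access to the directory that domain members get by default, whereas the impersonated request token is a secondary token that cannot be forwarded to the DC; neither a "super-duper admin" account nor LocalSystem fixes deferred evaluation. Assumed: ASP.NET on .NET Framework 4.x with references to System.Web and System.DirectoryServices.AccountManagement; the domain and group names are the placeholders from the question.

```csharp
// Added example, not the original answer's code. Reproduces the deferred
// LINQ pitfall beside the materialized fix. Assumptions: ASP.NET on .NET
// Framework 4.x, references to System.Web and
// System.DirectoryServices.AccountManagement; domain/group names are placeholders.
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web.Hosting;

// Plain DTO so no Principal object (and no live LDAP connection) leaves the block.
public sealed class AdUser
{
    public string SamAccountName { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public static class GroupMembers
{
    // BROKEN: GetMembers() and Select() are both lazy. Nothing talks to the
    // domain controller until the caller enumerates the result, by which time
    // the using block has ended and the thread is back on the impersonated
    // (secondary) user token, so the enumeration throws
    // "An operations error occurred" far away from this method.
    public static IEnumerable<AdUser> GetDeferred(string domain, string groupName)
    {
        using (HostingEnvironment.Impersonate())
        {
            var ctx = new PrincipalContext(ContextType.Domain, domain);
            var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName);
            if (group == null)
                return Enumerable.Empty<AdUser>();

            return group.GetMembers(true)
                        .OfType<UserPrincipal>()
                        .Select(u => new AdUser
                        {
                            SamAccountName = u.SamAccountName,
                            DisplayName = u.DisplayName,
                            Email = u.EmailAddress
                        }); // no ToList(): the query escapes the block unevaluated
        }
    }

    // FIXED: ToList() forces the search and the per-member attribute reads to
    // run while the app pool identity (e.g. NETWORK SERVICE, which authenticates
    // to the DC as the machine account) is still in effect. Only AdUser objects
    // leave the block, and every directory handle is disposed inside it.
    public static List<AdUser> GetMaterialized(string domain, string groupName)
    {
        using (HostingEnvironment.Impersonate())
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
        {
            if (group == null)
                return new List<AdUser>();

            using (var members = group.GetMembers(true))
            {
                return members.OfType<UserPrincipal>()
                              .Select(u => new AdUser
                              {
                                  SamAccountName = u.SamAccountName,
                                  DisplayName = u.DisplayName,
                                  Email = u.EmailAddress
                              })
                              .ToList();
            }
        }
    }
}

// Caller, e.g. in an MVC controller action (placeholder names from the question):
//   var users = GroupMembers.GetMaterialized("company.container.internal", "Lvl1Users");
//   foreach (var u in users) { ... }   // safe: plain objects, no directory access here
```

With GetDeferred the exception surfaces wherever the caller first enumerates the sequence (often a view or a serializer), so the stack trace does not point at the method that forgot to materialize; that is exactly how the answer's author was fooled into thinking the Impersonate() fix had not worked. The rule of thumb is the one the answer gives: anything that can still touch the directory, including PrincipalSearchResult enumerations and lazy Select projections, must be forced to completion before the using block closes.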