我想创建一个内联网网站，可以查找用户的电子邮件地址的基础上他们的Active Directory用户名。

I am trying to create a intranet website which can look up a users email address based on their Active Directory username.

我在web.config中的以下内容：

I have the following in my web.config:

<authentication mode="Windows"/>
<identity impersonate="true"/>

和我能获得用户的用户名与

And I can obtain the the users UserName with:

Environment.UserName

运行在本地主机，下面的code可以让我查询了广告并获得电子邮件：

Running on localhost, the following code allows me to query the AD and obtain the email:

public string GetADUser(string userName)
{            
    DirectoryEntry entry = new DirectoryEntry();

    // get a DirectorySearcher object
    DirectorySearcher search = new DirectorySearcher(entry);

    // specify the search filter
    search.Filter = "(&(objectClass=user)(anr=" + userName + "))";

    // specify which property values to return in the search  
    search.PropertiesToLoad.Add("mail");    // smtp mail address

    // perform the search
    SearchResult result = search.FindOne();

    string email = string.Empty;

    if (result != null)
    {
        if (result.Properties["mail"].Count == 1)
        {
            email = result.Properties["mail"][0].ToString();
        }
        else
        {
            email = "no email";
        }
    }
    else
    {
        email = "not found";
    }

    return email;
}

大，这code认证使用我的凭据默认情况下，允许我传递一个用户名和查找用户的电子邮件地址。

Great, this code authenticates using my credentials by default and allows me to pass in a username and look up the users email address.

不过，当我上传这个测试code到服务器中，code停止，如果我浏览到该网站从任何地方以外的其他本地主机的工作。

However, when I upload this test code to the server, the code stops working if I browse to the site from anywhere other than localhost.

[COMException (0x80072020): An operations error occurred.]

谷歌搜索这表明我有一个权限问题。

Googling this reveals that I have a permissions issue.

要解决这个问题我已经尝试设置为我的凭据的应用程序池标识，但是这仍然没有让code搜索广告。

To get around this I have tried setting the application pool identity to my credentials but this still does not allow the code to search the AD.

该网站的身份验证在IIS中配置如下（已启用的项目标记以＆lt;＆LT;）：

The website authentication is configured in IIS as follows (enabled items tagged with <<):

Anonymous Authentication:Disabled
ASP.NET Impersonation:Enabled  <<
Basic Authentication:Disabled
Digest Authentication:Disabled
Forms Authentication:Disabled
Windows Authentication:Enabled  <<

它甚至有可能做什么，我想干什么？ 我在想什么？

Is it even possible to do what I am trying to do? What am I missing?

推荐答案

确定我发现这个问题。

在此情况下，具有 ASP.NET模拟：启用在IIS和我的web.config中发生冲突与我所配置的应用程序池标识。 （我认为）。

In this case, having ASP.NET Impersonation:Enabled in IIS and my Web.Config was conflicting with the Application Pool identity I had configured. (I think).

在我设置的应用程序池标识使用适当的帐户验证查询AD，残疾人模拟和剩余的运行时间 Windows身份验证：启用我能得到网站查询AD不传递任何凭据在我的code。

Once I set the application pool identity to run using an appropriate account authenticated to query the AD, disabled Impersonation and left Windows Authentication:Enabled I was able to get the website to query the AD without passing any credentials in my code.