C#/ ASP.NET / AD - “指定的目录服务属性或值不存在。”

时间:2013-11-14 18:29:14

标签: c# asp.net authentication login active-directory

通过ASP.NET Web表单向Active Directory提交有效凭据时,将返回以下错误消息:“指定的目录服务属性或值不存在。”

LDAP身份验证代码:

using System;
using System.Text;
using System.Collections;
using System.DirectoryServices;

namespace FormsAuth
{
    public class LdapAuthentication
    {
        private string _path;
        private string _filterAttribute;

        public LdapAuthentication(string path)
        {
            _path = path;
        }

        public bool IsAuthenticated(string domain, string username, string pwd)
        {
            string domainAndUsername = "CBHC" + @"\" + username;
            DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);

            try
            {
                //Bind to the native AdsObject to force authentication.
                object obj = entry.NativeObject;

                DirectorySearcher search = new DirectorySearcher(entry);

                search.Filter = "(SAMAccountName=" + username + ")";
                search.PropertiesToLoad.Add("cn");
                SearchResult result = search.FindOne();

                if (null == result)
                {
                    return false;
                }

                //Update the new path to the user in the directory.
                _path = result.Path;
                _filterAttribute = (string)result.Properties["cn"][0];
            }
            catch (Exception ex)
            {
                throw new Exception("Error authenticating user. " + ex.Message);
            }

            return true;
        }

        public string GetGroups()
        {
            DirectorySearcher search = new DirectorySearcher(_path);
            search.Filter = "(cn=" + _filterAttribute + ")";
            search.PropertiesToLoad.Add("memberOf");
            StringBuilder groupNames = new StringBuilder();

            try
            {
                SearchResult result = search.FindOne();
                int propertyCount = result.Properties["memberOf"].Count;
                string dn;
                int equalsIndex, commaIndex;

                for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
                {
                    dn = (string)result.Properties["memberOf"][propertyCounter];
                    equalsIndex = dn.IndexOf("=", 1);
                    commaIndex = dn.IndexOf(",", 1);
                    if (-1 == equalsIndex)
                    {
                        return null;
                    }
                    groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
                    groupNames.Append("|");
                }
            }
            catch (Exception ex)
            {
                throw new Exception("Error obtaining group names. " + ex.Message);
            }
            return groupNames.ToString();
        }
    } 
}

登录页面上的代码:

<script runat=server>
void Login_Click(object sender, EventArgs e)
{
    string adPath = "LDAP://server/DC=domain,DC=loc"; //Path to your LDAP directory server
  LdapAuthentication adAuth = new LdapAuthentication(adPath);
  try
  {
    if(true == adAuth.IsAuthenticated("CBHC",txtUsername.Text, txtPassword.Text))
    {
      string groups = adAuth.GetGroups();

      //Create the ticket, and add the groups.
      bool isCookiePersistent = chkPersist.Checked;
      FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, 
                txtUsername.Text,DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups);

      //Encrypt the ticket.
      string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

      //Create a cookie, and then add the encrypted ticket to the cookie as data.
      HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

      if(true == isCookiePersistent)
      authCookie.Expires = authTicket.Expiration;

      //Add the cookie to the outgoing cookies collection.
      Response.Cookies.Add(authCookie);

      //You can redirect now.

      Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));
    }
    else
    {
      errorLabel.Text = "Authentication did not succeed. Check user name and password.";
    }
  }
  catch(Exception ex)
  {
    errorLabel.Text = "Error authenticating. " + ex.Message;
  }
}
</script>

IIS上的表单的Web.config上的身份验证设置:

<authentication mode="Windows">
      <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="10" path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <identity impersonate="true" />

注意事项:在Debug中运行站点时不会发生这种情况;在这种情况下,它会完美地进行身份验证并转到“默认”页面。只有在IIS服务器上实时联系页面时才会发生此事。

1 个答案:

答案 0 :(得分:2)

我曾经遇到过这样的问题。可能是因为您无法检索LDAP NativeObject属性进行身份验证。如果在object obj = entry.NativeObject;调用之后立即抛出异常,请检查用户是否对域具有权限。

调试代码以查看它是否确实是失败的NativeObject绑定。或者在IsAuthenticated()函数中围绕绑定放置一个try / catch块,如下所示。如果它是由我描述的问题引起的,你应该看到引发的自定义错误。

try
{   //Bind to the native AdsObject to force authentication.         
    Object obj = entry.NativeObject;
}
catch (System.Runtime.InteropServices.COMException e)
{
    if (e.ErrorCode == -2147016694) // -2147016694 - The specified directory service attribute or value does not exist.
    {
        throw new Exception("Can't retrieve LDAP NativeObject property");
    }
    throw;
}