I am trying to build a self-service page for internal users so they can manage their own file access by adding/removing users in AD security groups.
I want the site to run in the context of the user visiting the page, since all the security is already set up in AD.
I have enabled Windows Authentication (Negotiate and NTLM, in that order), disabled Anonymous, and enabled impersonation as the authenticated user in IIS 7.5. The site now runs in the context of the user visiting the page (I tested this with System.Security.Principal.WindowsIdentity.GetCurrent().Name).
If I open the site in a browser on the web server itself, it works fine, but when I run it from a remote browser it returns an exception when it tries to run the following code, which retrieves the security groups of the currently logged-in user.
using System.DirectoryServices.AccountManagement;

private void GetGroups()
{
    // establish domain context (note: not passed to UserPrincipal.Current, which uses the default context)
    PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain, "mydomain.com");
    // UserPrincipal.Current resolves the impersonated identity against AD; this is where the exception is thrown
    PrincipalSearchResult<Principal> groups = UserPrincipal.Current.GetGroups();
    // if found - grab its groups
    if (groups != null)
    {
        // iterate over all groups
        foreach (Principal p in groups)
        {
            if (p.Name.Contains("OWNER"))
            {
                if (p is GroupPrincipal)
                {
                    // group names look like A_B_C_FOLDER[_SUBFOLDER]; show the folder part(s)
                    string[] parts = p.Name.Split('_');
                    if (parts.Length <= 5)
                    {
                        lb_folder.Items.Add(parts[3]);
                    }
                    else
                    {
                        lb_folder.Items.Add(parts[3] + "_" + parts[4]);
                    }
                }
            }
        }
    }
}
Exception:
Exception Details: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
Stack trace:
[DirectoryServicesCOMException (0x80072020): An operations error occurred.]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +596521
System.DirectoryServices.DirectoryEntry.Bind() +44
System.DirectoryServices.DirectoryEntry.get_AdsObject() +42
System.DirectoryServices.PropertyValueCollection.PopulateList() +29
System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +63
System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +163
System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() +495517
System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() +51
System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() +161
System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() +42
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) +29
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) +146
System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) +44
System.DirectoryServices.AccountManagement.UserPrincipal.get_Current() +443
_Default.GetGroups() in c:\inetpub\wwwroot\WebSite1\Owner_fileaccess.aspx.cs:340
_Default.Button1_Click1(Object sender, EventArgs e) in c:\inetpub\wwwroot\WebSite1\Owner_fileaccess.aspx.cs:468
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +155
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3804
I read that this may be caused by not using Kerberos authentication, so I checked the headers with Fiddler, which shows:
Headers:
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIgvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv8lZ872B9I6o1oV46zsl4rGFc4TZetqAXZT8VrTvMRw9ClbgTOkqlSYB6PcXxgu7Upn4UeIIEc2doa8bpd4326UitjZaU/cB021ALsaCXpGW6/wLN75pvI/tT6HrlmAuSEOsVnwZJCyR1HpS7UyKU
Auth:
No Proxy-Authenticate Header is present.
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
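As an added diagnostic (not code from the question or the answer), the method below reports the authentication type and impersonation level of the request token and then attempts the same AD bind, so the page can show whether the impersonated token is usable on the second hop from the web server to the domain controller. The class and method names are assumptions; the 0x80072020 code is the one in the stack trace above.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Text;

public static class DelegationDiagnostics
{
    // Describes the token the request runs under and whether AD can be reached with it.
    public static string Describe(string domain)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var report = new StringBuilder();
        report.AppendLine("User: " + id.Name);
        // NTLM tokens cannot be forwarded to another server; Kerberos is needed for the second hop.
        report.AppendLine("AuthenticationType: " + id.AuthenticationType);
        // Impersonation only grants access to resources on the web server itself.
        // Delegation is required before the token can be used against the domain controller.
        report.AppendLine("ImpersonationLevel: " + id.ImpersonationLevel);
        bool delegable = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        report.AppendLine("Token usable on second hop: " + delegable);

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            {
                // Forces the LDAP bind under the impersonated token; DOMAIN\user is accepted as-is.
                UserPrincipal me = UserPrincipal.FindByIdentity(ctx, id.Name);
                report.AppendLine("AD lookup: " + (me != null ? "ok" : "user not found"));
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            if (ex.ErrorCode == unchecked((int)0x80072020))
            {
                // ERROR_DS_OPERATIONS_ERROR: the bind ran under a token that AD would not accept.
                report.AppendLine("AD lookup failed with 0x80072020: impersonated token rejected on second hop.");
            }
            else
            {
                report.AppendLine("AD lookup failed: " + ex.Message);
            }
        }
        return report.ToString();
    }
}
```

Call `DelegationDiagnostics.Describe("mydomain.com")` from the page and write the result to a label; a remote request that shows NTLM or an ImpersonationLevel below Delegation is expected to fail the AD lookup the same way the code in the question does.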
Answer 0: (score: 0)
No idea why, but this just started working today without any changes.
The only thing I can think of is that the "Trust this computer for delegation" setting I applied in AD took a while to replicate?