Question

我需要在asp.net Web应用程序中实现两个功能。

使用Active Directory进行身份验证
获取Active Directory用户列表。

当我将IIS应用程序池设置为网络服务时，上述两者在客户端环境中都能正常工作。当我更改回IIS用户时，只有身份验证工作，但让用户列表停止工作。我不确定为什么会这样。

这是我的代码：

身份验证：

public bool AuthenticateADUser(string domain, string password, string username)
{
    bool isValid = false;

    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
    {
        isValid = pc.ValidateCredentials(username, password);
    }

    return isValid;
}

获取Active Directory用户列表：

using (var context = new PrincipalContext(ContextType.Domain, domain))
{
    if (groupName != string.Empty)
    {   
        // get list of users for a group
        GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName);

        foreach (Principal principal in group.Members)
        {                            
            AdUsers.Add(principal);                            
        }                        
    }
    else   // get all users regardless of group
    {
        using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
        {
            foreach (Principal principal in searcher.FindAll())
            {
                if (principal.UserPrincipalName != null)
                    AdUsers.Add(principal);
            }                            
        }  //end PrincipalSearcher using 
    }  //end else
}  //end PrincipalContext using

更新：我不能说代码行是因为我将应用程序部署到客户端服务器，因此无法对其进行调试。但这是错误：

异常信息：

Exception type: DirectoryServicesCOMException 
Exception message: Logon failure: unknown user name or bad password.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.PrincipalSearcher.SetDefaultPageSizeForContext()
at System.DirectoryServices.AccountManagement.PrincipalSearcher..ctor(Principal queryFilter)
at WarshawGroup.OneVoice.User.bus_cUser.GetADUsers(String domain, String groupName)
at WarshawGroup.OneVoice.UI.Data.Users.Modify.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

更新

它在

 var searcher = new PrincipalSearcher(new UserPrincipal(context));

Context是PrincipalContext类型......

 var context = new PrincipalContext(ContextType.Domain, domain);

PrincipalContext具有名为“ConnectedServer”的属性。 ConnectedServer的值为null，因此会抛出异常。

如果我在PrincipalContext中传递用户名和密码以及域名，那么一切正常。示例...

 var context = new PrincipalContext(ContextType.Domain, domain,"username","pwd");

似乎我需要冒充有权访问特定域的用户。

有没有其他方法可以实现这个目标？

谢谢，

Active Directory获取使用PrincipalSearcher的用户列表会引发错误

0 个答案: