Question

我使用Windows PowerShell在安装过程中查询和验证用户的Windows凭据。直到昨天一直运作良好。现在我公司的IT部门已经改变了域控制器的一些配置，现在我得到了以下例外。

Exception calling "ValidateCredentials" with "2" argument(s): "The server cannot
handle directory requests."
At line:32 char:5
+ if ($pc.ValidateCredentials($username, $credential.GetNetworkCredenti ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryOperationException

根据我的研究，我已经发现它与缺少的SSL连接有关。我必须在代码中的某处添加ContextOptions.SecureSocketLayer。 问题是：放置此参数的正确位置在哪里？我找不到PowerShell的任何示例。

这是我用来检查凭据的脚本：

$credential = $Host.UI.PromptForCredential("Need credentials.", "For using Windows Integrated Authentication please provide the login information for the user that has access to the Microsoft SQL Server database.", "", "")
if (!$credential) {
    Write-Output "No credentials provided"
    return
}

[System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')

$system = Get-WmiObject -Class Win32_ComputerSystem

if ($credential.GetNetworkCredential().Domain) {
    Write-Output "Credentials contain domain"
    if ($credential.GetNetworkCredential().Domain -eq $system.Name) {
        Write-Output "Domain is local system"
        $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Machine', $system.Name
    } else {
        Write-Output "Domain is network domain"
        $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Domain', $credential.GetNetworkCredential().Domain
    }
    $username = $credential.UserName
} elseif (0, 2 -contains $system.DomainRole) {
    $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Machine', $system.Name
    $username = $system.Name + '\' + $credential.GetNetworkCredential().UserName
} else {
    $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Domain', $system.Domain
    $username = $system.Domain + '\' + $credential.GetNetworkCredential().UserName
}

if ($pc.ValidateCredentials($username, $credential.GetNetworkCredential().Password)) {
    Write-Output "Validation successfull"
} else {
    Write-Output "Validation failed"
}

Answer 1

作为mentioned by Kiran in the comments，您可以将ContextOptions值传递给PrincipalContext构造函数：

$DefaultNC = "DC=$($system.Domain -replace '\.',',DC=')"
# ...
$pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Domain', $system.Domain, $DefaultNC, ([System.DirectoryServices.AccountManagement.ContextOptions]'SecureSocketLayer,Negotiate')

必须指定身份验证选项（Negotiate或SimpleBind），因此'SecureSocketLayer,Negotiate'值

“ValidateCredentials”中的异常“服务器无法处理目录请求。”

1 个答案: