在asp.net MVC应用程序中,我在尝试使用directoryEntry.Invoke重置密码时遇到拒绝访问错误。
尝试更改密码的用户可以访问该页面,并在IIS中标记SSL required和Client Certificates - Required。
相关代码:
directoryEntry.Invoke("SetPassword", new object[] { model.Password });
directoryEntry.Properties["LockOutTime"].Value = 0;
directoryEntry.Close();
确切的错误是 -
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
--- End of inner exception stack trace ---
at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
Web.config -
<authentication mode="Windows" />
<identity impersonate="false" />
<authorization>
<deny users="?" />
</authorization>
[Domain1\AppPoolUser]。 [Domain2\testUser]的用户和运行应用程序池的帐户位于不同的域中,但这可能不是问题。 AppPoolUser的有效权限允许testUser帐户上的ChangePassword。 在网上查了一下,但我不清楚问题是什么。我看到的最接近的相关内容是 - Setting ASP.Net Permissions - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
但是,正如我所说,应用程序池在有限的技术帐户下运行,我不认为SSL证书存在任何问题。
答案 0 :(得分:-1)
我们有类似的要求更改或重置密码。我们使用以下代码段。
/// <summary>
/// Resets the user password.
/// </summary>
public static void ResetUserPassword(string domain, string domainUsername, string domainPassword, string sAMAccountName, string newPassword,
bool askToChangePassword, bool unlockAccount, bool passRespectDomainPolicy, bool superuser)
{
// Get root directory entry
using (var entry = GetDirectoryEntry(domain, domainUsername, domainPassword, AuthenticationTypes.Secure))
{
var displayName = string.Empty;
// Search for the user with the same sAMAccountName
using (var searcher = new DirectorySearcher(entry))
{
// Filter results by SAMAccountName
searcher.Filter = string.Format("(SAMAccountName={0})", sAMAccountName);
// Search and return only one result
var result = searcher.FindOne();
// Check if result is returned
if (result == null) throw new Exception("Could not find user: " + sAMAccountName);
// Get the user directory entry
var userEntry = result.GetDirectoryEntry();
// Read name value
if (userEntry.Properties.Contains("displayName") && userEntry.Properties["displayName"].Count > 0)
displayName = Convert.ToString(userEntry.Properties["displayName"][0]);
// Validate password
// string errorMessage;
// if (passRespectDomainPolicy &&
// !IsValidPassword(domain, sAMAccountName, newPassword, displayName, userEntry, superuser, out errorMessage))
// {
// if (!string.IsNullOrEmpty(errorMessage)) throw new Exception(errorMessage);
// throw new Exception("Password is not valid as per AD policy. Please consult Administrator.");
// }
// Earlier we used impersonation to reset password on same DC.
// But that didn't worked and so removed.
userEntry.Invoke("SetPassword", newPassword);
// 0(for on) and -1(for off) for LDAP case. For WinNT it is opposite.
// Set "Ask to change password at next login"
if (askToChangePassword)
userEntry.Properties["pwdLastSet"].Value = 0;
// Unlock account if required
if (unlockAccount)
userEntry.Properties["lockoutTime"].Value = 0;
// Commit changes
userEntry.CommitChanges();
}
}
}
值得注意的是,我们在根目录条目userEntry.Invoke("SetPassword", newPassword);的上下文中运行代码using (var entry = GetDirectoryEntry(domain, domainUsername, domainPassword, AuthenticationTypes.Secure)){。
我的意思是entry表示持有域管理员用户和密码的对象。此管理员用户必须具有在AD中进行更改的完全权限。
告诉我们您的测试结果。