在 ASP.NET 中访问 Active Directory?
我使用控制台应用程序编写一些测试代码:
/// <summary>
/// Returns AD information for a specified userID.
/// </summary>
/// <param name="ntID"></param>
/// <returns></returns>
public ADUser GetUser(string ntID)
{
DirectorySearcher search = new DirectorySearcher();
search.Filter = String.Format("(cn={0})", ntID);
search.PropertiesToLoad.Add("mail");
search.PropertiesToLoad.Add("givenName");
search.PropertiesToLoad.Add("sn");
search.PropertiesToLoad.Add("displayName");
search.PropertiesToLoad.Add("userPrincipalName");
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
return new ADUser(result);
}
这在控制台应用程序中工作得很好。 但是,当我将其移动到 ASP.NET 应用程序时,我收到一条关于不知道正确域的错误消息。
在 ASPNET 帐户上运行时,我是否缺少访问 AD 的技巧?
编辑:仅传递 LDAP://domain 连接字符串是不够的,因为它需要实际的登录名/密码。 因为它在计算机上的本地帐户上运行,所以我不确定要使用什么 AD L/P。 我可以以某种方式将访问用户帐户委托给此帐户吗?
编辑#2:当尝试使用身份模拟时,我收到一个 DirectoryServicesCOMException:
身份验证机制未知。
I use a console application to write some test code:
/// <summary>
/// Returns AD information for a specified userID.
/// </summary>
/// <param name="ntID"></param>
/// <returns></returns>
public ADUser GetUser(string ntID)
{
DirectorySearcher search = new DirectorySearcher();
search.Filter = String.Format("(cn={0})", ntID);
search.PropertiesToLoad.Add("mail");
search.PropertiesToLoad.Add("givenName");
search.PropertiesToLoad.Add("sn");
search.PropertiesToLoad.Add("displayName");
search.PropertiesToLoad.Add("userPrincipalName");
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
return new ADUser(result);
}
And this worked fine from the console app. However, when I moved it to an ASP.NET application, I received an error message about not knowing the correct domain.
Is there a trick I am missing for accessing AD when running on the ASPNET account?
EDIT: Passing just a LDAP://domain connection string isn't enough, as it wants an actual login/password. Because this runs on a local account on a machine, I'm not sure what AD L/P to use. Can I delegate the accessing users account to this somehow?
EDIT #2: When trying to use identity impersonation, I get a DirectoryServicesCOMException with:
The authentication mechanism is unknown.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
是的。 您需要给它一个目录连接字符串。 控制台应用程序(与您一起运行)使用您的凭据运行,包括目录访问权限。 ASP.NET 应用程序使用 ASPNET 用户凭据运行,这些凭据是应用程序运行所在系统的本地凭据,而不是目录全局凭据。
Yes. You need to give it a directory connection string. A console app (running as you) runs with your credentials, including directory access. An ASP.NET app runs with the ASPNET user's credentials, which are local to the system the app is running on, not directory-global.
如果它是使用 Windows 身份验证的 Intranet 应用程序,那么您可以将 AD 调用包装在用户的模拟上下文中。
就像是:
If its an intranet application that uses windows authentication, then you can wrap your AD call in a impersonation-context of the user.
Something like:
或者,您可以在 web.config 中指定 Identity impersonate=true ,并且对 Active Directory 的请求将作为调用用户而不是 Machine\ASPNET
发送 编辑:如果您收到身份验证错误,请参阅 PIPTHEGEEK 的帖子,您将不得不信任您的网络服务器进行委派,但是要小心信任委派(因为它会为安全类型打开另一堆蠕虫)。 您必须允许 Web 服务器将当前用户的凭据传递给 AD。
如果可能,请转到计算机的 AD 属性,选择委派选项卡,然后选择“信任此计算机委派任何服务(仅限 Kerberos)”
查看是否有效。如果有效,您可以使用第三个选项指出
“仅信任此计算机委派指定的服务”,
然后选择“仅使用 Kerberos”
,并在“此帐户可以向其提供委派凭据的服务”中添加相关服务信息。
Alternatively you could specify identity impersonate=true in the web.config and the request to Active directory will be sent as the calling user instead of Machine\ASPNET
Edit: If you are getting the authentication error see PIPTHEGEEK's post you will have to trust your web server for delegation, however be careful with trusting for delegation (since it opens another can of worms for security types). You have to allow the web server to pass the credentials of the current user to AD.
If possible, go to AD properties for the computer, select the delegation tab, and select "Trust this computer for delegation to any service (Kerberos Only)
See if that works. If it does, you can further fine grain the permissions by using the third option which states
"Trust this computer for delegation to specified services only"
Then select "Use Kerberos Only"
and in the "services to which this account can present delegated credentials", add the relevant service information.
解决此问题的最简单方法是让您的 Web 应用程序池作为具有所需访问权限的域帐户运行。 这避免了您必须管理密码的安全存储。 不要忘记使该帐户成为 IIS_WPG 本地组的成员。
如果您决定使用模拟,则必须配置 Kerberos 委派以及更改 ASP.NET 配置以进行模拟。 这将涉及使应用程序池作为域帐户运行,授予该域帐户委派凭据的权限(AD 用户和计算机 MMC 中帐户属性的委派选项卡)。 然后确保网站在元数据库中设置为使用 negoiate(这是 IIS6 上的默认设置,不确定其他版本)并为新域帐户注册 SPN。
编辑:您的“未知身份验证”错误听起来像是错误配置的委派。 检查您的应用程序池运行的帐户是否受信任进行委派、IIS 设置为仅使用 Windows 身份验证以及是否为应用程序池身份帐户注册了有效的 SPN。
The easiest way around this is to make your web application pool run as a domain account that has the required access. This avoids you having to manage the secure storing of a password. Don't forget to make the account a member of the IIS_WPG local group.
If you do decide to use impersonation you will have to configure Kerberos delegation as well as changing the ASP.NET configuration to impersonate. This will involve making the application pool run as a domain account, granting that domain account permission to delegate credentials (the delegation tab of the account properties in the AD users and computers MMC). Then ensuring that the website is set to use negoiate in the metabase (this is the default on IIS6, not sure about other versions) and registering an SPN for the new domain account.
Edit: Your 'Unknown authentication' error sounds like mis-configured delegation. Check that the account your app pool is running as is trusted for delegation, that IIS is set to use ONLY windows authentication and that a valid SPN is registered for the app pool identity account.
您也可以尝试在登录名中包含域
You could also try including the domain in the login