2-line Active Directory call fails for offshore contractors connecting to our company network over VPN
We have offshore contractors that are trying to run an app that performs the following Active Directory call, shown below in VB.NET:
Dim objRootDSE As New DirectoryEntry("LDAP://RootDSE")
Return "GC://" & Replace(Replace(objRootDSE.Properties("rootDomainNamingContext").Value().ToString, ",", "."), "DC=", "") 'DC=uis,DC=unisys,DC=com
The code returns an error on the function return line, indicating that it could not contact the server, which, when it works for me locally, is "DC=uis,DC=unisys,DC=com".
The contractors connect to our company's internal network via VPN and in general have access to the full network, so I don't know why they shouldn't be able to contact this server.
Other offshore users in other locations have no problem with the same code.
I know almost nothing about AD. Can someone give me a clue?
Comments (1)
The code works for you because you're running it on a computer joined to your domain (uis.unisys.com) and you're logged in as a user in that domain. When you access the DirectoryEntry on line two you do that in the context of the user executing the program. Because the consultants don't use/have accounts in your domain they won't have access.
Simplified explanation: You'll find it difficult to get the code above to work on any computer that isn't domain-joined to your network (because finding the RootDSE relies on that). The purpose of your code is to get the domain name and do a Global Catalog (GC) search. You'll most likely find that there's other code further down in your program which won't work on systems not connected to your domain.
I would suggest this instead:
Where the username and password match a service account in your domain. That way the consultants can connect to your domain under the context of that user and perform the work required.
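
The answer's own snippet did not survive on this page. As an added example (not the answerer's code), here is one way to bind to RootDSE with an explicit server and explicit credentials so the call does not depend on a domain-joined machine or the logged-on user. The domain name comes from the answer; the environment variable names and the module and function names are hypothetical.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

Module GcPathExample
    ' Domain DNS name as given in the answer; naming it in the ADsPath means
    ' the lookup no longer depends on the machine being domain-joined.
    Private Const DomainDnsName As String = "uis.unisys.com"

    ' "DC=uis,DC=unisys,DC=com" -> "uis.unisys.com", reading only DC components.
    Function DnToDnsName(dn As String) As String
        Dim labels As New List(Of String)
        For Each rdn As String In dn.Split(","c)
            Dim part As String = rdn.Trim()
            If part.StartsWith("DC=", StringComparison.OrdinalIgnoreCase) Then
                labels.Add(part.Substring(3))
            End If
        Next
        Return String.Join(".", labels)
    End Function

    Function GetGcPath(userName As String, password As String) As String
        Dim path As String = "LDAP://" & DomainDnsName & "/RootDSE"
        ' Secure = negotiated Kerberos/NTLM bind; Signing and Sealing protect
        ' the LDAP traffic in transit.
        Dim auth As AuthenticationTypes = AuthenticationTypes.Secure Or
            AuthenticationTypes.Signing Or AuthenticationTypes.Sealing
        Try
            Using rootDse As New DirectoryEntry(path, userName, password, auth)
                Dim dn As String = rootDse.Properties("rootDomainNamingContext").Value.ToString()
                Return "GC://" & DnToDnsName(dn)
            End Using
        Catch ex As COMException
            ' Covers both "server not reachable" and "logon failure".
            Throw New InvalidOperationException(
                "RootDSE bind to " & DomainDnsName & " failed, HRESULT 0x" &
                ex.ErrorCode.ToString("X8"), ex)
        End Try
    End Function

    Sub Main()
        ' Hypothetical variable names; keep the service account's password out of source.
        Dim user As String = Environment.GetEnvironmentVariable("AD_SVC_USER")
        Dim pass As String = Environment.GetEnvironmentVariable("AD_SVC_PASSWORD")
        Console.WriteLine(GetGcPath(user, pass))
    End Sub
End Module
```

A service account used this way needs only read access to the directory. The HRESULT in the exception message distinguishes a network or name-resolution failure from rejected credentials.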