当前位置: 文江博客话题详情

无法查询 AD(获取 DirectoryServicesCOMException)

发布于 2024-09-13 17:58:14 字数 1741 浏览 6 评论 0原文

我正在尝试在 Windows Server 2008 R2(已安装 IIS7)上运行的 ASP.Net (4.0) 应用程序中查询 AD。 (作为 2.0 应用程序运行时也会失败)

这对我来说不是什么新鲜事,因为我以前已经这样做过很多次了。我编写了一个小型 ASP.Net 程序,它在我自己的计算机(带 IIS6 的 Windows XP)上运行良好,但在 2008 机器上运行时失败。

(结果是您在文本框中看到用户所属的组列表)

(on button_click) 
var userName = txtUserName.Text;

if (userName.Trim().Length == 0)
{
     txtResults.Text = "-- MISSING USER NAME --";
     return;
}

var entry = new DirectoryEntry("LDAP://blah.blah/DC=blah,DC=blah",
                               "cn=acct, dc=blah, dc=blah",
                               "pass");

var search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + userName + ")";
search.PropertiesToLoad.Add("memberOf");

var groupsList = new StringBuilder();

var result = search.FindOne();

if (result != null)
{
   int groupCount = result.Properties["memberOf"].Count;

   for (int counter = 0; counter < groupCount; counter++)
   {
           groupsList.Append((string)result.Properties["memberOf"][counter]);
           groupsList.Append("\r\n");
    }
}

txtResults.Text = groupsList.ToString();

当我运行此代码时,我在 search.FindOne() 上收到以下错误:

System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at WebApplication1._Default.btnSearch_Click(Object sender, EventArgs e)

我们对此进行了大量研究并进行了调整我们能想到的所有 IIS7 设置,但到目前为止还没有。有什么线索吗?

原文

I'm attempting to query AD in an ASP.Net (4.0) application that is running on Windows Server 2008 R2 (IIS7 installed). (It also fails when running as a 2.0 application as well)

This is nothing new for me, as I've done this many times before. I wrote a small ASP.Net program that runs fine on my own machine (Windows XP with IIS6), but fails when run on the 2008 box.

(The result is that you see a list of groups the user is a member of in a textbox)

(on button_click) 
var userName = txtUserName.Text;

if (userName.Trim().Length == 0)
{
     txtResults.Text = "-- MISSING USER NAME --";
     return;
}

var entry = new DirectoryEntry("LDAP://blah.blah/DC=blah,DC=blah",
                               "cn=acct, dc=blah, dc=blah",
                               "pass");

var search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + userName + ")";
search.PropertiesToLoad.Add("memberOf");

var groupsList = new StringBuilder();

var result = search.FindOne();

if (result != null)
{
   int groupCount = result.Properties["memberOf"].Count;

   for (int counter = 0; counter < groupCount; counter++)
   {
           groupsList.Append((string)result.Properties["memberOf"][counter]);
           groupsList.Append("\r\n");
    }
}

txtResults.Text = groupsList.ToString();

When I run this code I get the following error on search.FindOne():

System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at WebApplication1._Default.btnSearch_Click(Object sender, EventArgs e)

We've done a lot of research with this and twiddled every IIS7 setting we can think of, but no go so far. Any clues?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

久随 2024-09-20 17:58:14

将用户名参数从“cn=xxx, dc=yyy, dc=zzz”更改为“域\用户名”

Change the username parameter from "cn=xxx, dc=yyy, dc=zzz" to "Domain\Username"

回复 原文
猫七 2024-09-20 17:58:14

您还可以更改 IIS 应用程序池以运行具有您正在搜索的查询权限的域帐户。

我还有一些其他评论:

  1. 确保 DirectoryEntry 构造函数的第一个条目也包含用户的容器。这应该有助于 DirectorySearcher 更可靠地工作。
  2. 我相信 DirectoryEntry 构造函数中的第二个参数应该是用户名,而不是 AD 查询路径。
  3. 您还应该设置 AuthenticationType 属性。对于 Server 2008,默认情况下需要将其设置为 AuthenticationTypes.Secure | AuthenticationTypes.ServerBind | AuthenticationTypes.ServerBind |验证类型.密封。我猜 2008R2 有类似的要求。

You can also change the IIS Application Pool to run a domain account with the query priveleges you are searching for.

I have a few other comments as well:

  1. Make sure the first entry for the DirectoryEntry constructor includes the container for the users as well. This should help the DirectorySearcher to work more reliably.
  2. I believe the second parameter in the DirectoryEntry constructor should be the user name, not the AD query path.
  3. You should set the AuthenticationType property as well. With Server 2008, by default, this needs to be set to AuthenticationTypes.Secure | AuthenticationTypes.ServerBind | AuthenticationTypes.Sealing. I'd guess that 2008R2 has a simliar requirement.
回复 原文
怪我入戏太深 2024-09-20 17:58:14

我发现这个问题相当老了,但在努力解决这个问题之后,我想提一下,确实可以使用 LDAP 样式的用户名(与 DNS 样式相反)。这对我来说效果很好:

    string connString = "LDAP://MyDomain/CN=blah,DC=blah,DC=blah";
    string username = "CN=MyAdmin,CN=Users,CN=blah,DC=blah,DC=blah";
    string password = "myLittleSecret";
    DirectoryEntry root = new DirectoryEntry(
         connString, 
         username, 
         password, 
         AuthenticationTypes.None);

其中 MyAdminAdministrators 角色的成员。

我花了一段时间才找到的一件小事是,如果您不想通过 SSL 进行通信,则需要使用 AuthenticationTypes.None 参数。当然,您希望在生产中执行此操作,但出于开发目的,跳过加密可能是可以的。

环境:Windows 7

I see that the question is rather old, but after struggling with this I thought to mention that it is indeed possible to use the LDAP-style of the username (in opposite to the DNS style). This works well for me:

    string connString = "LDAP://MyDomain/CN=blah,DC=blah,DC=blah";
    string username = "CN=MyAdmin,CN=Users,CN=blah,DC=blah,DC=blah";
    string password = "myLittleSecret";
    DirectoryEntry root = new DirectoryEntry(
         connString, 
         username, 
         password, 
         AuthenticationTypes.None);

Where MyAdmin is a member in the Administrators role.

One little thing that took me a while to find is the AuthenticationTypes.None parameter that is needed if you do not want to communicate over SSL. Surely, you want to do this in production, but for development purposes it may be OK to skip the encryption.

Environment: Windows 7

回复 原文
记忆里有你的影子 2024-09-20 17:58:14

当尝试查询活动目录时,我也遇到了此异常:

SearchResult result = srch.FindOne();

要解决此问题,只需将上述代码放入 Security.RunWithElevatedPrivileges() 中即可。

最终解决方案:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    result = srch.FindOne();
});

I was also getting this exception when tried to query the active directory:

SearchResult result = srch.FindOne();

To resolve this, just put the above code inside Security.RunWithElevatedPrivileges().

Final Solution:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    result = srch.FindOne();
});
回复 原文
~没有更多了~

关于作者

嘿嘿嘿

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文