System.DirectoryServices.AccountManagement.PrincipalContext and impersonation in a WCF service
Working with the PrincipalContext in code that lies behind a WCF service. The WCF service is impersonating, to allow a 'pass-through' type authentication.

While everything else I do with Active Directory (mostly the System.DirectoryServices.Protocols namespace) works fine in this scenario, for some reason the classes in System.DirectoryServices.AccountManagement throw a fit. Sample code that fails:

    // Bind with the impersonated caller's identity (no explicit credentials).
    PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName);
    UserPrincipal user =
        UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

When I make the call to FindByIdentity, I get a COMException: "An operations error has occurred". Calls to the PrincipalContext also fail, e.g.:

    string server = context.ConnectedServer;

Both OperationContext.Current.ServiceSecurityContext and Thread.CurrentPrincipal.Identity show the impersonation is working correctly. And, like I say, other AD tasks in S.DS.P work fine.

If I explicitly set credentials on the PrincipalContext, everything works. For example:

    // credUser / credPassword are the explicit credentials used for the bind;
    // UserName is the account being looked up.
    PrincipalContext context =
        new PrincipalContext(ContextType.Domain, domainName, credUser, credPassword);
    UserPrincipal user =
        UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

Now everything works. But I won't know the username and password from the caller; I must rely on the impersonation.

Any ideas on what would cause the issue I'm seeing?

Thanks in advance!
James
Make sure an SPN is set for the app pool, delegation is set in AD, and that the app pool account has the "Act as part of the operating system" privilege.
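The three conditions in that comment can be verified from the web host before touching the service code. The script below is an added example, not from the question or the comment; the account name `CORP\svc-wfc`, the host `wcfhost.corp.example` and the HTTP SPN form are assumed placeholders, and it needs the RSAT ActiveDirectory module and an elevated prompt (for secedit).

```powershell
# Added check script (not part of the original thread). Verifies, for an IIS app pool
# identity that impersonates callers and then binds to AD: (1) an SPN is registered,
# (2) Kerberos delegation is configured, (3) SeTcbPrivilege is held on this host.
param(
    [string]$AppPoolAccount = 'CORP\svc-wcf',          # assumed placeholder
    [string]$WebHost        = 'wcfhost.corp.example'   # assumed placeholder (site FQDN)
)
Import-Module ActiveDirectory

$sam  = $AppPoolAccount.Split('\')[-1]
$acct = Get-ADUser -Identity $sam -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 1. SPN: without an HTTP SPN for the site's host name Kerberos is never negotiated,
#    the client falls back to NTLM, and there is no ticket to delegate to AD.
$wantedSpn = "HTTP/$WebHost"
if ($acct.servicePrincipalName -contains $wantedSpn) {
    "OK   SPN $wantedSpn is registered on $sam"
} else {
    "FAIL SPN $wantedSpn missing (have: $($acct.servicePrincipalName -join ', '))"
}

# 2. Delegation: unconstrained (TrustedForDelegation) or constrained to specific
#    services (msDS-AllowedToDelegateTo). Constrained is the lower-risk setting.
if ($acct.TrustedForDelegation) {
    "OK   unconstrained delegation enabled on $sam (consider constrained instead)"
} elseif ($acct.'msDS-AllowedToDelegateTo') {
    "OK   constrained delegation to: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
} else {
    "FAIL no delegation configured for $sam"
}

# 3. Local privilege: SeTcbPrivilege = 'Act as part of the operating system'.
#    secedit exports [Privilege Rights] as 'SeTcbPrivilege = *SID,*SID'; only direct
#    grants are matched here, a grant via group membership is not resolved.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg | Out-Null
$sid = $acct.SID.Value
$tcb = Get-Content $cfg | Where-Object { $_ -like 'SeTcbPrivilege*' }
if ($tcb -and ($tcb -match [regex]::Escape($sid))) {
    "OK   $sam holds SeTcbPrivilege on $env:COMPUTERNAME"
} else {
    "FAIL SeTcbPrivilege not granted directly to $sam on $env:COMPUTERNAME (line: $tcb)"
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```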