C# 的 Active Directory 查找在服务器上失败,但在本地工作
在我的工作场所,我必须处理 2 个不同的域 x.com(父目录)及其子域 yxcom
父域(x.com)拥有所有 Active Directory 用户、计算机等。 .com 域我可以很好地阅读活动目录用户的电子邮件。
服务器位于域 yxcom 中,它是 x 的子域。在服务器上,Active Directory 读取失败,并且未从 Active Directory 读取电子邮件地址。
除此之外,我尝试从位于 yxcom 域(与服务器相同)的虚拟机中使用相同的代码,令我惊讶的是,这有效。
我正在 .NET 中使用目录服务来执行此操作,我的代码如下:
string userEmail = string.Empty;
try
{
accountName = accountName.Replace(ConfigurationManager.AppSettings["DomainName"].ToString(), "");
DirectorySearcher ds = new DirectorySearcher()
{
SearchRoot = new DirectoryEntry()
{
Path = ConfigurationManager.AppSettings["DirectoryPath"].ToString(),
AuthenticationType = AuthenticationTypes.Secure
}
};
ds.Filter = "(SAMAccountName=" + accountName + ")";
ds.PropertiesToLoad.Add(ConfigurationManager.AppSettings["ADMailPropertyName"].ToString());
SearchResult result = ds.FindOne();
if (result != null)
{
userEmail = result.Properties[ConfigurationManager.AppSettings["ADMailPropertyName"].ToString()][0].ToString();
}
}
catch (Exception e)
{
//Log error
}
return userEmail;
任何帮助将不胜感激。
At my workplace I have to deal with 2 different domains x.com (the parent directory) and it's subdomain y.x.com
The parent domain(x.com) has all the active directory users, computers etc. From my local workstation which sits in the x.com domain i can read emails for the active directory users just fine.
The server sits in domain y.x.com a sub domain of x. On the server the active directory read is failing and the email address is not being read from active directory.
In addition to this i tried to the same code from a virtual machine which sits in the y.x.com domain (same as the server) and to my surprise this worked.
I am using directory services in .NET to do this and my code is below:
string userEmail = string.Empty;
try
{
accountName = accountName.Replace(ConfigurationManager.AppSettings["DomainName"].ToString(), "");
DirectorySearcher ds = new DirectorySearcher()
{
SearchRoot = new DirectoryEntry()
{
Path = ConfigurationManager.AppSettings["DirectoryPath"].ToString(),
AuthenticationType = AuthenticationTypes.Secure
}
};
ds.Filter = "(SAMAccountName=" + accountName + ")";
ds.PropertiesToLoad.Add(ConfigurationManager.AppSettings["ADMailPropertyName"].ToString());
SearchResult result = ds.FindOne();
if (result != null)
{
userEmail = result.Properties[ConfigurationManager.AppSettings["ADMailPropertyName"].ToString()][0].ToString();
}
}
catch (Exception e)
{
//Log error
}
return userEmail;
Any help would be appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您的程序在服务器上运行的用户帐户是否具有 Active Directory 的必要权限?
Does the user-account that your program runs as on the server have the necessary permissions to Active Directory?
服务器进程可能在某个本地计算机帐户(系统、本地)下运行。您可能需要向DirectoryEntry 构造函数的此重载提供正确的凭据 。
the server process is probably running under some local machine account (system, local). You probably need to supply proper credentials to this overload of the DirectoryEntry constructor.
对 Greg 答案的评论指出您使用 1) 模拟和 2) Windows 身份验证。这意味着您的服务器知道您是谁,并且正在冒充您。
但是...您的服务器无法将这些凭据委托给远程服务器(x.com 域服务器)。这是一个潜在的安全漏洞,如果可能的话,允许网站将您的凭据转发给任何第三方。
一种解决方案是使用 kerberos 身份验证并启用服务器进行委派。我自己从来没有这样做过,所以不能真正帮助你了解细节。
您可以在 双跳问题。
The comment on Greg's answer states that you use 1) impersonation and 2) windows authentication. This means that your server knows who you are, and are impersonating you.
But... your server can not delegate those credentials to the remote server (the x.com domain server). This is a potential security breach which, if it was possible, allow a site to forward your credentials to any third party.
One solution is to use kerberos authentication and enable your server for delegation. I've never done this myself, so cant really help you out with the details.
You can read more about it at The Double-Hop Problem.