IIS 部署在 cassini 中正常工作后,PrincipalContext.ValidateCredentials 停止验证
我有以下代码片段来测试 AD 的纯文本用户名/密码,如果我在 Visual Studio 中按 F5 并通过 WCFTestClient 尝试它,效果很好,但是一旦我部署到 IIS 并尝试相同的功能,它就会ValidCredentials 永远不会返回 true;是否需要为应用程序池运行的身份设置一些安全方面的信息?
我尝试将应用程序池身份设置为我自己的帐户(域管理员)只是为了测试这是否是问题所在,但这也没有帮助,所以我对如何解决这个问题有点迷失。
该网站(自定义 API)设置了匿名访问。
try
{
// create a "principal context" - e.g. your domain (could be machine, too)
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, DomainName))
{
// validate the credentials
if (pc.ValidateCredentials(UserName, Password))
{
IsValid = true;
break;
}
}
}
catch (Exception)
{
LoggingControler.LogWarning(null, "Unreachable Domain: " + Domain);
}
我又回顾了一遍,这一切都归功于Windows中的权利。网络服务不知何故没有足够的权限来执行 PrincipalContext.ValidateCredentials。如果我将应用程序池标识更改为域管理员的标识,则代码可以正常工作。
如果有人可以告诉我如何设置一个具有适当权限的受限用户帐户来执行 PrincipalContext.ValidateCredentials,我就可以完成此任务。
I have the following code snippet to test a plain-text username/password against the AD, which works fine if I hit F5 in visual studio and try it via the WCFTestClient, but once I deploy to IIS and try the same function, it will never return true for ValidCredentials; is there something security wise that needs to be set for the Identity that the Application Pool runs under?
I tried setting the App Pool identity to my own account (domain admin) just to test if this was the problem, but that didn't help either, so I'm a bit lost as to how to fix this.
The site (Custom API) has anonymous access set up.
try
{
// create a "principal context" - e.g. your domain (could be machine, too)
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, DomainName))
{
// validate the credentials
if (pc.ValidateCredentials(UserName, Password))
{
IsValid = true;
break;
}
}
}
catch (Exception)
{
LoggingControler.LogWarning(null, "Unreachable Domain: " + Domain);
}
I've gone over things again, and it's all due to Rights in Windows. Network Service somehow doesn't have enough rights to execute PrincipalContext.ValidateCredentials. If I change the Application Pool Identity to the identity of a Domain Administrator, the code works.
If someone can tell me how to set up a Limited User account with the proper rights to execute PrincipalContext.ValidateCredentials, I can finish this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
好的,我终于通过 https://stackoverflow 找到了自己的答案.com/questions/5140377/query-activedirectory-sometimes-not-working-asp-net-c 和 https://elgg.leeds.ac.uk/webteam/weblog/15385.html< /a>
正如我发现的,“网络服务”应用程序池标识是解决此问题的关键...
添加读取权限不起作用;所以还有其他问题。
Ok, I've finally found my own answer via https://stackoverflow.com/questions/5140377/query-activedirectory-sometimes-not-working-asp-net-c and https://elgg.leeds.ac.uk/webteam/weblog/15385.html
As I've discovered, "Network Service" application pool identity holds the key to this problem...
Adding the read rights didn't work; so there's still something else wrong.
您是否在 IIS 中启用了 Windows 身份验证
Did you enable Windows Authentication in IIS