问题描述
我目前的目标是使用 System.DirectoryServices.AccountManagement
程序集中的实用程序为基于域安全组的 ASP.NET 应用程序实现只读角色提供程序.我有以下代码在我的开发域中运行良好,但在部署环境中失败:
使用 myContext 作为新的 PrincipalContext(ContextType.Domain, Nothing, "DC=My,DC=Controller", accountName, accountPassword)尝试Dim p As UserPrincipal = UserPrincipal.FindByIdentity(myContext, IdentityType.SamAccountName, userName)Dim 组 = p.GetAuthorizationGroups()对于每个 g 组Debug.WriteLine("找到安全组:" & g.DisplayName & vbNewLine)下一个Catch ex 作为例外Debug.WriteLine("遇到异常:" & vbNewLine & ex.ToString())结束尝试结束使用
异常堆栈跟踪返回如下:
<前>System.DirectoryServices.AccountManagement.PrincipalOperationException:服务器上没有这样的对象.---> System.DirectoryServices.DirectoryServicesCOMException (0x80072030): 服务器上没有这样的对象.在 System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)在 System.DirectoryServices.DirectoryEntry.Bind()在 System.DirectoryServices.DirectoryEntry.get_SchemaEntry()在 System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)在 System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)在 System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry 条目)在 System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()--- 内部异常堆栈跟踪结束 ---在 System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()在 System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()在 System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()在 System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()在 System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)在 System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)在 System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)我知道这里明显的问题"是确定对象实际上存在于服务器上.但是,我可以毫无疑问地确认,无论我使用哪个帐户的 SAM 帐户名,我都会从通话中收到相同的结果.此外,微软的 ActiveDirectoryMembershipProvider
对相同的 SAM 帐户名进行身份验证没有问题,我能够使用该信息通过 DirectorySearcher
类.我能确定的开发网络和部署之间的唯一区别是部署环境的 DC 是 Windows Server 2003 机器,而我在本地使用 Windows Server 2008 DC 进行开发.我可能会忽略什么?
由于某种原因,问题出在域控制器的路径上.将路径描述为 DC=box123,DC=dom
不起作用,但使用路径 box123.dom
起作用.不知道为什么,这不是我可以在本地域上复制的行为,但这解决了问题.
经过进一步调查,构造 DC=box123,DC=dom
当缩减为 DC=dom
时也能正常运行.我不了解寻址的动态,但我能够通过使用 DirectorySearcher 对象显示示例用户的路径来确定问题,该对象显示我的用户的路径为:LDAP://box123.dom/CN=username/CN=Users/DC=dom
I am currently aiming to implement a read-only role provider for an ASP.NET application based on domain security groups using the utilities in the System.DirectoryServices.AccountManagement
assembly. I have the following piece of code which works fine on my development domain, but fails in the deployment environment:
Using myContext As New PrincipalContext(ContextType.Domain, Nothing, "DC=My,DC=Controller", accountName, accountPassword)
Try
Dim p As UserPrincipal = UserPrincipal.FindByIdentity(myContext, IdentityType.SamAccountName, userName)
Dim groups = p.GetAuthorizationGroups()
For Each g In groups
Debug.WriteLine("Found security group: " & g.DisplayName & vbNewLine)
Next
Catch ex As Exception
Debug.WriteLine("Encountered an exception: " & vbNewLine & ex.ToString())
End Try
End Using
The exception stack trace returns as follows:
System.DirectoryServices.AccountManagement.PrincipalOperationException: There is no such object on the server. ---> System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_SchemaEntry() at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de) at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options) at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() --- End of inner exception stack trace --- at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
I know the obvious "gotcha" here is to be certain the object actually, well... exists on the server. However, I can confirm without a doubt that no matter which account's SAM Account Name I use, I receive the same result from the call. Additionally, Microsoft's ActiveDirectoryMembershipProvider
has no trouble authenticating against the same SAM Account Name and I am able to find the object using that information with the DirectorySearcher
class. The only differences I can identify between the development network and deployment is that the deployment environment's DC is a Windows Server 2003 box, whereas locally I am developing with a Windows Server 2008 DC. What might I be overlooking?
For some reason, the problem lay in the path to the domain controller. Describing the path as DC=box123,DC=dom
did not work, but using the path box123.dom
did. Can't say why, and it's not a behavior I can duplicate on the local domain, but that resolved the issue.
EDIT:
Upon further investigation, the construction DC=box123,DC=dom
when pared down to DC=dom
functioned correctly as well. I don't understand the dynamics of the addressing, but I was able to determine the trouble by displaying the path to a sample user using a DirectorySearcher object, which revealed the path to my user to be: LDAP://box123.dom/CN=username/CN=Users/DC=dom
这篇关于UserPrincipal.FindByIdentity 坚持“服务器上没有这样的对象".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!