Error: "An operations error occurred" in System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity


Problem description

I have the following code to retrieve AD groups of a given user name in my MVC3 web application:

PrincipalContext userDomain = new PrincipalContext(ContextType.Domain, username.Split('\\')[0]);
UserPrincipal user = UserPrincipal.FindByIdentity(userDomain, username);
PrincipalSearchResult<Principal> memberOfGroups = user.GetGroups();
IEnumerator<Principal> memberOfGroupsEnumerator = memberOfGroups.GetEnumerator();
List<string> userADGroups = new List<string>();

try
{
    while (memberOfGroupsEnumerator.MoveNext())
    {
        userADGroups.Add(memberOfGroupsEnumerator.Current.ToString());
    }
}
catch
{
    // When trying to access AD groups of a different domain, issues can arise at the end of the enumerator. These may be ignored.

}

This works fine locally but when deployed onto another machine on the network errors out with the following error:

An operations error occurred.

Stack trace of the error:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at MvcSFIWebSite.Models.User..ctor(String username)

The error message is rather ambiguous and I am unable to figure out what is happening as it works fine locally.

The IIS on the machine used for deployment uses a custom account instead of the AppPool identity. Should this account be granted any permissions to access the AD group directory? Are any other settings explicitly required in IIS for this to work?

Any suggestions would be very helpful. Thanks in advance.

Recommended answer

The issue was because identity_impersonate was set to true in web.config so the user token which was being passed was a secondary token and hence could not access the Active Directory.
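
One way to keep impersonation enabled for the rest of the site while still making the directory bind with the application's own identity, shown as an added example (not code from the original post): the `AdGroupLookup` class and `GetGroupNames` method are hypothetical names, and the sketch assumes the IIS application identity (the custom account in the question) can read the domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Web.Hosting;

// Hypothetical helper, not part of the original post.
public static class AdGroupLookup
{
    // username is expected in DOMAIN\user form, as in the question.
    public static List<string> GetGroupNames(string username)
    {
        if (string.IsNullOrEmpty(username) || username.IndexOf('\\') <= 0)
            throw new ArgumentException("Expected DOMAIN\\user", "username");

        string domain = username.Split('\\')[0];
        var groups = new List<string>();

        // Switch from the impersonated caller's token to the application
        // identity for the duration of the LDAP bind and the group query.
        // The impersonated token is restored when the block is disposed.
        using (HostingEnvironment.Impersonate())
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username))
        {
            if (user == null)
                return groups; // unknown user: no groups, no NullReferenceException

            using (PrincipalSearchResult<Principal> result = user.GetGroups())
            using (IEnumerator<Principal> e = result.GetEnumerator())
            {
                while (true)
                {
                    try
                    {
                        if (!e.MoveNext()) break;
                    }
                    catch (PrincipalOperationException)
                    {
                        // Groups from another domain can fail to resolve;
                        // keep what was read so far instead of swallowing everything.
                        break;
                    }
                    using (Principal g = e.Current)
                        groups.Add(g.SamAccountName ?? g.Name);
                }
            }
        }
        return groups;
    }
}
```

Because the lookup runs as the application identity rather than as the visiting user, that account needs only read access to the directory, and the result should be treated as data about `username`, not as proof that the caller is that user.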
