从单向信任访问用户信息 [英] Accessing user info from a one way trust
问题描述
我有两个域,矿山和他们的。我的是我的地域,并具有单向信任他们(使用LDAPS端口636),使矿山信任他们,但他们不相信煤矿。我可以从他们从他们的日志将用户添加到组在我,并让用户进入机和应用程序矿井网络。信任似乎正常工作。
I have two domains, MINE and THEIRS. MINE is my local domain and has a one way trust with THEIRS (using LDAPS port 636), so that MINE trusts THEIRS but THEIRS does not trust MINE. I can add users from THEIRS to groups in MINE, and have users from THEIR log into machines and applications on the MINE network. The trust appears to be working properly.
我写了一点.NET应用程序(不ASP.Net)通过广域网来测试连接。我们有一个应用程序,是没有看到用户与他们在群体中的矿山。其他应用程序一样的SharePoint,做工精细。
I am writing a little .Net application (not ASP.Net) to test connectivity over the WAN. We have one app that isn't seeing users from THEIRS in groups in MINE. Other apps, like SharePoint, work fine.
我试着使用ASP.Net 4选项与System.DirectoryServices.AccountManagement对象,如PrincipalContext,UserPrincipal,GroupPrincipal等快速code段
I tried using ASP.Net 4 option with System.DirectoryServices.AccountManagement objects, like PrincipalContext, UserPrincipal, GroupPrincipal, etc. Quick code snippet
PrincipalContext domainContext = GetDomainContext(DomainName, ConnectionPort,
UseSpecifiedCredentials, Credentials);
GroupPrincipal theGroup = GroupPrincipal.FindByIdentity(domainContext,
IdentityType.SamAccountName, GroupName);
PrincipalCollection theUsers = theGroup.Members;
var users = from u in theUsers
select u.Name;
return users.ToArray();
这一切的伟大工程,当我直接连接到矿山。这个问题开始与连接到他们的。无论是LDAPS交通1路信任返回错误:
It all works GREAT when I connect directly to MINE. The issue comes in with connecting to THEIRS. Either the 1 way trust of the LDAPS traffic is returning the error:
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
所以,我切换到.NET中使用的DirectoryEntry,DirectorySearcher从等,这实际上是对工作他们域。2变化
So I switch to .Net 2 variations using DirectoryEntry, DirectorySearcher, etc. This actually works against THEIRS domain.
List<string> userNames = new List<string>();
string searchString = string.Format("(sAMAccountName={0})", GroupName);
SearchResult result = SearchAD(DomainName, ConnectionPort, searchString);
我可以直接连接到他们的域名,使用一些模拟在code。
I can connect directly to the THEIRS domain, using some impersonation in the code.
当我查询组在我,我回到了SID从他们的用户,而不是用户帐户。
When I query the groups in MINE, I get back the SID for the users from THEIRS, not a user account.
The following users are a member of testGroup:
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
我想在这个模拟为好,运行它从他们的用户,但没有运气。
I tried the impersonation on this as well, running it as a user from THEIRS but no luck.
我怎样才能从他们的用户信息时,用户在我的?我一定要取上述CN / SID和查询他们的域名?那我在.NET 4的东西不见了?
How can I get user info from THEIRS when the user is in MINE? Do I have to take the above CN/SID and query THEIRS domain? What am I missing in the .Net 4 stuff?
推荐答案
我假设你有你的ASP.NET的机器在我运行。
I assume you have your ASP.NET machine running in MINE.
如果您确保您使用的是域用户帐户从域中运行的应用程序你System.DirectoryServices.AccountManagement的做法应该只是工作。在正常的单向信任配置的(除非你正在做选择性身份的信任),从他们应该有权限的域用户帐户从两个矿和阅读他们。
Your System.DirectoryServices.AccountManagement approach should just work if you make sure you use a domain user account from THEIR domain to run the application. In normal one-way trust configuration (unless you are doing selective authentication trust), the domain user account from THEIR should have permissions to read from both MINE and THEIR.
要确保你从他们的域名,你可以简单的设置程序池的身份。当然,你可以使用模拟来做到这一点。
To make sure you use a domain user from THEIR domain, you can simply set the AppPool identity. Of course, you can use impersonation to do it too.
这篇关于从单向信任访问用户信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
