无需使用NetworkService作为身份的DirectoryEntry身份验证 [英] DirectoryEntry Authentication without using the NetworkService as Identity
问题描述
大家好,
这是一个困扰我很多的问题,我似乎无法解决.
我有一台运行ASP.Net应用程序的IIS机器.该应用程序连接到SQL Server.
为了避免在连接字符串中包含用户名和密码,我将应用程序池的标识更改为有权访问SQL Server的用户,我们将其称为连接器".
在此应用程序中,我还使用DirectorySearcher类执行LDAP身份验证.
突然我意识到,每当我向DirectoryEntry对象构造函数提供完全限定的用户名(例如domain \ username或username @ domain)时,一切似乎都可以正常工作,但是每当我仅提供不包含域的用户名时,它就会引发异常. />
作为一些故障排除,我已将应用程序的标识更改为NetworkService,并且突然之间,无论有没有域规范,一切都可以正常工作.
我试着环顾四周,但不知道为什么会这样.
连接器"用户属于"IIS_WPG"组,他甚至是IIS计算机的本地管理员...
我需要在身份中使用连接器"用户.
关于如何解决这个问题的任何想法?而且也很高兴,有人可以向我解释为什么会这样吗?
在此先感谢,
Hello all,
Here is a question that has been bothering me a lot and I can''t seem to get resolved.
I''ve got an IIS machine that runs an ASP.Net application. This application connects to a SQL server.
To avoid having usernames and passwords in the connection string, I''ve changed the Identification of the application pool to a user that has access to the SQL server, let''s call is "Connector".
In this application I also perform LDAP authentication using the DirectorySearcher class.
Suddenly I realized that whenever I supply a fully qualified username to the DirectoryEntry object constructor (such as domain\username or username@domain) everything seems to work fine but whenever I only supply the username without the domain, it throws an exception.
As a bit of troubleshooting, I''ve changed the Identity of the application to NetworkService, and suddenly, all works fine, both with or without domain specification.
I''ve tried to look around a little bit and I don''t get why this is happening.
The "Connector" user belongs to the "IIS_WPG" group, and he even is a local admin of the IIS machine...
I need to use the "Connector" user in the Identity.
Any ideas on how to go around this? And also quite nice to have, can someone explain to me why this is happening?
Thanks in advance,
推荐答案
路易斯,
我怀疑用户连接器"仅是IIS计算机上的本地用户?当您插入域用户时会发生什么?
(是的,是的,我知道这看起来像是我在抓着稻草.)
干杯
曼弗雷德(Manfred)
Hi Luis,
I suspect the user "Connector" is a local user on the IIS machine(s) only? What happens when you plugin a domain user?
(Yes, yes I know this looks like I''m clutching at straws here.)
Cheers
Manfred
这篇关于无需使用NetworkService作为身份的DirectoryEntry身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
