Active directory - exception has been thrown by the target of an invocation


Problem description

I have a web application on a separate server from Active Directory and I want to change a user password. The code is as follows:

string newPassword = Membership.GeneratePassword(
    int.Parse(WebConfigurationManager.AppSettings["passLenght"]),
    int.Parse(WebConfigurationManager.AppSettings["passNonAlpha"]));

DirectoryEntry de = new DirectoryEntry(
    WebConfigurationManager.ConnectionStrings["ADConnString"].ConnectionString,
    WebConfigurationManager.AppSettings["ADAdmin"],
    WebConfigurationManager.AppSettings["ADAdminPass"]);

DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(objectClass=user) (userPrincipalName=" + name + "))";

SearchResultCollection results = deSearch.FindAll();

if (results.Count == 1)
{
   foreach (SearchResult OneSearchResult in results)
   {
      DirectoryEntry AlterUser = OneSearchResult.GetDirectoryEntry();
      AlterUser.AuthenticationType = AuthenticationTypes.Secure;
      AlterUser.Invoke("SetPassword", newPassword);
      AlterUser.CommitChanges();
      AlterUser.Close();
   }
}

When I run this in my development environment (where Active Directory and the web application are on the same server) it works. But when I try to run it in the production environment I get the following error:

Exception has been thrown by the target of an invocation

What am I missing?

Thanks.

I was able to dig deeper into the exception, and I got this:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Recommended answer

Permissions are the issue. The account under which your ASP.NET code is running doesn't have the permission to set the account password.

Either:

  • Run the AppPool under a user that has the required permissions, or
  • Use impersonation to elevate the permissions for the SetPassword call

The reason it is working in your dev environment/failing in production is likely due to a combination of:

  • You are running the app under the Visual Studio development web server that runs under your user account, which has the necessary permissions. Running it under "real" IIS will run it under a less privileged account.
  • In the live environment there's another machine hop from the web server to the AD server, and the credentials don't get passed along. The web server needs to have network credentials (either as part of the AppPool identity, or a call to LogonUser) in order to authenticate to AD.
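
An added example (not part of the original question or answer) of the same reset with the inner exception unwrapped, so that E_ACCESSDENIED is reported together with the bind account and the process (AppPool) identity; it also escapes the UPN before placing it in the LDAP filter. The class, method and parameter names are hypothetical, and it assumes .NET Framework 4.5+ and C# 6.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Security.Principal;
using System.Text;

public static class AdPasswordReset   // hypothetical helper, not from the page
{
    const int E_ACCESSDENIED = unchecked((int)0x80070005);
    // RFC 4515 escaping so a UPN taken from user input cannot alter the search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    public static void SetPassword(string ldapPath, string bindUser, string bindPass,
                                   string upn, string newPassword)
    {
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPass, AuthenticationTypes.Secure))
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = "(&(objectClass=user)(userPrincipalName=" + EscapeFilterValue(upn) + "))";
            using (SearchResultCollection results = search.FindAll())
            {
                if (results.Count != 1)
                    throw new InvalidOperationException("Expected exactly one match for the UPN.");
                using (DirectoryEntry user = results[0].GetDirectoryEntry())
                {
                    try { user.Invoke("SetPassword", newPassword); }
                    catch (TargetInvocationException ex) when (ex.InnerException != null)
                    {
                        // Invoke wraps the ADSI failure; the HRESULT is on the inner exception.
                        if (ex.InnerException.HResult == E_ACCESSDENIED)
                            throw new UnauthorizedAccessException(
                                "Password reset denied. Bind account: " + bindUser + ", process identity: "
                                + WindowsIdentity.GetCurrent().Name, ex.InnerException);
                        throw;
                    }
                }
            }
        }
    }
}
```

The message names both identities so the log shows whether the denial applies to the account passed to DirectoryEntry or to the identity the worker process runs as.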
