UserPrincipal.FindByIdentity 坚持“服务器上没有这样的对象". [英] UserPrincipal.FindByIdentity Insists "There is no such object on the server."

问题描述

我目前的目标是使用 System.DirectoryServices.AccountManagement 程序集中的实用程序为基于域安全组的 ASP.NET 应用程序实现只读角色提供程序.我有以下代码在我的开发域中运行良好，但在部署环境中失败:

使用 myContext 作为新的 PrincipalContext(ContextType.Domain, Nothing, "DC=My,DC=Controller", accountName, accountPassword)尝试Dim p As UserPrincipal = UserPrincipal.FindByIdentity(myContext, IdentityType.SamAccountName, userName)Dim 组 = p.GetAuthorizationGroups()对于每个 g 组Debug.WriteLine("找到安全组:" & g.DisplayName & vbNewLine)下一个Catch ex 作为例外Debug.WriteLine("遇到异常:" & vbNewLine & ex.ToString())结束尝试结束使用

异常堆栈跟踪返回如下:

<前>System.DirectoryServices.AccountManagement.PrincipalOperationException:服务器上没有这样的对象.---> System.DirectoryServices.DirectoryServicesCOMException (0x80072030): 服务器上没有这样的对象.在 System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)在 System.DirectoryServices.DirectoryEntry.Bind()在 System.DirectoryServices.DirectoryEntry.get_SchemaEntry()在 System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)在 System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)在 System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry 条目)在 System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()--- 内部异常堆栈跟踪结束 ---在 System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()在 System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()在 System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()在 System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()在 System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)在 System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)在 System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

我知道这里明显的问题"是确定对象实际上存在于服务器上.但是，我可以毫无疑问地确认，无论我使用哪个帐户的 SAM 帐户名，我都会从通话中收到相同的结果.此外，微软的 ActiveDirectoryMembershipProvider 对相同的 SAM 帐户名进行身份验证没有问题，我能够使用该信息通过 DirectorySearcher 类.我能确定的开发网络和部署之间的唯一区别是部署环境的 DC 是 Windows Server 2003 机器，而我在本地使用 Windows Server 2008 DC 进行开发.我可能会忽略什么?

解决方案

由于某种原因，问题出在域控制器的路径上.将路径描述为 DC=box123,DC=dom 不起作用，但使用路径 box123.dom 起作用.不知道为什么，这不是我可以在本地域上复制的行为，但这解决了问题.

经过进一步调查，构造 DC=box123,DC=dom 当缩减为 DC=dom 时也能正常运行.我不了解寻址的动态，但我能够通过使用 DirectorySearcher 对象显示示例用户的路径来确定问题，该对象显示我的用户的路径为:LDAP://box123.dom/CN=username/CN=Users/DC=dom

I am currently aiming to implement a read-only role provider for an ASP.NET application based on domain security groups using the utilities in the System.DirectoryServices.AccountManagement assembly. I have the following piece of code which works fine on my development domain, but fails in the deployment environment:

Using myContext As New PrincipalContext(ContextType.Domain, Nothing, "DC=My,DC=Controller", accountName, accountPassword)
    Try
        Dim p As UserPrincipal = UserPrincipal.FindByIdentity(myContext, IdentityType.SamAccountName, userName)
        Dim groups = p.GetAuthorizationGroups()
        For Each g In groups
            Debug.WriteLine("Found security group: " & g.DisplayName & vbNewLine)
        Next
    Catch ex As Exception
        Debug.WriteLine("Encountered an exception: " & vbNewLine & ex.ToString())
    End Try
End Using

The exception stack trace returns as follows:

    System.DirectoryServices.AccountManagement.PrincipalOperationException: There is no such object on the server.
     ---> System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
       at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
       at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
       at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
       --- End of inner exception stack trace ---
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
       at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

I know the obvious "gotcha" here is to be certain the object actually, well... exists on the server. However, I can confirm without a doubt that no matter which account's SAM Account Name I use, I receive the same result from the call. Additionally, Microsoft's ActiveDirectoryMembershipProvider has no trouble authenticating against the same SAM Account Name and I am able to find the object using that information with the DirectorySearcher class. The only differences I can identify between the development network and deployment is that the deployment environment's DC is a Windows Server 2003 box, whereas locally I am developing with a Windows Server 2008 DC. What might I be overlooking?

解决方案

For some reason, the problem lay in the path to the domain controller. Describing the path as DC=box123,DC=dom did not work, but using the path box123.dom did. Can't say why, and it's not a behavior I can duplicate on the local domain, but that resolved the issue.

EDIT:
Upon further investigation, the construction DC=box123,DC=dom when pared down to DC=dom functioned correctly as well. I don't understand the dynamics of the addressing, but I was able to determine the trouble by displaying the path to a sample user using a DirectorySearcher object, which revealed the path to my user to be: LDAP://box123.dom/CN=username/CN=Users/DC=dom

这篇关于UserPrincipal.FindByIdentity 坚持“服务器上没有这样的对象".的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！