使用Active Directory时DirectoryServicesCOMException(0x80072020)从ASP.NET应用程序 [英] DirectoryServicesCOMException (0x80072020) when using Active Directory from ASP.NET application
问题描述
我保持了传统的ASP.NET 3.5应用程序,查询Active Directory。该应用程序使用集成Windows身份验证,旨在利用其自身的安全上下文,而不是一个专用的用户名和密码才能连接到Active Directory。
I'm maintaining a legacy ASP.NET 3.5 application that queries Active Directory. The application uses "Integrated Windows Authentication" and is designed to connect to Active Directory using its own security context rather than a dedicated username and password.
下面是相关code。
using (DirectoryEntry root = new DirectoryEntry())
using (DirectorySearcher searcher = new DirectorySearcher(root))
{
searcher.Filter = string.Format("(&(samAccountName={0})(objectClass=user)(objectCategory=person))", userName.Trim());
SearchResultCollection results = searcher.FindAll();
}
尽管它使用ASP.NET 3.5,它需要从ASP.NET 4.0应用程序池可运行的,由于现有的基础设施的制约。
Although it uses ASP.NET 3.5, it needs to be runnable from an ASP.NET 4.0 application pool due to existing infrastructure constraints.
在调用的FindAll 抛出在某些情况下出现以下异常:
The call to FindAll throws the following exception under certain circumstances:
System.DirectoryServices.DirectoryServicesCOMException(0x80072020):发生操作错误
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
当我检查与Visual Studio调试器异常对象时,<code> ExtendedErrorMessage 属性包含的更多详细信息:
When I inspect the exception object with the Visual Studio debugger, the ExtendedErrorMessage property contains more detailed information:
000004DC:LdapErr:DSID-0C0906E8,注释:为了执行此操作成功绑定必须在连接上完成,数据0,v1db1
000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
下面的截图显示了这个看起来像在Visual Studio中的调试器:
The following screenshot shows what this looks like in Visual Studio's debugger:
我发现了一些变通办法,使这项工作,但他们都不是可以接受的对我说:
I've found some work-arounds to make this work, but none of them are acceptable to me:
- 禁用的集成Windows身份验证的,而是使用的基本身份验证的
- 在IIS,ASP.NET 2.0下运行的应用程序利用的网络服务的帐户和ASP.NET模拟的禁用的
- 只从Web服务器访问应用程序,使用的本地主机的作为主机名。
- 使用ASP.NET模拟在web.config中一个硬codeD帐户。
- Disabling Integrated Windows Authentication and instead using Basic Authentication.
- In IIS, running the application under ASP.NET 2.0 with the Network Service account and ASP.NET impersonation disabled.
- Only accessing the application from the web server, using localhost as the host name.
- Using ASP.NET impersonation with a hard-coded account in web.config.
我从网上查到了一些建议,但它们都没有彻底解决了这个问题:
What Doesn't Work
I've found some suggestions from the Internet, but none of them completely resolved the problem:
- 使用
HostingEnvironment.Impersonate()。 - 禁用模拟。
我想使这项工作,而无需重新配置在Active Directory中任何东西。它的工作原理在一定的IIS配置细如上图所示,所以我相信这应该有可能使通过重新配置应用程序或IIS(除了改变.NET framework版本)的工作。
What I Want
I would like to make this work without having to reconfigure anything in Active Directory. It works fine under certain IIS configuration as shown above, so I believe it should be possible to make it work by reconfiguring the application or IIS (except for changing the .NET framework version).
推荐答案
我相信这个问题有多种原因:
I believe the problem had multiple causes:
- 使用ASP.NET模拟的。
- 在一个ASP.NET 4.0应用程序池运行ASP.NET 3.5应用程序。
要解决的第二个,应用程序升级到ASP.NET 4.0和IIS配置为使用ASP.NET 2.0。
To resolve the second one, upgrade the application to ASP.NET 4.0 or configure IIS to use ASP.NET 2.0.
这篇关于使用Active Directory时DirectoryServicesCOMException(0x80072020)从ASP.NET应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
