Active Directories UserPrincipal.Current.GetGroups() returns group on local not on web server


Problem description

The following works great on my local development box. However when I move it to the web server it fails and will not even log the error:

using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static class AuthorizationGroups
{
    public static List<string> getAuthorizationGrps(string userName)
    {
        List<string> grps = new List<string>();

        try
        {
            // UserPrincipal.Current resolves the identity of the current thread,
            // i.e. the impersonated web client when ASP.NET impersonation is on.
            PrincipalSearchResult<Principal> groups = UserPrincipal.Current.GetGroups();
            IEnumerable<string> groupNames = groups.Select(x => x.SamAccountName);
            foreach (var name in groupNames)
            {
                grps.Add(name);
            }
            return grps;
        }
        catch (Exception ex)
        {
            Log.WriteLog("Error in retrieving form data: " + ex.Message);
        }
        // Reached only when the lookup failed: return the (empty) list.
        return grps;
    }
}

Are there permissions that I must set on the web server to query the groups? I can get the current user with no problem both locally and on the web server.

Any ideas would be greatly appreciated; I have been fighting this for 2 days now.

Recommended answer

I think this is your environment:

Web browser --> Web Server --> Domain Controller

Unless you are running the Web Browser and Web Server or Web Server and Domain Controller on the same machine, you need to set up the Kerberos delegation to make the above code work. I am guessing your dev box is working because you are running Web Browser and Web Server on the same machine.

You can easily find tons of articles teaching you how to configure Kerberos delegation for IIS and ASP.NET from Google. Here is one example. I won't cover the details here. The point is that your ASP.NET application is impersonating the client credentials and trying to use those client credentials to query Active Directory. If you don't have delegation set up properly, Windows will think that your impersonated credentials cannot access the network. In your case, you cannot access the Domain Controller. This is a security measure. It's just to make sure the server cannot do things on behalf of the end user on the network unless it's explicitly granted the permissions to do that.

Another solution is to change your code. So, before you call GetGroups, you undo the impersonation and become the IIS AppPool account again. If your AppPool account is configured to be a domain account, which has enough permissions to read Active Directory, then you can query Active Directory for the groups of the user.

Here is a blog talking about this. This is the code that I think should work without any Kerberos delegation setup. I didn't test it though.

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Runtime.InteropServices;

public static class AuthorizationGroups
{
    // Win32 API: drops the thread's impersonation token so the thread runs as the
    // process identity (the IIS AppPool account) again for the rest of the request.
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool RevertToSelf();

    public static List<string> getAuthorizationGrps(string userName)
    {
        List<string> grps = new List<string>();
        try
        {
            // Resolve the impersonated caller first, then revert so that the
            // directory query below runs under the AppPool account.
            var currentUser = UserPrincipal.Current;
            if (!RevertToSelf()) throw new Win32Exception(Marshal.GetLastWin32Error());
            PrincipalSearchResult<Principal> groups = currentUser.GetGroups();
            IEnumerable<string> groupNames = groups.Select(x => x.SamAccountName);
            foreach (var name in groupNames)
            {
                grps.Add(name);
            }
            return grps;
        }
        catch (Exception ex)
        {
            Log.WriteLog("Error in retrieving form data: " + ex.Message);
        }
        // Reached only when the lookup failed: return the (empty) list.
        return grps;
    }
}
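An added example (not code from the question or the answer above) of the second approach the answer describes: rather than impersonating the caller and reverting, bind to the domain as the process (AppPool) identity with PrincipalContext and look up the user named by the userName parameter, which both posted snippets leave unused. It assumes the AppPool runs as a domain account with read access to the directory; the class name AdGroupLookup and the method names are mine.

```csharp
// Added example, not from the original question or answer: resolve the groups of
// the named user under the process (IIS AppPool) identity instead of the impersonated
// web client, so no Kerberos delegation to the domain controller is needed.
// Assumes the AppPool runs as a domain account with read access to Active Directory.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static class AdGroupLookup   // hypothetical class name
{
    // Returns the SamAccountNames of all groups the user belongs to (nested included),
    // an empty list if the user does not exist, and throws if the directory cannot be
    // queried, so that a failed lookup is never mistaken for "member of no groups".
    public static List<string> GetAuthorizationGroups(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("userName is required", nameof(userName));
        // ContextType.Domain with no explicit credentials binds as the process
        // identity (the AppPool account), not as the impersonated caller.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        // The two-argument overload accepts DOMAIN\user, user@domain or a plain
        // sAMAccountName, which covers what HttpContext.User.Identity.Name supplies.
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName))
        {
            if (user == null)
                return new List<string>();
            // GetAuthorizationGroups() expands nested membership, which is what an
            // access decision needs; GetGroups() lists direct membership only.
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                return groups
                    .Select(g => g.SamAccountName)
                    .Where(n => !string.IsNullOrEmpty(n))
                    .Distinct(StringComparer.OrdinalIgnoreCase)
                    .OrderBy(n => n, StringComparer.OrdinalIgnoreCase)
                    .ToList();
            }
        }
    }

    // Authorization helper: true only when the user is confirmed to be in the group.
    public static bool IsMemberOf(string userName, string groupSamAccountName)
    {
        return GetAuthorizationGroups(userName)
            .Contains(groupSamAccountName, StringComparer.OrdinalIgnoreCase);
    }
}
```

Because the query runs as the AppPool account, a directory failure surfaces as an exception in the application log rather than as a silently empty group list.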
