
I want to retrieve a user's group memberships from Active Directory while my machine is not joined to the domain. When I run this from inside the domain, everything works fine:

using System;
using System.DirectoryServices.AccountManagement;

// Inside the domain the default constructor lets the DC locator find a domain controller
var context = new PrincipalContext(ContextType.Domain);
var principal = UserPrincipal.FindByIdentity(context, IdentityType.Name, "administrator");

// Transitive (nested) group membership of the user
foreach (var authorizationGroup in principal.GetAuthorizationGroups())
{
    Console.WriteLine(authorizationGroup.Name);
}

But when I run it from outside the domain, I have to tell the PrincipalContext where the domain is:

var context = new PrincipalContext(ContextType.Domain, "10.0.1.255", "DC=test,DC=ad,DC=be", "administrator", "password");

When I run this code, I get an exception while executing principal.GetAuthorizationGroups(). The exception I get is:

System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()

3 Answers


Looks like a DNS problem.

The DC locator works by issuing DNS queries for SRV records to find a suitable DC in your current site. If those records are not in DNS, the DC locator fails, which is what is happening in your stack trace.

answered 2009-02-04T13:53:57.760

I just had to deal with the same problem. I hope this helps someone else.

using System;
using System.Collections.Generic;
using System.DirectoryServices;

/*Argument*/
string username;

/*Global settings*/
string ADHost = "dc.a.b.c"; /*Or ip address*/
string ADUsername = "username";
string ADPassword = "password";
string ADDomain = "a.b.c";
string ADContainer = "DC=A,DC=B,DC=C"; /*I have a function to do the translation*/
/*Global settings*/

var list = new List<string>();

/*Bind directly to the named host, so no DC locator / DNS SRV lookup is needed*/
var path = "LDAP://" + ADHost + "/" + ADContainer;
var deDomain = new DirectoryEntry(path, ADUsername, ADPassword);

/*Escape LDAP filter metacharacters (RFC 4515) so a caller-supplied username cannot change the filter*/
string safeUsername = username.Replace("\\", "\\5c").Replace("*", "\\2a")
                              .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
var ds = new DirectorySearcher(deDomain, "(&(objectClass=User)(sAMAccountName=" + safeUsername + "))");

ds.SearchScope = SearchScope.Subtree; /*Cascade*/
ds.ReferralChasing = ReferralChasingOption.All; /*Follow redirection*/

var usr = ds.FindOne();
if (null != usr)
{
    var deUsr = new DirectoryEntry(usr.Path, ADUsername, ADPassword);

    /*memberOf lists the DNs of the groups the user is a direct member of*/
    foreach (string groupDN in deUsr.Properties["memberOf"])
    {
        /*Simple RDN extraction: take the first component of the DN*/
        string[] parts = groupDN.Replace("CN=", "").Split(',');
        list.Add(parts[0]);
    }
}
answered 2013-04-05T17:47:41.177
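The memberOf loop in the answer above returns only direct memberships (no nested groups, no primary group) and its DN parsing breaks on names containing escaped commas. The following is an added example, not code from any of the answers, that instead reads the user's tokenGroups attribute (the transitive group SIDs the DC computes) and resolves each SID with an LDAP search over the same explicit connection, so it works from outside the domain without the DC locator or client-side SID translation. Host, container, and bind credentials are assumed placeholders, as in the answer above.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example; host/container/credentials are hypothetical placeholders.
static class TokenGroupsLookup
{
    // Encode raw SID bytes for use in an LDAP filter value (RFC 4515 byte escaping).
    static string EscapeBytes(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (var b in bytes) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Returns the transitive (nested) group names of the account `user`.
    public static List<string> GetNestedGroups(string host, string container,
        string bindUser, string bindPassword, string user)
    {
        var root = new DirectoryEntry("LDAP://" + host + "/" + container, bindUser, bindPassword);

        // Escape filter metacharacters so the caller-supplied name cannot alter the filter.
        var safeUser = user.Replace("\\", "\\5c").Replace("*", "\\2a")
                           .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
        var finder = new DirectorySearcher(root,
            "(&(objectCategory=person)(sAMAccountName=" + safeUser + "))",
            new[] { "distinguishedName" });
        var hit = finder.FindOne();
        var groups = new List<string>();
        if (hit == null) return groups;

        // tokenGroups is a constructed attribute and is only returned when asked for explicitly.
        var userEntry = new DirectoryEntry(hit.Path, bindUser, bindPassword);
        userEntry.RefreshCache(new[] { "tokenGroups" });

        foreach (byte[] sid in userEntry.Properties["tokenGroups"])
        {
            // Resolve each SID back to a group object on the same connection.
            var bySid = new DirectorySearcher(root, "(objectSid=" + EscapeBytes(sid) + ")",
                new[] { "sAMAccountName" });
            var g = bySid.FindOne();
            if (g != null && g.Properties["sAMAccountName"].Count > 0)
                groups.Add((string)g.Properties["sAMAccountName"][0]);
        }
        return groups;
    }
}
```

SIDs from outside the searched container (for example well-known or foreign-domain SIDs) will not be found by the objectSid lookup and are skipped.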

That could be it; I cannot verify it right now.

I tried the following: I used Sysinternals' excellent Active Directory Explorer. Logging in with the same credentials: 10.0.1.255, "administrator", "password"

Now I can see the user's groups without any problem:

["memberOf"] = "CN=TestGroup,CN=Users,DC=test,DC=ad,DC=be"
answered 2009-02-04T14:11:37.317