FindByIdentity failing with PrincipalOperationExcep

Published 2020-07-23 04:13

Question:

I'm struggling with an issue in utilizing System.DirectoryServices.AccountManagement in my internal web application. The error is not very descriptive, but here's what's going on:

When I attempt to validate that a provided user id exists in the AD, I do so with the following code:

private bool IsWindowsIDValid(string strWindowsID)
{
    var context = new PrincipalContext(ContextType.Domain, "DOMAINSERVER", "DC=DOMAINNAME,DC=net");
    var userPrincipal = UserPrincipal.FindByIdentity(context, strWindowsID);   // exception is thrown here
    return (userPrincipal != null);
}

However, an exception is thrown at the second line, where FindByIdentity is called. Here are the exception details:

Message: "An operations error occurred."

Stack trace:

at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at *****.IsWindowsIDValid(String strWindowsID) in *****.ascx.cs:line 193

This same error occurs if I attempt to examine the ConnectedServer property of the PrincipalContext as well. However, I can attempt to validate credentials against the context (using context.ValidateCredentials()), and it will pass just fine.

Any ideas as to what may be going on? I can run this code just fine in a stand-alone console script on my machine - this is occurring in my local development environment, inside Visual Studio, when I attempt to debug the webapp. Is this a permissions issue or something else perhaps? I'm pretty lost at this point.

I appreciate any help!

-Patrick

Answer 1:

An old question, but I had this same error. For me, the problem is that PrincipalContext doesn't work without a username and password in its constructor... I get the exact same error message whenever I call any method or property of the UserPrincipal (or on the PrincipalContext for that matter).

If you specify a username and password of a domain user with Active Directory permissions to the container you're specifying, the call to FindByIdentity should succeed:

var context = new PrincipalContext(ContextType.Domain, "DOMAINSERVER",
                                   "DC=DOMAINNAME,DC=net", userName, pw); 
var userPrincipal = UserPrincipal.FindByIdentity(context, strWindowsID); 

For me, this isn't a solution, because I won't have those two parameters. But that's why you're getting the error you're getting.

According to Microsoft's help, doing it your way should run under the credentials of the calling process... but no matter who I'm running under (and I've verified the impersonation) calls to a UserPrincipal object without specifying a username and pw on its PrincipalContext just won't work.

Hope that belatedly helps, James



Answer 2:

Another belated answer to an old question, but this article helped me troubleshoot it in my case: http://support.microsoft.com/kb/329986

I was getting the "operations error" similar to the one in this post.

The clue was the suggestion to test it outside your web app. So I created a console app, added a reference to System.DirectoryServices.AccountManagement, and entered the following code:

using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

internal static class Program
{
    private static void Main(string[] args)
    {
        var adGroups = new List<string>();

        // No server or credentials given: the context binds as the identity of the running process.
        using (var principalContext = new PrincipalContext(ContextType.Domain))
        {
            using (var user = UserPrincipal.FindByIdentity(principalContext, @"MYDOMAIN\MYUSERNAME"))
            {
                if (user == null) return;

                var groups = user.GetAuthorizationGroups();
                adGroups.AddRange(from @group in groups
                                  where @group.Name.ToUpper().Contains("SOME-STRING-COMMON-TO-ALL-THE-AD-GROUPS-PERTINENT-TO-MY-MVC-APP")
                                  select @group.Name);
            }
        }
    }
}

That worked, so I was then convinced my problem was the "double hop" issue described in the MS article.

The solution was to ensure impersonation was turned on in my web.config file. (It's an intranet app, so I've got Windows authentication mode turned on, and impersonation turned on; that solved it).

<system.web>
    <httpRuntime targetFramework="4.5" />
    <compilation debug="true" targetFramework="4.5" />
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
        <deny users="?" />
    </authorization>
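The troubleshooting step both answers circle around is finding out which Windows identity the lookup actually runs under. The following diagnostic helper is an added example, not code from either answer: it reports the caller's identity (which is what PrincipalContext uses when no credentials are passed) and then performs the same lookup as the question, separating "account not found" from "could not bind". The class and method names, and the `domainController`/`container` parameters, are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Hypothetical diagnostic helper (added example). Call it once from the web
// request and once from a console app with the same arguments and compare.
public static class AdLookupDiagnostics
{
    public enum LookupResult { Found, NotFound, BindFailed }

    public static string DescribeCallerIdentity()
    {
        var id = WindowsIdentity.GetCurrent();
        // Without <identity impersonate="true"/> a web request runs as the
        // app-pool account; with it, the browser user's account is reported.
        return string.Format("Name={0}; AuthType={1}; ImpersonationLevel={2}; IsSystem={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, id.IsSystem);
    }

    public static LookupResult TryFindUser(string domainController, string container,
                                           string samAccountName, out string detail)
    {
        detail = null;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domainController, container))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                {
                    detail = "Bind succeeded; no such account.";
                    return LookupResult.NotFound;
                }
                detail = "Bound to " + ctx.ConnectedServer + "; found " + user.DistinguishedName;
                return LookupResult.Found;
            }
        }
        catch (PrincipalOperationException ex)
        {
            // "An operations error occurred" lands here: the directory refused the
            // bind under the caller's token, which is the double-hop symptom when
            // the same call works from a console app on the same machine.
            detail = "Bind failed as " + WindowsIdentity.GetCurrent().Name + ": " + ex.Message;
            return LookupResult.BindFailed;
        }
    }
}
```

A BindFailed result inside the web app paired with Found from the console app for the same inputs points at the token the web request carries rather than at the account being looked up.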