UserPrincipal.GetGroups vs. UserPrincipal.GetAuthorizationGroups

Published 2019-04-21 12:38

Question:

I am using ASP.Net 4.0 MVC to query Active Directory. I am trying to get a list of a user's group memberships and then iterate through them. I am having a weird problem. To get the groups I was using:

    PrincipalSearchResult<Principal> groups = up.GetGroups();

Which worked great on localhost but returns an empty set when moved to IIS6. So I tried using this:

    PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups();

Which worked great on IIS6 but returns an empty set on localhost. What is the difference between these 2 methods? Why can I use one in IIS6 and not on localhost? Why can I use the other one on localhost and not in IIS6?

Answer 1:

I assume GetAuthorizationGroups() calls into tokenGroups in AD. To read that, your service account (or IIS machine account if Network Service) needs to be in the Windows Authorization Access Group in AD.



Answer 2:

The why part has been answered, but this may help someone wanting to know the functional difference between the two methods. From MS documentation:

GetGroups - Returns a collection of group objects that specify the groups of which the current principal is a member.

This overloaded method only returns the groups of which the principal is directly a member; no recursive searches are performed.

GetAuthorizationGroups - Returns a collection of principal objects that contains all the authorization groups of which this user is a member. This function only returns groups that are security groups; distribution groups are not returned.

This method searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that the system would consider the user a member of for authorization purposes.

So GetGroups gets all groups of which the user is a direct member, and GetAuthorizationGroups gets all authorization groups of which the user is a direct or indirect member.

Despite the way they are named, one is not a subset of the other. There may be groups returned by GetGroups not returned by GetAuthorizationGroups, and vice versa.
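The following is an added example, not code from the question or either answer. It puts both points on one page into practice: it first checks Answer 1's precondition (is the identity that will run the query a member of "Windows Authorization Access Group", counting nested membership), then resolves one user and diffs what GetGroups() and GetAuthorizationGroups() return, catching the PrincipalOperationException that GetAuthorizationGroups() raises when the lookup fails. The domain name, user name and app-pool account below are placeholders I chose; it has to run as a domain-joined console app with a reference to System.DirectoryServices.AccountManagement, since there is no way to exercise these calls offline.

```csharp
// Added example (not from the question or either answer). Placeholders:
// Domain, UserName and AppPoolAccount are assumptions; replace them.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class GroupMembershipDemo
{
    const string Domain = "corp.example.com";   // placeholder
    const string UserName = "jdoe";             // placeholder
    const string AppPoolAccount = "WEB01$";     // placeholder: machine account when IIS runs as Network Service

    // Answer 1's precondition: the account performing the lookup must be able to
    // read tokenGroups, which Windows grants to members of this built-in group.
    // GetMembers(true) enumerates recursively so nested membership also counts.
    static bool CanReadTokenGroups(PrincipalContext ctx, string account)
    {
        var waag = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, "Windows Authorization Access Group");
        var svc = Principal.FindByIdentity(ctx, account);
        if (waag == null || svc == null) return false;
        return waag.GetMembers(true).Any(m => m.Sid == svc.Sid);
    }

    // Key each result set by SID so the two collections can be diffed reliably;
    // well-known groups may have no SamAccountName, so fall back to Name.
    static Dictionary<string, string> ToMap(IEnumerable<Principal> groups) =>
        groups.ToDictionary(g => g.Sid.Value, g => g.SamAccountName ?? g.Name);

    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            Console.WriteLine($"{AppPoolAccount} in Windows Authorization Access Group: {CanReadTokenGroups(ctx, AppPoolAccount)}");

            var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, UserName);
            if (user == null) { Console.WriteLine("user not found"); return; }

            // Direct membership only; includes distribution groups.
            var direct = ToMap(user.GetGroups());

            // Recursive, security groups only; requires tokenGroups read access.
            Dictionary<string, string> authz;
            try
            {
                authz = ToMap(user.GetAuthorizationGroups());
            }
            catch (PrincipalOperationException ex)
            {
                // Seen when the caller cannot read tokenGroups, e.g. missing WAAG membership.
                Console.WriteLine($"GetAuthorizationGroups failed: {ex.Message}");
                return;
            }

            Console.WriteLine("Only in GetGroups (direct members, including distribution groups):");
            foreach (var kv in direct.Where(kv => !authz.ContainsKey(kv.Key)))
                Console.WriteLine($"  {kv.Value}");

            Console.WriteLine("Only in GetAuthorizationGroups (nested groups and well-known SIDs):");
            foreach (var kv in authz.Where(kv => !direct.ContainsKey(kv.Key)))
                Console.WriteLine($"  {kv.Value}");
        }
    }
}
```

Diffing by SID rather than by display name matters because the two methods can return the same group under different name properties, and it makes the "neither is a subset of the other" point from this answer visible on real data: distribution groups show up only in the first list, while nested security groups and well-known identities show up only in the second.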