问题描述
在我们的系统,我们正在从Active Directory读两种方式略有不同的用户安全组。在一种情况下,由AD返回组列表中缺少域本地组。从GetAuthorizationGroups(响应)是依赖于所使用PrincipalContext。在发生故障的情况下GetAuthorizationGroups()将只返回全局组。其结果是缺少从AD所有域本地组。任何人都可以请解释一下为什么?
In our system we are reading user security groups from an Active Directory in two slightly different ways. In one case the list of groups returned by the AD is missing the domain local groups. The response from GetAuthorizationGroups () is dependent on the used PrincipalContext. In the failing scenarios GetAuthorizationGroups() will only return global groups. The result is missing all domain local groups from the AD. Can anyone please explain why?
如果不解决方案:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net");
var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");
PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();
在这种情况下,处理由用户A执行。 用户A是该域our.domain.net中的一员。 用户A是非常相同的用户在工作溶液中的具体确定用户。该PrincipalContext应因为这一点是相同的PrincipalContext在工作溶液。从GetAuthorizationGroups()从AD的响应在此解决方案怀念域本地组。
In this case the process is executed by "UserA". "UserA" is a member of the domain "our.domain.net". "UserA" is the very same user as the specifically identified user in the working solution. The PrincipalContext should because of that be identical to the PrincipalContext in the working solution. The response from GetAuthorizationGroups() in this solution miss domain local groups from the AD.
工作方案:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net", "UserA", "PasswordA");
var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");
PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();
在这种情况下,主叫用户特别是由使用名和密码创建主语境时确定。在这种情况下,在AD返回所有的用户是其成员的组。这是我想从失败的解决方案看,以及行为。在某些情况下,我没有用户a的用户口令和这个原因,工作液是不是一个选项。
In this case the calling user is identified specifically by use name and password when creating the Principal Context. In this case the AD returns all the groups that the user is a member of. This is the behavior I would like to see from the failing solution as well. In some cases I do not have the user password of UserA and of that reason the Working solution is not an option.
请帮我理解了为什么失败的解决方案不返回所有用户是其成员组。
Please help me understand why the failing solution does not return all the groups that the user is a member of.
推荐答案
我们finaly发现了这个问题。原来,诺伊beeing编码问题都没有。奇怪的行为是由一个erronious域级别在Active Directory中造成的。
We finaly found the problem. It turned out noy beeing a coding problem at all. The strange behaviour was caused by an erronious Domain Level in the Active Directory.
域级别必须设置为2003功能级别
Domain Level had to be set to "2003 functional level"
现在它如预期工作的。
这篇关于从Active Directory中读取用户授权组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!