Sim*_*mon 3 c# active-directory asp.net-mvc-5
我想要由用户主体从Active Directory获取用户组.为此,我编写了以下静态函数:
internal static List<ADGroup> GetGroupsByIdentity(UserPrincipal pUserPrincipal)
{
var lResult = new List<ADGroup>();
if (pUserPrincipal != null)
{
PrincipalSearchResult<Principal> lGroups = pUserPrincipal.GetAuthorizationGroups();
// iterate over all groups
foreach (Principal p in lGroups)
{
// make sure to add only group principals
if (p is GroupPrincipal)
{
var lGroupName = "";
var lGroupSid = "";
try
{
lGroupName = p.Name;
lGroupSid = p.Sid.Value;
if (!string.IsNullOrEmpty(lGroupName) && !string.IsNullOrEmpty(lGroupSid) &&
!lResult.Any(x => x.Sid == lGroupSid))
{
lResult.Add(new ADGroup(p));
}
}
catch (Exception e)
{
if (e is PrincipalOperationException || e is NoMatchingPrincipalException)
{
// perhaps the SID could not be resolved
// perhaps the SID does not exist in the AD any more
// ignore and proceed with next
p.Dispose();
continue;
}
else
{
throw;
}
}
finally
{
p.Dispose();
}
}
p.Dispose();
}
}
return lResult;
}
当用户执行此代码时,他会收到异常.这是堆栈的一部分:
System.DirectoryServices.AccountManagement.NoMatchingPrincipalException:
An error occurred while enumerating the groups. The group could not be found.
at System.DirectoryServices.AccountManagement.AuthZSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at xxx.xxxxxxxxx.Mvc.CustomSetup.ADHandler.GetGroupsByIdentity(UserPrincipal pUserPrincipal) // the function above
at ...
问题在哪里,我该如何解决?
似乎GetAuthorizationGroups()方法有一些限制.这是自2009年以来一直存在的旧例外.微软不会修复它,因为"有一个合理的解决方法".https://connect.microsoft.com/VisualStudio/feedback/details/522539/clr-forum-error-calling-principal-getauthorizationgroups-in-winxp-sp3
使用Principal.IsMemberOf()时出现此错误.我搜索了用户是否存在于自定义组列表中.如果域中不存在组,则将其抛出
System.DirectryServices.AccountManagement.NoMatchingPrincipalException
使用.IsMemberOf()的错误示例1
List<string> groups = Constants.ADGroups(); // List of AD groups to test against
var context = new PrincipalContext(
ContextType.Domain,
"Domain");
var userPrincipal = UserPrincipal.FindByIdentity(
context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
// Verify that the user is in the given AD group (if any)
foreach (var group in groups)
if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
return true;
使用.GetAuthorizationGroups()的错误示例2:
var context = new PrincipalContext(ContextType.Domain,"Domain");
var userPrincipal = UserPrincipal.FindByIdentity(
context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
if (userPrincipal != null)
{
var principalGroups = userPrincipal.GetAuthorizationGroups();
foreach (var principalGroup in principalGroups)
{
foreach (var group in groups)
{
if (String.Equals(
principalGroup.Name,
group,
StringComparison.CurrentCultureIgnoreCase))
{
return true;
}
}
}
}
解决方案1:建议的解决方法是迭代AD组:
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
var iterGroup = groups.GetEnumerator();
using (iterGroup)
{
while (iterGroup.MoveNext())
{
try
{
Principal p = iterGroup.Current;
Console.WriteLine(p.Name);
}
catch (NoMatchingPrincipalException pex)
{
continue;
}
}
}
解决方案2:我最终使用了什么(使用Windows身份验证的MVC应用程序):
这是一种更轻松的方法来检查身份验证,迭代大公司的AD可能会很慢......
var wi = HttpContext.Current.User.Identity as WindowsIdentity;
if (wi != null)
{
var wp = new WindowsPrincipal(wi);
List<string> groups = Constants.ADGroups(); // List of AD groups to test against
foreach (var @group in groups)
{
Debug.WriteLine($"Searching for {@group}");
if (wp.IsInRole(@group))
{
return true;
}
}
}
| 归档时间: |
|
| 查看次数: |
2435 次 |
| 最近记录: |