Access Active Directory user groups from DMZ
I have a method that checks whether a user is a member of an AD group. I tried using my own AD account as the credentials, and I can get some information about the UserPrincipal, such as e-mail etc. But when accessing the UserPrincipal's groups, I get the following error message:
Exception:
MESSAGE: The server is not operational.
SOURCE: System.DirectoryServices.AccountManagement
TARGETSITE: System.DirectoryServices.AccountManagement.ResultSet GetGroupsMemberOf(System.DirectoryServices.AccountManagement.Principal)
STACKTRACE:
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)
at Authorization.AuthorizeAD.IsMemberOfGroup(String user)
at PVM.Controllers.SecurityController.IsMemberOfGroup(String user)
InnerException: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsForestName()
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)
Code:
using System.DirectoryServices.AccountManagement;

public bool IsMemberOfGroup(string user) {
    // Explicit credentials, because the DMZ app pool identity is not a domain account
    using (var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
               ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, "myUsername", "myPass")) {
        using (var userPrincipal = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, user)) {
            if (userPrincipal == null) {
                return false; // unknown account
            }
            //I can access userPrincipal.DisplayName etc
            var groupName = "TestGroup";
            //This is where I get the error
            return userPrincipal.IsMemberOf(context, IdentityType.SamAccountName, groupName);
        }
    }
}
I think it might be a permissions issue, but querying Active Directory with ldp.exe from the server works without problems.
Locally everything works fine. I have tried changing the IIS AppPool logon etc., but for now I ended up sending the credentials along with my PrincipalContext object.
Does anyone know what I am missing here?
Solved this by using PrincipalSearcher instead of UserPrincipal.IsMemberOf, and then doing IsMemberOf() myself.
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

private static bool IsMemberOf(PrincipalContext context, PrincipalSearcher searcher, string user,
                               string groupToFind) {
    // Look the group up by sAMAccountName with PrincipalSearcher; this does not trigger the
    // forest-name lookup that Principal.IsMemberOf performs
    searcher.QueryFilter = new GroupPrincipal(context, groupToFind);
    using (var group = searcher.FindOne() as GroupPrincipal) {
        if (group == null) {
            return false;
        }
        // GetMembers() without the recursive flag returns direct members only;
        // nested group membership is not expanded here
        using (var members = group.GetMembers()) {
            // sAMAccountName is case-insensitive in AD, so compare accordingly
            return members
                .OfType<UserPrincipal>()
                .Any(principal => string.Equals(principal.SamAccountName, user,
                                                StringComparison.OrdinalIgnoreCase));
        }
    }
}
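As an added example (not the poster's code), the same membership check done directly with System.DirectoryServices against an explicitly named domain controller over LDAPS, so nothing depends on forest DNS discovery from the DMZ. It goes beyond the answer above by resolving nested group membership server-side and by escaping the caller-supplied account name before it is placed in the LDAP filter; the LDAP path, service account and group DN are assumed values.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class DmzGroupCheck
{
    // Escape a value for use inside an LDAP filter (RFC 4515) so a caller-supplied
    // account name cannot change the shape of the query.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (var c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // True if 'user' (sAMAccountName) is a direct or nested member of the group with DN 'groupDn'.
    // ldapPath names a specific DC and search base, e.g. (hypothetical)
    // "LDAP://dc01.corp.example:636/DC=corp,DC=example".
    public static bool IsMemberOfTransitive(string ldapPath, string serviceUser, string servicePass,
                                            string user, string groupDn)
    {
        // Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC
        // walk nested memberOf links itself, so one query covers indirect membership.
        var filter = "(&(objectCategory=person)(objectClass=user)" +
                     "(sAMAccountName=" + EscapeLdapFilterValue(user) + ")" +
                     "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeLdapFilterValue(groupDn) + "))";

        using (var root = new DirectoryEntry(ldapPath, serviceUser, servicePass,
                   AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        {
            searcher.SearchScope = SearchScope.Subtree;
            return searcher.FindOne() != null;
        }
    }
}
```

The service account only needs read access to the users and groups it queries; the DMZ firewall must allow TCP 636 to that DC.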