Azure 应用服务上的 ActiveDirectoryMembershipProvider:拒绝访问

ActiveDirectoryMembershipProvider on Azure App Service: Access Denied

IIS 7 上的遗留应用程序之一 运行 最近已移植到 Azure 应用服务。

该应用程序使用 WebMatrix(简单成员资格)和 Active Directory 作为成员资格提供程序。在 Azure App Service 上托管它后,我们收到 Access Denied 错误

web.config

<membership defaultProvider="simple">
   <providers>
     <clear />
     <add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
     <add name="AD1MembershipProvider" description="Active Directory"
               type="System.Web.Security.ActiveDirectoryMembershipProvider" 
               applicationName="appName" connectionStringName="AD1ConnectionString" 
               connectionUsername="..." connectionPassword="..." 
               connectionProtection="None" 
               enableSearchMethods="true" attributeMapUsername="sAMAccountName" /> 
   </providers>
</membership>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
   <providers>
     <add name="DefaultRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
   </providers>
</roleManager>


<connectionStrings>   
   <add name="AD1ConnectionString" connectionString="LDAP://something.DIR/DC=something,DC=something,DC=DIR" /> 
</connectionStrings>

应用启动报错:

[COMException]: Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
[UnauthorizedAccessException]: Access is denied.

   at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
   at System.DirectoryServices.ActiveDirectory.DirectoryContext.isServer()
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at System.Web.Security.DirectoryInformation.InitializeDomainAndForestName()
   at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
   at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
[ConfigurationErrorsException]: Access is denied.
 (D:\home\site\wwwroot\web.config line 106)
   at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
   at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
   at System.Web.Security.Membership.InitializeSettings(Boolean initializeGeneralSettings, RuntimeConfig appConfig, MembershipSection settings)
   at System.Web.Security.Membership.Initialize()
   at System.Web.Security.Membership.get_Providers()
   at WebMatrix.WebData.WebSecurity.PreAppStartInit()
   at WebMatrix.WebData.PreApplicationStartCode.Start()
[InvalidOperationException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
 (D:\home\site\wwwroot\web.config line 106).
   at System.Web.Compilation.BuildManager.InvokePreStartInitMethodsCore(ICollection`1 methods, Func`1 setHostingEnvironmentCultures)
   at System.Web.Compilation.BuildManager.InvokePreStartInitMethods(ICollection`1 methods)
   at System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded)
   at System.Web.Compilation.BuildManager.ExecutePreAppStart()
   at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException)
[HttpException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
 (D:\home\site\wwwroot\web.config line 106).
   at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
   at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)

我们尝试在 providersroleManager 中禁用 WebMatrix,但即使 ActiveDirectoryMembershipProvider 也会出现同样的错误。

有什么建议吗?

A​​zure App Service 在 sanbox 中运行,这就是它失败的原因。您将无法允许访问,因为您无权访问主机 OS。不过有几个选项。

  1. 将您的应用程序部署到 Azure VM 并将其join部署到您的本地 域名。
  2. Migrate your local AD authentication for your app over to Azure Active Directory and enable AAD 在您的应用上。
  3. 将您现有的 Active Directory 迁移到 Azure Active Directory

在我看来,选项 2 将是您的最佳选择。 doc 是此类混合云解决方案的架构概述。根据 VM 大小,选项 1 的成本会更高一些,而选项 3 将需要大量规划。