问题
I am using System.DirectoryServices.AccountManagement to find the logged-in user's AD entry. It is working great in the VS2008 WebDev server on developers machines.
But when we installed the code on the development server (windows server 2008), we get an access error.
Both the developer's machine and the development server are members of the same domain.
We have Impersonation turned on, so we are connecting to AD with the same user credentials.
What are we missing here? Why is it working on the developer's machine, but not the development server?
The actual exception that we were receiving was "An operations error occurred".
回答1:
After some research, I found the following link: http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/c314650a-ff5e-49e6-8f53-9a7cca17e806
In it one user describes the solution to the problem:
I have seen this error and it is related to the fact that when using NTLM authentication and impersonation set to true in web.config, IIS cannot use the authenticated token against another server since it is a "secondary token".
The solution to my issue was to wrap my Active Directory code with:
using( HostingEnvironment.Impersonate() )
{
//Active Directory search goes here.
}
This makes the call to AD with the identity of the application pool, and it did the trick in my case.
回答2:
I was just looking around to fix the error System.DirectoryServices.DirectoryServicesCOMException
after using UserPrincipal.FindByIdentity
and the answer from mlsteeves was what i needed, impersonating the hostenvironnement on the production server!
So good call this was about delegation on server and your solution was perfect thanks alot!
来源:https://stackoverflow.com/questions/2463466/system-directoryservices-accountmanagement-not-working-on-the-server