I'm trying to authenticate a user against Active Directory from my .NET 4 application (Visual Studio 2010), using the types in the AccountManagement namespace/assembly. Here is my code:
private Boolean ValidateUser(String domainName, String userName, String password)
{
    var ou = String.Format(CultureInfo.InvariantCulture,
                           "LDAP://{0}.mydomain.com/dc={0},dc=mydomain,dc=com",
                           domainName);
    var domain = String.Format(CultureInfo.InvariantCulture,
                               "{0}.mydomain.com",
                               domainName);
    using (var context = new PrincipalContext(ContextType.Domain,
                                              domain,
                                              ou))
    {
        if (context.ValidateCredentials(userName, password))
        {
            var userPrincipal = UserPrincipal.FindByIdentity(context,
                                                             IdentityType.SamAccountName,
                                                             userName);
            return userPrincipal.IsMemberOf(context, IdentityType.Name, "GroupName");
        }
        return false;
    }
}

The code runs fine until the statement where I call FindByIdentity. That call results in the following exception:
System.DirectoryServices.AccountManagement.PrincipalOperationException was caught
Message=Unknown error (0x80005000)
Source=System.DirectoryServices.AccountManagement
ErrorCode=-2147463168
StackTrace:
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at Dominos.Pulse.Server.Security.DirectoryServices.ActiveDirectoryAuthenticationProvider.ValidateUser(String domainName, String userName, String password)
InnerException: System.Runtime.InteropServices.COMException
Message=Unknown error (0x80005000)
Source=System.DirectoryServices
ErrorCode=-2147463168
StackTrace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
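InnerException:

Obviously I have something misconfigured. If not, maybe I'm just going about this the wrong way.
My goal is simply to authenticate the user against A/D and then make sure they are a member of a specific group (or groups). What am I doing wrong?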
Posted on 2012-01-26 23:28:07
Can you try it like this:
var ou = String.Format(CultureInfo.InvariantCulture,
                       "dc={0},dc=mydomain,dc=com",
                       domainName);

The root context is not needed to validate credentials.
https://stackoverflow.com/questions/9006195
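An added example, not code from the question or the answer: the question's check with the answer's bare distinguished name passed as the container, plus the guards a production login path would want. The class name `AdGroupAuthenticator`, the `DnsLabel` pattern, the `requiredGroups` parameter and the rule that the user must be in every listed group are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Globalization;
using System.Text.RegularExpressions;

public static class AdGroupAuthenticator // hypothetical name
{
    // Assumption: domainName is a single DNS label. Rejecting anything else keeps
    // characters such as ',', '=', '/' and '(' out of the host name and the DN built from it.
    private static readonly Regex DnsLabel =
        new Regex(@"\A[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z");

    public static bool ValidateUser(string domainName, string userName,
                                    string password, IEnumerable<string> requiredGroups)
    {
        if (requiredGroups == null) throw new ArgumentNullException("requiredGroups");
        if (domainName == null || !DnsLabel.IsMatch(domainName)) return false;
        // Refuse empty credentials before attempting any bind.
        if (String.IsNullOrEmpty(userName) || String.IsNullOrEmpty(password)) return false;

        var domain = String.Format(CultureInfo.InvariantCulture, "{0}.mydomain.com", domainName);
        // Container is a plain distinguished name, without an "LDAP://host/" prefix.
        var container = String.Format(CultureInfo.InvariantCulture,
                                      "dc={0},dc=mydomain,dc=com", domainName);

        using (var context = new PrincipalContext(ContextType.Domain, domain, container))
        {
            // Pin the bind to Negotiate with signing and sealing.
            var options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
            if (!context.ValidateCredentials(userName, password, options)) return false;

            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userName))
            {
                if (user == null) return false; // FindByIdentity returns null when nothing matches
                foreach (var groupName in requiredGroups)
                {
                    using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName))
                    {
                        // Fail closed: a missing group counts as "not a member".
                        if (group == null || !user.IsMemberOf(group)) return false;
                    }
                }
                return true;
            }
        }
    }
}
```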