c#LDAP认证奇怪的问题
我有一个VMWare机器Windows Server 2012和Active Directory安装。域名是“cpx.local”,我创建了一个新用户“testad”。c#LDAP认证奇怪的问题
我有一个C# WinForm应用程序,所以我可以测试到LDAP服务器的连接,然后获得在Active Directory所有用户或组。
这是正常工作的代码:
string server = "192.168.238.129";
string port = "389";
System.DirectoryServices.Protocols.LdapConnection ldapConnection =
new System.DirectoryServices.Protocols.LdapConnection(new LdapDirectoryIdentifier(server + ":" + port));
TimeSpan mytimeout = new TimeSpan(0, 0, 0, 1);
try
{
ldapConnection.AuthType = AuthType.Anonymous;
ldapConnection.AutoBind = false;
ldapConnection.Timeout = mytimeout;
ldapConnection.Bind();
Console.WriteLine(("Successfully authenticated to ldap server "));
ldapConnection.Dispose();
}
catch (LdapException ex)
{
Console.WriteLine(("Error with ldap server "));
Console.WriteLine((ex.GetType().ToString() + (":" + ex.Message)));
}
的问题是,如果我想和新用户“testad”来验证它不工作。
我将AuthType更改为Basic并设置凭据。
ldapConnection.AuthType = AuthType.Basic;
ldapConnection.Credential = new NetworkCredential(@"cpx\testad", "[email protected]", "cpx.local");
ldapConnection.AutoBind = false;
ldapConnection.Timeout = mytimeout;
ldapConnection.Bind();
我得到以下错误:
我曾尝试与该用户登录时,Windows Server 2012中,我可以登录完美。
有趣的是,下面的代码工作正常:
var dirEntry = new DirectoryEntry(string.Format("LDAP://{0}/{1}", "192.168.238.129:389", "DC=cpx,DC=local"), "testad", "[email protected]");
var searcher = new DirectorySearcher(dirEntry)
{
Filter = "(&(&(objectClass=user)(objectClass=person)))"
};
var resultCollection = searcher.FindAll();
I don't know if what Im doing something wrong with the NetworkCredentials. Any advice is well appreciated.
也许doubleccheck不前 'CPX /' credentials.in的NetworkCredential支持用户名。作为域提供
ldapConnection.Credential = new NetworkCredential(@"testad", "[email protected]", "cpx.local");
试过并且不工作 – VAAA
如果设置AuthType到Negotiate,它的工作原理?
进行AuthType细节here
变化:
ldapConnection.AuthType = AuthType.Basic;
到:
ldapConnection.AuthType = AuthType.Negotiate;
关于域名 - cpx VS cpx.local - 你可以看看这篇文章的一些建议措施
http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html
The correct way to name an Active Directory domain is to create a subdomain that is the delegation of a parent domain that you have registered and have control over. As an example, if I ever started a consulting business and used the Internet-facing website mdmarra.com as my company's site, I should name my Active Directory domain ad.mdmarra.com or internal.mdmarra.com, or something similar. You want to avoid making up a TLD like .local and you also want to avoid the headache of using mdmarra.com for the Internet-facing zone and the internal zone.
您是否尝试过这里给出的建议? https://stackoverflow.com/questions/11561689/using-c-sharp-to-authenticate-user-against-ldap和在这里? https://support.microsoft。com/en-us/help/316748/how-to-authenticate-against-active-directory-by-using-forms-authen –
另外,在'using'语句中使用'ldapConnection'变量来确保对象在抛出异常的情况下处理。 –