問題描述

我有兩個域，處于信任關系中，我試圖從 C# Web 應用程序管理它們.為此，我必須模擬兩個不同的技術用戶，但效果很好，所以我不會強調那部分代碼.

I have two domains, in a trusted relationship, that I'm trying to manage from a C# web application. To do that, I have to impersonate two different technical users, but that works good, so I will not emphasize that part of the code.

要為文件系統構建適當且易于管理的 ACL，我必須

To build proper and easy to manage ACLs for the file system, I must

• 在域 A 中創建一個組(好的！)
• 在 domainB 中查找用戶(好的！)
• 將用戶添加到組中(提交更改時失敗，錯誤消息:服務器上沒有此類對象.(來自 HRESULT 的異常:0x80072030))

如果我添加來自同一個域的用戶，則代碼運行良好，所以我相信我在這里只遺漏了一小部分信息.我使用本文檔作為參考看到了這個問題 以及(還有一些引用此錯誤消息)，但它們都沒有幫助.

If I'm adding a user from the same domain, the code works perfectly, so I believe I'm only missing a small partial info here. I used this document as a reference and saw this question as well (and a few more citing this error message) but neither of them helped.

代碼(刪除了try-catch塊以使其更簡單)

Code (try-catch block removed to make it simpler)

// de is a DirectoryEntry object of the AD group, received by the method as a parameter
// first impersonation to search in domainB
// works all right
if (impersonator.impersonateUser("techUser1", "domainB", "pass")) {
    DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass");
    de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
    // de.Invoke("Add", new object[] { "LDAP://domainA.company.com/CN=anotherUserFromDomainA,OU=AnotherOU,DC=domainB,DC=company,DC=com" });
    impersonator.undoImpersonation();
}

// second impersonation because the group (de) is in domainA
// and techUser2 has account operator privileges there
if (impersonator.impersonateUser("techUser2", "domainA", "pass"))
{
    de.CommitChanges();
    impersonator.undoImpersonation();
    return true;
}
else
{
    // second impersonation was unsuccessful, so return an empty object
    return false;
}

第 6 行有效，如果我調試它或強制將屬性寫入 HttpResponse，它顯然就在那里.所以 LDAP 查詢似乎沒問題.

Line 6 works, if I debug it or force the properties to be written to HttpResponse, it is clearly there. So the LDAP queries seem to be OK.

此外，如果我注釋掉第 6 行并取消注釋第 7 行，那么基本上我添加了一個來自同一域的用戶，整個事情會奇跡般地運行.對于域B，我被卡住了.有什么好的建議嗎?

Also, if I comment out line 6 and uncomment 7, so basically I add a user from the same domain, the whole thing works miraculously. With domainB, I'm stuck. Any good piece of advice?

推薦答案

按照你的代碼，我看到你得到 de 作為參數，它在 Domain A.然后你正在創建 DirectoryEntry 對象 dom，它被 模擬，但從未被使用過.但是，您正在嘗試使用 LDAP 直接將對象從 Domain B 添加到 de.這一行:

de.Invoke("Add", new object[{"LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" }); 

...
using (DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass"))
{
    using (DirectorySearcher searcher = new DirectorySearcher(dom))
    {
        searcher.Filter = "(&(objectClass=user)(CN=theUserIWantToAdd))";
        SearchResult result = searcher.FindOne();
        de.Invoke("Add", new object[] { result.Path });
    }
}
...

//GET THE USER FROM DOMAIN B
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainContext, UPN))
{
    if (userPrincipal != null)
    {
       //FIND THE GROUP IN DOMAIN A
       using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, groupName))
       {
          if (groupPrincipal != null)
          {
             //CHECK TO MAKE SURE USER IS NOT IN THAT GROUP
             if (!userPrincipal.IsMemberOf(groupPrincipal))
             {
                string userSid = string.Format("<SID={0}>", userPrincipal.SID.ToString());
                DirectoryEntry groupDirectoryEntry = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
                groupDirectoryEntry.Properties["member"].Add(userSid);
                groupDirectoryEntry.CommitChanges();
              }
           }
        }
     }
 }