Problem description
Research:
Similar question with a proposed solution, but not an actual solution to the problem at hand
Similar question pointing to a Microsoft Endpoint update as the culprit
The above links are the most suited to my problem, I have also viewed every similar question listed by Stack Overflow upon creating this post, and only the above referenced questions fit my issue.
Background:
I have been using UserPrincipal.GetAuthorizationGroups for permissions for specific page access, running IIS 7.5 on Server 2008 R2 in a C#.NET 4.0 web forms site, for 2 and a half years. On May 15 2013 we removed a primary Domain Controller running Server 2008 (not R2) and replaced it with a Server 2012 Domain Controller. The next day we started receiving the exception listed below.
I use PrincipalContext for Forms Authentication. The username/password handshake succeeds and the auth cookie is properly set, but the subsequent PrincipalContext call that also calls UserPrincipal.GetAuthorizationGroups fails intermittently. We've resolved a few BPA issues that appeared in the Server 2012 Domain Controller but this has yet to resolve the issue. I also instituted a cron that runs on two separate servers. The two servers will fail at group SID resolution at different times though they are running the same code base (a dev environment and a production environment).
該問題會在 Web 服務器重新啟動后暫時自行解決,而且在開發服務器上,它會在 12 小時無法運行后自行解決.生產服務器通常會停止正常運行,直到重新啟動而無法自行解決.
The issue resolves itself temporarily upon web server reboot, and also on the dev server it will resolve itself after 12 hours of not functioning. The production server will usually stop functioning properly until a reboot without resolving itself.
At this point I am trying to refine the cron targeting specific Domain Controllers in the network as well as the new DC and using the standard LDAP query that is currently failing to yield more targeted exception times. Thus far we've found on one web server that there is no pattern to the days at which it fails, but it will recover within roughly 12 hours. The latest results show Group SID resolution failure between 8AM-8PM then it recovers, several days later it will fail at 8pm and recover at 8am then run fine for another 12 hours and fail again. We are hoping to see if it is just a specific server communication issue or to see if it is the entire set of Domain Controllers.
Exception:
Exception information:
Exception type: PrincipalOperationException
Exception message: An error (1301) occurred while enumerating the groups.
The group's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)
at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
Question:
Given the above information, does anyone have any idea why decommissioning the Windows Server 2008 (not R2) DC and implementing a new Server 2012 DC would cause UserPrincipal.GetAuthorizationGroups to fail with the 1301 SID resolution error?
Ideas on eliminating possible causes would also be appreciated.
Disclaimer:
This is my first post to Stack Overflow, I often research here but have not joined in discussions until now. Forgive me if I should have posted elsewhere and feel free to point out better steps before posting.
Update, June 13 2013:
On the 12th of June I addressed the possibility of items not disposed causing the issue. The time frame has been too short to determine if the adjusted code has fixed the issue, but I will continue to update as we work towards a resolution such that maybe with any luck someone here can lend a hand.
Original code

using System.Collections;
using System.DirectoryServices.AccountManagement;

public bool isGroupMember(string userName, ArrayList groupList)
{
    bool valid = false;
    // domain_server holds the host name of the DC to bind to; LDAPS on 636 with Negotiate
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain_server + ".domain.org:636", null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);
    // find the user in the identity store
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName);
    // get the groups for the user principal and
    // store the results in a PrincipalSearchResult object
    // (this is the call that throws the 1301 PrincipalOperationException)
    PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
    // compare the names of the groups to which the
    // user belongs against the permitted group list
    foreach (Principal group in groups)
    {
        foreach (string groupName in groupList)
        {
            if (group.ToString() == groupName)
            {
                valid = true;
            }
        }
    }
    // note: ctx, user and groups are never disposed in this version
    return valid;
}
Updated code

using System.Collections;
using System.DirectoryServices.AccountManagement;

public bool isGroupMember(string userName, ArrayList groupList, string domain_server)
{
    bool valid = false;
    try
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain_server + ".domain.org:636", null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer))
        {
            // find the user in the identity store; the principal is IDisposable too
            using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName))
            {
                // FindByIdentity returns null for an unknown account: fail closed
                if (user == null)
                {
                    log_gen("arbitrary info");
                    return false;
                }
                try
                {
                    // get the groups for the user principal and
                    // store the results in a PrincipalSearchResult object
                    using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
                    {
                        // compare the names of the groups to which the
                        // user belongs against the permitted group list
                        foreach (Principal group in groups)
                        {
                            foreach (string groupName in groupList)
                            {
                                if (group.ToString() == groupName)
                                {
                                    valid = true;
                                }
                            }
                            group.Dispose();
                        }
                    } // end using: groups
                }
                catch
                {
                    // the 1301 PrincipalOperationException lands here; deny access and log
                    log_gen("arbitrary info");
                    return false;
                }
            } // end using: user
        } // end using: ctx
    }
    catch
    {
        log_gen("arbitrary info");
        return false;
    }
    return valid;
}
Accepted answer
I have just run into this same issue and the info I have managed to track down may be helpful; as above we have seen this problem where the domain controller is running Server 2012 - firstly with a customer deployment and then replicated on our own network.
After some experimentation we found that our code would run fine on Server 2012, but hit the 1301 error code when the client system was running Server 2008. The key information about what was happening was found here:
MS blog (German translation)
The hotfix referred to in the link below has fixed the problem on our test system:
Cannot map SID S-1-18-1 and SID S-1-18-2
Hope this is helpful for someone! As many have noted this method call seems rather fragile and we will probably look at implementing some alternative approach before we hit other issues.
Gary
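The answer closes by calling UserPrincipal.GetAuthorizationGroups fragile and suggesting an alternative. The block below is an added example, not code from the question or the answer, showing one such alternative: read the user's tokenGroups attribute (the DC-computed, SID-only transitive group set) with System.DirectoryServices and compare raw SIDs against the target groups' objectSid, so that no SID is ever translated to a name and an unmappable well-known SID such as S-1-18-1 or S-1-18-2 cannot abort the enumeration. It also includes a probe that reports whether the local LSA can map those two SIDs, which is what the linked hotfix repairs. The ldapPath and credential parameters, the class and method names, and the assumption that the calling identity may read tokenGroups are all mine and not taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example (not from the original post). Assumes a domain-joined web
// server and an ldapPath such as "LDAP://dc01.domain.org:636/DC=domain,DC=org"
// (hypothetical value) reachable over LDAPS by the supplied credentials.
public static class GroupMembership
{
    // The two SIDs the accepted answer names as failing to translate on
    // unpatched Server 2008 R2 hosts once a Server 2012 DC issues them.
    public static readonly string[] AssertedIdentitySids = { "S-1-18-1", "S-1-18-2" };

    // Probe: can this machine's LSA map the asserted-identity SIDs? A false
    // entry means GetAuthorizationGroups() will throw here whenever a user's
    // token carries that SID, regardless of which DC answered the query.
    public static IDictionary<string, bool> ProbeAssertedIdentitySids()
    {
        var result = new Dictionary<string, bool>();
        foreach (string sddl in AssertedIdentitySids)
        {
            try
            {
                new SecurityIdentifier(sddl).Translate(typeof(NTAccount));
                result[sddl] = true;
            }
            catch (IdentityNotMappedException)
            {
                result[sddl] = false;
            }
        }
        return result;
    }

    // Membership check that never translates a SID to a name.
    public static bool IsGroupMember(string ldapPath, string bindUser, string bindPassword,
                                     string sAMAccountName, IEnumerable<string> groupNames)
    {
        var wantedSids = new HashSet<SecurityIdentifier>();
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        {
            // Resolve each permitted group name to its objectSid once.
            foreach (string groupName in groupNames)
            {
                byte[] sid = FindObjectSid(root,
                    "(&(objectCategory=group)(sAMAccountName=" + EscapeLdap(groupName) + "))");
                if (sid != null) wantedSids.Add(new SecurityIdentifier(sid, 0));
            }
            if (wantedSids.Count == 0) return false; // no known group: fail closed

            using (var searcher = new DirectorySearcher(root,
                "(&(objectCategory=person)(sAMAccountName=" + EscapeLdap(sAMAccountName) + "))",
                new[] { "distinguishedName" }))
            {
                SearchResult hit = searcher.FindOne();
                if (hit == null) return false;
                using (DirectoryEntry userEntry = hit.GetDirectoryEntry())
                {
                    // tokenGroups is a constructed attribute and must be requested explicitly.
                    userEntry.RefreshCache(new[] { "tokenGroups" });
                    foreach (byte[] raw in userEntry.Properties["tokenGroups"])
                    {
                        // Raw SID comparison: S-1-18-x entries are simply never equal.
                        if (wantedSids.Contains(new SecurityIdentifier(raw, 0))) return true;
                    }
                }
            }
        }
        return false;
    }

    private static byte[] FindObjectSid(DirectoryEntry root, string filter)
    {
        using (var searcher = new DirectorySearcher(root, filter, new[] { "objectSid" }))
        {
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (byte[])hit.Properties["objectSid"][0];
        }
    }

    // RFC 4515 escaping so caller-supplied names cannot rewrite the LDAP filter.
    private static string EscapeLdap(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

Calling ProbeAssertedIdentitySids() from the cron the question describes would separate the two hypotheses the poster was weighing: if the probe reports false on the web server, the fault is local SID translation on that host (the hotfix case), not the set of Domain Controllers. IsGroupMember fails closed on an unknown user or group, and the filter escaping matters because both names originate from request data in a forms-authentication flow.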