问题描述
研究:
类似的解决方法问题,但不是现有问题的实际解决方案
指向 Microsoft End Point 更新的类似问题是罪魁祸首
以上链接最适合我的问题,我在创建这篇文章时也查看了 Stack Overflow 列出的所有类似问题,只有上面提到的问题适合我的问题.
The above links are the most suited to my problem, I have also viewed every similar question listed by Stack Overflow upon creating this post, and only the above referenced questions fit my issue.
背景:
我一直在使用 UserPrincipal.GetAuthorizationGroups 获得特定页面访问权限,该页面访问在 Server 2008 R2 上运行 IIS 7.5 的 C#.NET 4.0 Web 表单站点已有 2 年半.2013 年 5 月 15 日,我们删除了运行 Server 2008(不是 r2)的主域控制器,并将其替换为 Server 2012 域控制器.第二天,我们开始收到下面列出的例外情况.
I have been using UserPrincipal.GetAuthorizationGroups for permissions for specific page access running IIS 7.5 on Server 2008 R2 in a C#.NET 4.0 web forms site for 2 and a half years. On May 15 2013 we removed a primary Domain controller running Server 2008 (not r2) and replaced it with a Server 2012 Domain Controller. The next day we started receiving the exception listed below.
我使用主体上下文进行表单身份验证.用户名/密码握手成功并且 auth cookie 已正确设置,但随后也调用 UserPrincipal.GetAuthorizationGroups 的 Principal Context 调用间歇性失败.我们已经解决了 Server 2012 域控制器中出现的一些 BPA 问题,但这尚未解决问题.我还建立了一个在两个独立服务器上运行的 cron.尽管两台服务器运行相同的代码库,但它们将在不同时间以组 SID 解析失败.(开发环境和生产环境).
I use Principal Context for Forms Authentication. The username/pass handshake succeeds and the auth cookie is properly set, but the subsequent Principal Context call that also calls UserPrincipal.GetAuthorizationGroups fails intermittently. We've resolved a few BPA issues that appeared in the Server 2012 Domain Controller but this has yet to resolve the issue. I also instituted a cron that runs on two separate servers. The two servers will fail at Group SID resolution at different times though they are running the same code base. (A dev environment and production environment).
该问题会在 Web 服务器重新启动后暂时自行解决,而且在开发服务器上,它会在 12 小时无法运行后自行解决.生产服务器通常会停止正常运行,直到重新启动而无法自行解决.
The issue resolves itself temporarily upon web server reboot, and also on the dev server it will resolve itself after 12 hours of not functioning. The production server will usually stop functioning properly until a reboot without resolving itself.
此时,我正在尝试针对网络中的特定域控制器以及新 DC 优化 cron,并使用目前无法产生更多针对性异常时间的标准 LDAP 查询.到目前为止,我们已经在一台 Web 服务器上发现它失败的天数没有规律,但它会在大约 12 小时内恢复.最新结果显示组 SID 解析在上午 8 点到晚上 8 点之间失败然后恢复,几天后它将在晚上 8 点失败并在早上 8 点恢复,然后再正常运行 12 小时,然后再次失败.我们希望看看它是否只是一个特定的服务器通信问题,或者看看它是否是整个域控制器集.
At this point I am trying to refine the cron targeting specific Domain Controllers in the network as well as the new DC and using the standard LDAP query that is currently failing to yield more targeted exception times. Thus far we've found on one web server that there is no pattern to the days at which it fails, but it will recover within roughly 12 hours. The latest results show Group SID resolution failure between 8AM-8PM then it recovers, several days later it will fail at 8pm and recover at 8am then run fine for another 12 hours and fail again. We are hoping to see if it is just a specific server communication issue or to see if it is the entire set of Domain Controllers.
例外:
Exception information:
Exception type: PrincipalOperationException
Exception message: An error (1301) occurred while enumerating the groups.
The group's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)
at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
问题:
鉴于上述信息,有没有人知道为什么停用 Windows Server 2008(而不是 r2)并实施新的 Server 2012 DC 会导致 UserPrincipal.GetAuthorizationGroups 因 1301 SID 解析错误而失败?消除可能原因的想法也将不胜感激.
Given the above information, does anyone have any idea why decommissioning the Windows Server 2008 (not r2) and implementing a new Server 2012 DC would cause UserPrincipal.GetAuthorizationGroups to fail with the 1301 SID resolution error?
Ideas on eliminating possible causes would also be appreciated.
免责声明:
这是我在 Stack Overflow 上的第一篇文章,我经常在这里研究,但直到现在还没有参与讨论.请原谅我是否应该在其他地方发布,并在发布前随时指出更好的步骤.
This is my first post to Stack Overflow, I often research here but have not joined in discussions until now. Forgive me if I should have posted elsewhere and feel free to point out better steps before posting.
2013 年 6 月 13 日更新:
在 6 月 12 日,我解决了未处置的物品导致问题的可能性.时间框架太短,无法确定调整后的代码是否解决了问题,但我会继续更新,因为我们正在努力寻求解决方案,如果幸运的话,这里有人可以伸出援手.
On the 12th of June I addressed the possibility of items not disposed causing the issue. The time frame has been too short to determine if the adjusted code has fixed the issue, but I will continue to update as we work towards a resolution such that maybe with any luck someone here can lend a hand.
原始代码
public bool isGroupMember(string userName, ArrayList groupList)
{
bool valid = false;
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain_server + ".domain.org:636", null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);
// find the user in the identity store
UserPrincipal user =
UserPrincipal.FindByIdentity(
ctx,
userName);
// get the groups for the user principal and
// store the results in a PrincipalSearchResult object
PrincipalSearchResult<Principal> groups =
user.GetAuthorizationGroups();
// display the names of the groups to which the
// user belongs
foreach (Principal group in groups)
{
foreach (string groupName in groupList)
{
if (group.ToString() == groupName)
{
valid = true;
}
}
}
return valid;
}
更新代码
public bool isGroupMember(string userName, ArrayList groupList, string domain_server)
{
bool valid = false;
try
{
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain_server + ".domain.org:636", null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer))
{
// find the user in the identity store
UserPrincipal user =
UserPrincipal.FindByIdentity(
ctx,
userName);
try
{
// get the groups for the user principal and
// store the results in a PrincipalSearchResult object
using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
{
// display the names of the groups to which the
// user belongs
foreach (Principal group in groups)
{
foreach (string groupName in groupList)
{
if (group.ToString() == groupName)
{
valid = true;
}
}
group.Dispose();
}
}//end using-2
}
catch
{
log_gen("arbitrary info");
return false;
}
}//end using-1
}
catch
{
log_gen("arbitrary info");
return false;
}
return valid;
}
推荐答案
我刚刚遇到了同样的问题,我设法找到的信息可能会有所帮助;如上所述,我们在域控制器运行 Server 2012 时看到了这个问题 - 首先是客户部署,然后在我们自己的网络上复制.
I have just run into this same issue and the info I have managed to track down may be helpful; as above we have seen this problem where the domain controller is running Server 2012 - firstly with a customer deployment and then replicated on our own network.
经过一些实验,我们发现我们的代码可以在 Server 2012 上正常运行,但在客户端系统运行 Server 2008 时遇到了 1301 错误代码.有关所发生情况的关键信息可以在这里找到:
After some experimentation we found that our code would run fine on Server 2012, but hit the 1301 error code when the client system was running Server 2008. The key information about what was happening was found here:
德语翻译的 MS 博客
以下链接中提到的修补程序已解决了我们测试系统上的问题
The hotfix referred to in the link below has fixed the problem on our test system
无法映射 SID S-1-18-1 和 SID S-1-18-2
希望这对某人有帮助!正如许多人所指出的,这个方法调用似乎相当脆弱,我们可能会在遇到其他问题之前考虑实施一些替代方法.
Hope this is helpful for someone! As many have noted this method call seems rather fragile and we will probably look at implementing some alternative approach before we hit other issues.
加里
这篇关于UserPrincipals.GetAuthorizationGroups 枚举组时发生错误 (1301).升级到 Server 2012 域控制器后的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!