It's a permission problem.

这是一个权限问题。

When you run the console app, that app runs with your credentials, e.g. as "you".

当您运行控制台应用程序时，该应用程序会使用您的凭据（例如“您”）运行。

The WCF service runs where? In IIS? Most likely, it runs under a separate account, which is not permissioned to query Active Directory.

WCF 服务运行在哪里？在 IIS 中？最有可能的是，它在一个单独的帐户下运行，该帐户无权查询 Active Directory。

You can either try to get the WCF impersonation thingie working, so that your own credentials get passed on, or you can specify a username/password on creating your DirectoryEntry:

您可以尝试让 WCF 模拟工具正常工作，以便传递您自己的凭据，或者您可以在创建 DirectoryEntry 时指定用户名/密码：

DirectoryEntry directoryEntry = 
    new DirectoryEntry("LDAP://someserver.contoso.com/DC=contoso,DC=com", 
                       userName, password);

OK, so it might not be the credentials after all (that's usually the case in over 80% of the cases I see).

好的，所以它可能毕竟不是凭据（在我看到的超过 80% 的情况下通常都是这种情况）。

What about changing your code a little bit?

稍微更改一下代码怎么样？

DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry);
directorySearcher.Filter = string.Format("(&(objectClass=user)(objectCategory=user) (sAMAccountName={0}))", username);

directorySearcher.PropertiesToLoad.Add("msRTCSIP-PrimaryUserAddress");

var result = directorySearcher.FindOne();

if(result != null)
{
   if(result.Properties["msRTCSIP-PrimaryUserAddress"] != null)
   {
      var resultValue = result.Properties["msRTCSIP-PrimaryUserAddress"][0];
   }
}

My idea is: why not tell the DirectorySearcherright off the bat what attribute you're interested in? Then you don't need to do another extra step to get the full DirectoryEntryfrom the search result (should be faster), and since you told the directory searcher to find that property, it's certainly going to be loaded in the search result - so unless it's null (no value set), then you should be able to retrieve it easily.

我的想法是：为什么不直接告诉DirectorySearcher你你对什么属性感兴趣？然后你不需要再做一个额外的步骤来DirectoryEntry从搜索结果中获取完整内容（应该更快），并且由于你告诉目录搜索器找到该属性，它肯定会被加载到搜索结果中 - 所以除非它为空（未设置值），那么您应该能够轻松检索它。

Marc

马克

Just FYI, I had the same error and was using the correct credentials but my LDAP url was wrong :(

仅供参考，我遇到了同样的错误并且使用了正确的凭据，但我的 LDAP url 是错误的 :(

I got the exact same error message and code

我收到了完全相同的错误消息和代码

I had this error as well and for me it was an OU with a forward slash in the name: "File/Folder Access Groups".

我也有这个错误，对我来说，它是一个名称中带有正斜杠的 OU：“文件/文件夹访问组”。

This forum threadpointed me in the right direction. In the end, calling .Replace("/","\\/")on each path value before use solved the problem for me.

这个论坛帖子为我指明了正确的方向。最后，.Replace("/","\\/")在使用前调用每个路径值为我解决了问题。

I had the same again and again and nothing seemed to help.

我一次又一次地遇到同样的情况，但似乎没有任何帮助。

Changing the path from ldap://to LDAP://did the trick.

改变路径从ldap://到LDAP://做到了。

In the context of Ektron, this issue is resolved by installing the "IIS6 Metabase compatibility" feature in Windows:

在 Ektron 的上下文中，通过在 Windows 中安装“IIS6 元数据库兼容性”功能来解决此问题：

Check 'Windows features' or 'Role Services' for IIS6 Metabase compatibility, add if missing:

检查“Windows 功能”或“角色服务”以了解 IIS6 元数据库兼容性，如果缺少则添加：

Ref: https://portal.ektron.com/KB/1088/

参考：https: //portal.ektron.com/KB/1088/

I had the same error - in my case it was extra slash in path argument that made the difference.

我有同样的错误 - 在我的情况下，路径参数中的额外斜线造成了差异。

BAD:

坏的：

DirectoryEntry directoryEntry = 
    new DirectoryEntry("LDAP://someserver.contoso.com/DC=contoso,DC=com/", 
                       userName, password);

GOOD:

好的：

DirectoryEntry directoryEntry = 
    new DirectoryEntry("LDAP://someserver.contoso.com/DC=contoso,DC=com", 
                       userName, password);

Just had that problem in a production system in the company where I live... A webpage that made a LDAP bind stopped working after an IP changed.

刚刚在我住的公司的生产系统中遇到了这个问题...一个使 LDAP 绑定的网页在 IP 更改后停止工作。

The solution... ... I installed Basic Authentication to perform the troubleshooting indicated here: https://support.microsoft.com/en-us/kb/329986

解决方案......我安装了基本身份验证来执行此处指示的故障排除：https: //support.microsoft.com/en-us/kb/329986

And after that, things just started to work. Even after I re-disabled Basic Authentication in the page I was testing, all other pages started working again with Windows Authentication.

在那之后，事情才刚刚开始。即使在我正在测试的页面中重新禁用基本身份验证后，所有其他页面也重新开始使用 Windows 身份验证。

Regards, Acácio

问候， 阿卡西奥

The same error occurs if in DirectoryEntry.Patch is nothing after the symbols "LDAP//:". It is necessary to check the directoryEntry.Path before directorySearcher.FindOne(). Unless explicitly specified domain, and do not need to "LDAP://".

如果 DirectoryEntry.Patch 中的符号“LDAP//:”之后没有任何内容，则会发生相同的错误。有必要在 directorySearcher.FindOne() 之前检查 directoryEntry.Path。除非明确指定域，并且不需要“LDAP://”。

private void GetUser(string userName, string domainName)
{
     DirectoryEntry dirEntry = new DirectoryEntry();

     if (domainName.Length > 0)
     {
          dirEntry.Path = "LDAP://" + domainName;
     }

     DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);
     dirSearcher.SearchScope = SearchScope.Subtree;
     dirSearcher.Filter = string.Format("(&(objectClass=user)(|(cn={0})(sn={0}*)(givenName={0})(sAMAccountName={0}*)))", userName);
     var searchResults = dirSearcher.FindAll();
     //var searchResults = dirSearcher.FindOne();

     if (searchResults.Count == 0)
     {
          MessageBox.Show("User not found");
     }
     else
     {
          foreach (SearchResult sr in searchResults)
          {
              var de = sr.GetDirectoryEntry();
              string user = de.Properties["SAMAccountName"][0].ToString();
              MessageBox.Show(user); 
          }        
     }
}

Spent a day on my similar issue, but all these answers didn't help.

在我的类似问题上花了一天时间，但所有这些答案都没有帮助。

Turned out in my case, I didn't enable Windows Authentication in IIS setting...

在我的情况下，我没有在 IIS 设置中启用 Windows 身份验证...

This Error can occur if the physical machine has run out of memory. In my case i was hosting a site on IIS trying to access the AD, but the server had run out of memory.

如果物理机内存不足，则会发生此错误。就我而言，我在 IIS 上托管一个站点，试图访问 AD，但服务器内存不足。