如何抓住从客户机AD凭据在Web应用程序？ [英] How to grab AD credentials from client machine in a web application?

问题描述

是否有可能抢了客户端计算机上用户的ActiveDirectory凭据从Web应用程序中的？

Is it possible to grab activedirectory credentials for the user on a client machine from within a web application?

要澄清，我设计这将是对客户的内部网托管的Web应用程序。

To clarify, I am designing a web application which will be hosted on a client's intranet.

有一个要求访问应用程序时不会提示输入凭据应用程序的用户，并且用户登录到客户端计算机的替代证书应自动抓起，无需用户交互。

There is a requirement that the a user of the application not be prompted for credentials when accessing the application, and that instead the credentials of the user logged onto the client machine should be grabbed automatically, without user interaction.

推荐答案

当然可以。这是内联网应用特别有用。

Absolutely. This is especially useful for intranet applications.

既然你没有指定你的环境，我会认为这是.NET，但那是不可能的，当然唯一的办法。

Since you did not specify your environment, I'll assume it is .NET, but that isn't the only way possible of course.

Active Directory可以很容易地使用 LDAP 进行查询。如果您使用的是.NET，你可以做一些像这$ C $ ç例如或低于我的榜样。您也可以在<一做href="https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-22_11-5259887.html"相对=nofollow> SQL环境的为好。

Active Directory can be queried easily using LDAP. If you're using .NET, you can do something like in this code example or my example below. You can also do it within SQL environments as well.

如果你只需要在Windows处理身份验证，您可以设置，例如，.NET Web应用起来的<一个href="http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx"相对=nofollow> Windows身份验证。一定要<一href="http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/524404dc-8586-46b0-89ac-0f5db6d33c9c.mspx?mfr=true"相对=nofollow> 关闭匿名登录 IIS中为您的应用程序。一旦这样做，你就可以访问该用户的Windows登录名，并用它来作进一步的安全检查（例如，他们的组/角色成员于公元）。

If you just need Windows to handle authentication, you can set, for example, a .NET Web app up for Windows Authentication. Be sure to turn off Anonymous Logins within IIS for your application. Once done, you'll be able to access the user's Windows logon name and use it to make further security checks (for example, their group/role membership in AD).

您也可以使用像企业库的安全应用程序块简化整个烂摊子。

You can also simplify the whole mess using something like Enterprise Library's Security Application Block.

下面是一个简短的C＃示例：（转换为VB.NET 这里）

Here is a short C# example: (convert to VB.NET here)

using System.DirectoryServices;

/// <summary>
/// Gets the email address, if defined, of a user from Active Directory.
/// </summary>
/// <param name="userid">The userid of the user in question.  Make
/// sure the domain has been stripped first!</param>
/// <returns>A string containing the user's email address, or null
/// if one was not defined or found.</returns>
public static string GetEmail(string userid)
{
    DirectorySearcher searcher;
    SearchResult result;
    string email;

    // Check first if there is a slash in the userid
    // If there is, domain has not been stripped
    if (!userid.Contains("\\"))
    {
        searcher = new DirectorySearcher();
        searcher.Filter = String.Format("(SAMAccountName={0})", userid);
        searcher.PropertiesToLoad.Add("mail");
        result = searcher.FindOne();
        if (result != null)
        {
            email = result.Properties["mail"][0].ToString();
        }
    }

    return email;
}

您不必指定的域控制器。执行空/默认构造函数DirectorySearcher从会导致它尝试自动＆mdash看一上来;其实，这是 的preferred方法 。

You do not have to specify a domain controller. Performing the empty/default constructor for DirectorySearcher will cause it to attempt to look one up automatically — in fact, this is the preferred method.

这篇关于如何抓住从客户机AD凭据在Web应用程序？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！