跨域主动目录身份验证，无需添加信任 [英] Cross domain active directory authentication without adding trust

问题描述

我在多台计算机上设置了多个活动目录域，并且所有这些域都连接在同一网络中。

现在，我将我的应用程序托管在其中一个服务器中。现在，我想允许来自网络中多个域的每个AD用户登录，而不在域之间添加 Trust 。

我可以通过添加但我不想在它之间增加信任。

有没有人知道如何才能得到这个？



我尝试过：



添加信任时，此代码链接对我有用域之间。 .NET中跨域用户的目录身份验证 [ ^ ]

I have set up multiple active directory domains in multiple machines and all are connected in the same network.
Now, I host my application in one of the server. Now I want to allow a login for every AD users from multiple domains which are in the network without adding Trust between domains.
I am able to achieve this by adding Trust between domains but I don't want to add trust between it.
Does anyone have an idea how can I get this?

What I have tried:

This code link is working for me when adding Trust between domains. Directory Authentication for Cross Domain Users in .NET[^]

推荐答案

如果你认为你作为一个不可信任的实体，可以问任何AD树嘿！这个密码对这个帐户有用吗？，你'严重错误的认证过程如何运作以及与之通信的安全性。



如果目标AD不信任您，或者更具体地说，该帐户请求来自，无论是用户还是机器，它都不会让你问这个问题。



必须有信任关系，不管是双向或单向信任。

If you think that you, as a non-trusted entity, can just ask any AD tree "Hey! Is this password good for this account?", you'd be sorely mistaken about how the authentication process works and the security of communicating with it.

If the target AD doesn't trust you, or more specifically, the account the request came from, be it a user or a machine, it's not going to let you ask that question.

There has to be a trust relationship, be it a two-way or a one-way trust.

这篇关于跨域主动目录身份验证，无需添加信任的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！