Winform user authorization via active directory


Problem description



I have a situation where I am using the following code to verify user membership in AD before executing tasks in my app

using System.Security.Principal;
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole("someGroup");

The above code works fine for machines on my domain; however, I do have some machines which are not on my domain on which I have the WinForm application installed. How can I verify the user membership in AD?

Edit - is there a way to prompt the Windows login?

Solution

Since your computer is not joined to a domain at all, we cannot use WindowsIdentity or WindowsPrincipal and then check its IsInRole() method. The IsInRole() method works only if your computer is joined to the domain and it's using your domain machine account to do S4U2Self.

You cannot use the LogonUser approach either, because your computer won't let you create a logon session from an untrusted forest.

I think we can only query Active Directory directly to get the information we want. The code in the Microsoft KB you posted does not work very well as far as I can tell. It's trying to query the memberOf attribute. The group information is not always available from the memberOf attribute.

I just wrote an IsInRole() function using AccountManagement. I guess this is what you want. The IsInRole() function will call a recursive function IsInGroup() to find out all the groups the user belongs to.

using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll (.NET 3.5 SP1 or later)

private bool IsInRole(string domain, string username, string password, string role)
{
    // Bind to the domain with explicit credentials, so this works from a machine that is not domain-joined
    using (var context = new PrincipalContext(ContextType.Domain, domain, username, password))
    {
        GroupPrincipal group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, role);
        UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
        if (group == null || user == null)
            return false; // unknown group or user: deny rather than dereference null
        return IsInGroup(user, group);
    }
}

private bool IsInGroup(Principal principal, GroupPrincipal group)
{
    // Direct membership
    if (principal.IsMemberOf(group))
        return true;

    // Otherwise walk the groups this principal belongs to (handles nested group membership)
    foreach (var g in principal.GetGroups())
    {
        if (IsInGroup(g, group))
            return true;
    }

    return false;
}

To use this IsInRole() function, you need to provide your domain name and domain credentials. If the username and password provided are wrong, you will get an exception.

You need .NET 3.5 SP1 to use the AccountManagement API. Also, you may want to pay attention to this hotfix. The AccountManagement API has some bugs when running in some environments. You may need to apply the hotfix.
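As an added example (not code from the original answer), here is a hardened variant of the IsInRole()/IsInGroup() pair above: it validates the supplied domain credentials first with PrincipalContext.ValidateCredentials so a wrong password returns false instead of throwing, denies on an unknown user or group, and keeps a visited set so circularly nested groups cannot recurse forever. The class name AdAuthorization and the visited-set parameter are this example's own choices; it assumes a reachable domain controller for the given domain.

```csharp
// Added example, not code from the original answer. Hardened variant of the answer's
// IsInRole()/IsInGroup() pair: credentials are validated first (bad password -> false,
// not an exception), unknown user/group -> deny, and a visited set stops circular nesting.
// Class name AdAuthorization and the visited-set parameter are this example's own choices.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

public static class AdAuthorization
{
    public static bool IsInRole(string domain, string username, string password, string role)
    {
        using (var context = new PrincipalContext(ContextType.Domain, domain, username, password))
        {
            // ValidateCredentials binds with the given credentials and returns false on a
            // wrong password instead of throwing later from FindByIdentity.
            if (!context.ValidateCredentials(username, password))
                return false;

            GroupPrincipal group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, role);
            UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
            if (group == null || user == null)
                return false; // fail closed: an unknown role or user is "not authorized"

            var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            return IsInGroup(user, group, visited);
        }
    }

    private static bool IsInGroup(Principal principal, GroupPrincipal group, HashSet<string> visited)
    {
        if (principal.IsMemberOf(group))
            return true;

        foreach (var g in principal.GetGroups())
        {
            // Key on the SID: if this group was already walked, the nesting forms a cycle
            if (g.Sid == null || !visited.Add(g.Sid.Value))
                continue;
            if (IsInGroup(g, group, visited))
                return true;
        }
        return false;
    }
}
```

Because every failure path returns false rather than throwing, the calling WinForm can treat any non-true result as "access denied" without leaking whether the account, the password or the group was the problem.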
