Find Domain Name in Active Directory


Problem description

I'm running an ASP.NET 4.0 app which uses the user name (i.e. HttpContext.Current.Request.LogonUserIdentity.Name.ToString()) to manage access to various components.

The user name being returned is in the form "abc\jsmith" where "abc" is the domain name and "jsmith" is the login name of the user.

Part of the security module for this app accesses the Active Directory groups that the user belongs to (e.g., "Accounting", "AccountsPayable", "AdminDepartment"). I'm able to get the user's name from Active Directory using the DirectoryEntry.Properties (i.e., System.DirectoryServices.PropertyCollection) "sAMAccountName".Value.

So far, everything is fine, but I want to be able to expand the app across multiple domains, which means I need to be able to find the domain name in Active Directory as well as the user's login name. I can get a "Domain" value from PrincipalContext, but it's returning "abcdc" instead of "abc". Can I assume that this property will always return "dc" (as in "Domain Controller") at the end of each domain (in which case I can use a Substring of the property), or is there somewhere else I can get the user's current domain name?

Recommended answer

One thing I am unclear on is your question about retrieving the domain name given a DirectoryEntry in a domain controller. I am assuming that you have a server that can see multiple trusted domains, and that a user can log into your application from any one of them, such that you don't know against what domain you need to test role membership.

For controlling access to features via ADGroup membership, could you use the

HttpContext.Current.User.IsInRole(@"appdomain\groupname")   // verbatim string: "\g" is not a valid C# escape

where User.Identity.Name=="userdomain\user". I'm not familiar with domain trust issues, but this assumes that you can add users from the trusted domain into the domain group that you control so you don't need to worry about the group domain location.

If you can't, or if you have the same group name in each different domain, then you could do something like this?

HttpContext.Current.User.IsInRole(userDomainname + @"\groupname")

Some points:

  1. Unless you already have a large established AD codebase, I would recommend using objects from the System.DirectoryServices.AccountManagement namespace.
  2. I highly recommend the ADExplorer utility from Sysinternals to get a more LDAP view of your domain(s), which helps with LDAP connection strings and directory programming in general.
  3. If you are comfortable with interop, and need to perform any LDAP connection string parsing, check out this site.
  4. The System.DirectoryServices.AccountManagement.PrincipalContext.Container and System.DirectoryServices.DirectoryEntry.Path properties return the LDAP connection string w/ the domain at the end of the string (i.e., DC=mycompany,DC=com).
  5. Don't forget about trusty old Environment.UserDomainName & Environment.UserName (which grabs the WindowsPrincipal from the currently executing thread; see Table 1: Thread Exposed CurrentPrincipal Object @ http://msdn.microsoft.com/en-us/library/Aa480475.aspx for a great table on what the current user is within the asp.net runtime).

**UPDATE 6/8/2011 2:15 PM**

If I understand AD correctly, the user's domain is an integral part of the user object returned by AD. Expanding on your example of "Bob Newaccountant"...

So given the following 2 Domains with a trust between them:

1. "abcdc.com"
    CN=Users
        CN="Bob NewAccountant"
2. "abc.com"
    CN=Users
        CN="Local User1"
    OU=Applications
        OU=MyApplication
            CN=ReportReaders (Members: abcdc\BNewAccountant, abc\luser1)

You should get the users' info given the following query:

// name parameter = domain
// container parameter = distinguished name
// (PrincipalContext, GroupPrincipal and Principal live in System.DirectoryServices.AccountManagement)
using (var ctx = new PrincipalContext(
                     ContextType.Domain,
                     name: "abc.com",
                     container: "OU=MyApplication,OU=Applications,DC=abc,DC=com",
                     userName: @"abc\serviceaccountname",   // verbatim string: "\s" is not a valid C# escape
                     password: "Password1"))                 // read the real credential from a protected store, not source
{
    var officeGroup = GroupPrincipal.FindByIdentity(ctx,
                                     IdentityType.SamAccountName,
                                     "ReportReaders");
    if (officeGroup == null)
        throw new InvalidOperationException("Group ReportReaders not found under the given container");

    foreach (Principal prin in officeGroup.GetMembers(recursive: true))
    {
        Console.WriteLine("DistinguishedName: " + prin.DistinguishedName
            + " UPN: " + prin.UserPrincipalName);
    }
    // Should result in
    //   DistinguishedName: CN=luser1,CN=Users,DC=abc,DC=com UPN: luser1@abc.com
    //   DistinguishedName: CN=BNewAccountant,CN=Users,DC=abcdc,DC=com UPN: BNewAccountant@abcdc.com
}

So you should be able to get the user's domain via distinguishedName or userPrincipalName properties of active directory. (Note: I don't have a dual domain setup handy to me so I am not able to test the above code at this time.) Is that getting closer?
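As an added example (not code from the original answer or from the asker's application), the helper below pulls the domain out of the attributes the update points at: the DC= components of distinguishedName (the same tail that PrincipalContext.Container carries, per point 4), the suffix of userPrincipalName, and the NetBIOS prefix of the "abc\jsmith" logon form; it also handles the case a naive comma split gets wrong, an RDN such as "CN=Newaccountant\, Bob" that contains an escaped comma. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not code from the original answer: derive a principal's
// domain from the attributes AD itself returns. Class/method names are mine.
public static class AdDomainName
{
    // Split a distinguishedName into RDNs, honouring RFC 4514 backslash
    // escapes so "CN=Newaccountant\, Bob" is not split at its own comma.
    public static List<string> SplitRdns(string dn)
    {
        var rdns = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length)
                current.Append(dn[i]).Append(dn[++i]);   // keep the escape pair intact
            else if (dn[i] == ',')
            { rdns.Add(current.ToString().Trim()); current.Clear(); }
            else
                current.Append(dn[i]);
        }
        if (current.Length > 0) rdns.Add(current.ToString().Trim());
        return rdns;
    }

    // DNS domain from the trailing DC= components, e.g. "DC=abcdc,DC=com" -> "abcdc.com".
    // Works on Principal.DistinguishedName and on PrincipalContext.Container alike.
    public static string FromDistinguishedName(string dn)
    {
        var labels = new List<string>();
        foreach (var rdn in SplitRdns(dn))
            if (rdn.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
                labels.Add(rdn.Substring(3));
        return labels.Count == 0 ? null : string.Join(".", labels);
    }

    // DNS domain from userPrincipalName: everything after the last '@'.
    public static string FromUserPrincipalName(string upn) =>
        upn.LastIndexOf('@') < 0 ? null : upn.Substring(upn.LastIndexOf('@') + 1);

    // NetBIOS domain from the "abc\jsmith" logon form. This is a different
    // identifier from the DNS name and must not be compared to it directly.
    public static string FromDownLevelLogonName(string logonName) =>
        logonName.IndexOf('\\') < 0 ? null : logonName.Substring(0, logonName.IndexOf('\\'));
}
```

Mapping between the NetBIOS name and the DNS name of a domain is a directory lookup, not a string operation, so the two values should be kept as separate keys in any access-control table.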
