我可以模拟在.NET不同的Active Directory域中的用户? [英] Can I impersonate a user on a different Active Directory domain in .NET?
问题描述
我有两个Active Directory域,A和B用户在域A需要运行在他们的桌面应用程序查看和操作位于域B服务器上的资源,每个用户也有域B的帐户是否有可能模仿每个用户的域B身份在域B的资源进行操作编程?
示例工作流:
- 在用户登录到域中的。
- 在用户启动桌面应用程序。
- 在用户指定的资源域B。
- 应用程序会提示用户输入域B凭据。
- 在应用程序模仿用户的域B的身份来访问指定的资源。
- 在用户使用应用程序操纵域B的资源。
我要去的Win32 API方面讲,但我pretty的肯定,你可以P /从.NET调用这些。检查 http://pinvoke.net 。
您需要调用的LogonUser API创建重新presents用户的域B凭据的访问令牌。
然后调用ImpersonateLoggedOnUser,传递的访问令牌。调用线程将模拟域B凭据,直到您模拟一组不同的凭据或致电RevertToSelf的API。
我想这不用说,对LogonUser的调用成功,你的机器上运行需要信任域B。
I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?
Example Workflow:
- User logs in to domain A.
- User launches desktop application.
- User specifies resource in domain B.
- Application prompts user for domain B credentials.
- Application impersonates user's domain B identity to access specified resource.
- User manipulates domain B resource using application.
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
这篇关于我可以模拟在.NET不同的Active Directory域中的用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!