我可以模拟在.NET不同的Active Directory域中的用户？ [英] Can I impersonate a user on a different Active Directory domain in .NET?

问题描述

我有两个Active Directory域，A和B用户在域A需要运行在他们的桌面应用程序查看和操作位于域B服务器上的资源，每个用户也有域B的帐户是否有可能模仿每个用户的域B身份在域B的资源进行操作编程？

示例工作流：

1. 在用户登录到域中的。
2. 在用户启动桌面应用程序。
3. 在用户指定的资源域B。
4. 应用程序会提示用户输入域B凭据。
5. 在应用程序模仿用户的域B的身份来访问指定的资源。
6. 在用户使用应用程序操纵域B的资源。

解决方案

我要去的Win32 API方面讲，但我pretty的肯定，你可以P /从.NET调用这些。检查 http://pinvoke.net 。

您需要调用的LogonUser API创建重新presents用户的域B凭据的访问令牌。

然后调用ImpersonateLoggedOnUser，传递的访问令牌。调用线程将模拟域B凭据，直到您模拟一组不同的凭据或致电RevertToSelf的API。

我想这不用说，对LogonUser的调用成功，你的机器上运行需要信任域B。

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?

Example Workflow:

1. User logs in to domain A.
2. User launches desktop application.
3. User specifies resource in domain B.
4. Application prompts user for domain B credentials.
5. Application impersonates user's domain B identity to access specified resource.
6. User manipulates domain B resource using application.

解决方案

I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

这篇关于我可以模拟在.NET不同的Active Directory域中的用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！